Overview

overview

10

Static

static

Versanddetails.exe

windows7_x64

10

Versanddetails.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    31-07-2020 10:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Versanddetails.exe

  • Size

    596KB

  • MD5

    269a05d36d071c206dc87187d6136352

  • SHA1

    85f8c093f487db02ebbbda53d0893be9bdbc0ace

  • SHA256

    b774ad4c9780bdb6e4fec9dbd688f1ac6d0ee75e9771c64de99e1f5152e0b385

  • SHA512

    2449cc3e98eb46ffb373552fe1ca7cca4fea9628482e0f3214a2ef19a97240b184eca1191607e6406d810238ef8a0a29030867bec0baf44a7c480d485d661ebc

Score
10/10
keyloggertrojanstealerspywarehawkeye

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 25 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 837 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Suspicious use of SetThreadContext 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Versanddetails.exe
    "C:\Users\Admin\AppData\Local\Temp\Versanddetails.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetThreadContext
    PID:3488
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:2484
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of SetThreadContext
        PID:412
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          3⤵
            PID:1468
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            3⤵
              PID:2668

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scripting

        1
        T1064

        Persistence

        Privilege Escalation

        Defense Evasion

        Scripting

        1
        T1064

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
          Download Submit
        • memory/412-0-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/412-1-0x0000000000480C5E-mapping.dmp
          Download
        • memory/1468-2-0x0000000000400000-0x000000000041B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/1468-3-0x0000000000411654-mapping.dmp
          Download
        • memory/1468-4-0x0000000000400000-0x000000000041B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/2668-5-0x0000000000400000-0x0000000000458000-memory.dmp
          Filesize

          352KB

          Download
        • memory/2668-6-0x0000000000442628-mapping.dmp
          Download
        • memory/2668-7-0x0000000000400000-0x0000000000458000-memory.dmp
          Filesize

          352KB

          Download