Overview

overview

10

Static

static

0a6d73a1bc...65.exe

windows7_x64

10

0a6d73a1bc...65.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-11-2020 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a6d73a1bcc11e982242053e69819765.exe

  • Size

    1.5MB

  • MD5

    0b272ce4504fea9ef39ffa6d17e6d89f

  • SHA1

    851fc630e6435135822079d8c8ed2924792b96b1

  • SHA256

    eea5bbf97d1865846716e179ccd5cd9c3f31b2244cf537ff7cba9f1903717ed1

  • SHA512

    cbb78ec8631476321daf791f7e532604a831e598159acbecdaf574aac04deb98f0170036297ffeafad9efaa9a11020060b7bcb670e4450764814649edd444395

Score
10/10
hawkeyekeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 907 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a6d73a1bcc11e982242053e69819765.exe
    "C:\Users\Admin\AppData\Local\Temp\0a6d73a1bcc11e982242053e69819765.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Users\Admin\AppData\Local\Temp\0a6d73a1bcc11e982242053e69819765.exe
      "C:\Users\Admin\AppData\Local\Temp\0a6d73a1bcc11e982242053e69819765.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:500
      • C:\Users\Admin\AppData\Local\Temp\0a6d73a1bcc11e982242053e69819765.exe
        "C:\Users\Admin\AppData\Local\Temp\0a6d73a1bcc11e982242053e69819765.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
            PID:2304
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            4⤵
              PID:3468

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
        MD5

        f94dc819ca773f1e3cb27abbc9e7fa27

        SHA1

        9a7700efadc5ea09ab288544ef1e3cd876255086

        SHA256

        a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

        SHA512

        72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

        Download Submit
      • C:\Windows\win.ini
        MD5

        6bf517432f65eb7f0d18d574bf14124c

        SHA1

        5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

        SHA256

        6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

        SHA512

        7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

        Download Submit
      • memory/500-2-0x0000000000000000-mapping.dmp
        Download
      • memory/2304-10-0x0000000000411654-mapping.dmp
        Download
      • memory/2304-9-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/2304-11-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/2624-6-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/2624-7-0x000000000040140A-mapping.dmp
        Download
      • memory/2624-8-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/3468-12-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/3468-13-0x0000000000442628-mapping.dmp
        Download
      • memory/3468-14-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download