hawkeye | 7b74117a34e84a659a35437ab43b27c55f129c1717f92b116dc5533c27bdbc5a

Analysis

max time kernel
151s
max time network
142s
platform
windows7_x64
resource
win7v20201028
submitted
12-12-2020 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape V4 Crack.bin.exe
Size

1.7MB
MD5

6a669de1d724cc4874c42ae535ca892d
SHA1

de905655fd632fff874bc907726e9b9a16886ea9
SHA256

5d45d76577ec4d7429bab8dbfa6f5ff52d947a5c7c6f9ff373456e0c3703e454
SHA512

23ed610d8a5803934a2a35de40fbd3e55a91d89b436812e0bb8cc692e8d10ce5a9e10e63267084461b13d50a5eeac5ed45df67950e164654e6ba8de859921708

Score

10^/10

hawkeye evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
motionalt1@gmail.com
Password:
you@regay

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

Defender.exeDefender.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	Defender.exe

Executes dropped EXE 5 IoCs

Processes:

Windows Update.exeEBFile_2.exeEBFile_3.exeDefender.exeDefender.exe

pid process

1580 Windows Update.exe
908 EBFile_2.exe
852 EBFile_3.exe
2032 Defender.exe
944 Defender.exe
Deletes itself 1 IoCs

Processes:

Windows Update.exe

pid process

1580 Windows Update.exe
Loads dropped DLL 4 IoCs

Processes:

Vape V4 Crack.bin.exeWindows Update.exeEBFile_2.exe

pid process

1084 Vape V4 Crack.bin.exe
1580 Windows Update.exe
1580 Windows Update.exe
908 EBFile_2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1084	Vape V4 Crack.bin.exe
1580	Windows Update.exe
1580	Windows Update.exe
908	EBFile_2.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Defender.exeDefender.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Defender.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 whatismyipaddress.com
6 whatismyipaddress.com
8 whatismyipaddress.com

flow	ioc
9	whatismyipaddress.com
6	whatismyipaddress.com
8	whatismyipaddress.com

Drops file in System32 directory 2 IoCs

Processes:

Defender.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Defender.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Defender.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Windows Update.exe

description	pid	process	target process
PID 1580 set thread context of 1844	1580	Windows Update.exe	vbc.exe
PID 1580 set thread context of 1372	1580	Windows Update.exe	vbc.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

EBFile_3.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EBFile_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	EBFile_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	EBFile_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	EBFile_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	EBFile_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	EBFile_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EBFile_3.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1560 NOTEPAD.EXE

pid	process
1560	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 1859 IoCs

Processes:

Windows Update.exe

pid	process
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe
1580	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Windows Update.exeEBFile_3.exeDefender.exe

description	pid	process
Token: SeDebugPrivilege	1580	Windows Update.exe
Token: SeDebugPrivilege	852	EBFile_3.exe
Token: SeDebugPrivilege	2032	Defender.exe
Token: SeAssignPrimaryTokenPrivilege	2032	Defender.exe
Token: SeIncreaseQuotaPrivilege	2032	Defender.exe
Token: 0	2032	Defender.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

1580 Windows Update.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

Vape V4 Crack.bin.exeWindows Update.exeEBFile_2.exeEBFile_3.execmd.exeWScript.exeWScript.exe

description	pid	process	target process
PID 1084 wrote to memory of 1580	1084	Vape V4 Crack.bin.exe	Windows Update.exe
PID 1084 wrote to memory of 1580	1084	Vape V4 Crack.bin.exe	Windows Update.exe
PID 1084 wrote to memory of 1580	1084	Vape V4 Crack.bin.exe	Windows Update.exe
PID 1084 wrote to memory of 1580	1084	Vape V4 Crack.bin.exe	Windows Update.exe
PID 1084 wrote to memory of 1580	1084	Vape V4 Crack.bin.exe	Windows Update.exe
PID 1084 wrote to memory of 1580	1084	Vape V4 Crack.bin.exe	Windows Update.exe
PID 1084 wrote to memory of 1580	1084	Vape V4 Crack.bin.exe	Windows Update.exe
PID 1580 wrote to memory of 1560	1580	Windows Update.exe	NOTEPAD.EXE
PID 1580 wrote to memory of 1560	1580	Windows Update.exe	NOTEPAD.EXE
PID 1580 wrote to memory of 1560	1580	Windows Update.exe	NOTEPAD.EXE
PID 1580 wrote to memory of 1560	1580	Windows Update.exe	NOTEPAD.EXE
PID 1580 wrote to memory of 908	1580	Windows Update.exe	EBFile_2.exe
PID 1580 wrote to memory of 908	1580	Windows Update.exe	EBFile_2.exe
PID 1580 wrote to memory of 908	1580	Windows Update.exe	EBFile_2.exe
PID 1580 wrote to memory of 908	1580	Windows Update.exe	EBFile_2.exe
PID 1580 wrote to memory of 852	1580	Windows Update.exe	EBFile_3.exe
PID 1580 wrote to memory of 852	1580	Windows Update.exe	EBFile_3.exe
PID 1580 wrote to memory of 852	1580	Windows Update.exe	EBFile_3.exe
PID 1580 wrote to memory of 852	1580	Windows Update.exe	EBFile_3.exe
PID 1580 wrote to memory of 1844	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1844	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1844	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1844	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1844	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1844	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1844	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1844	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1844	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1844	1580	Windows Update.exe	vbc.exe
PID 908 wrote to memory of 2032	908	EBFile_2.exe	Defender.exe
PID 908 wrote to memory of 2032	908	EBFile_2.exe	Defender.exe
PID 908 wrote to memory of 2032	908	EBFile_2.exe	Defender.exe
PID 908 wrote to memory of 2032	908	EBFile_2.exe	Defender.exe
PID 1580 wrote to memory of 1372	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1372	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1372	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1372	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1372	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1372	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1372	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1372	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1372	1580	Windows Update.exe	vbc.exe
PID 1580 wrote to memory of 1372	1580	Windows Update.exe	vbc.exe
PID 852 wrote to memory of 1652	852	EBFile_3.exe	WScript.exe
PID 852 wrote to memory of 1652	852	EBFile_3.exe	WScript.exe
PID 852 wrote to memory of 1652	852	EBFile_3.exe	WScript.exe
PID 852 wrote to memory of 1568	852	EBFile_3.exe	cmd.exe
PID 852 wrote to memory of 1568	852	EBFile_3.exe	cmd.exe
PID 852 wrote to memory of 1568	852	EBFile_3.exe	cmd.exe
PID 1568 wrote to memory of 1508	1568	cmd.exe	choice.exe
PID 1568 wrote to memory of 1508	1568	cmd.exe	choice.exe
PID 1568 wrote to memory of 1508	1568	cmd.exe	choice.exe
PID 1652 wrote to memory of 2032	1652	WScript.exe	WScript.exe
PID 1652 wrote to memory of 2032	1652	WScript.exe	WScript.exe
PID 1652 wrote to memory of 2032	1652	WScript.exe	WScript.exe
PID 2032 wrote to memory of 1624	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 1624	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 1624	2032	WScript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Vape V4 Crack.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Vape V4 Crack.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BFile_1.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:1560

C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe
"C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
4⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\AppData\Local\Temp\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /SYS 1
5⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
PID:944

C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe
"C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\finalres.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp.\finalres2.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp.\finalres.bat" "
6⤵
PID:1624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:1844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:1372

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BFile_1.txt
MD5
1a315f228b55458f972213ed7d06a82d

SHA1
abd233b01b6532ff259e574f95f218a11c5b6caa

SHA256
f31a1549c0ded4a9de1cfc44a7fe54b95c233379dae6dc58c56609a2381cc7f5

SHA512
9427ec6918639f3e0f12f2cbcb6a4f2b379cdb5e7042993a53b74077139817f711e5ded15579a3a8e5ae9c47216c618dfee96847b340e58cf8e8475a5ac828cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender.exe
MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender.exe
MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender.exe
MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe
MD5
1d6a2397610b09dd6b49785182fd13d2

SHA1
4a4ccd35f98544d0dd5bd6a30f9101c7babb36d3

SHA256
e96c14e2853a64717b64d3972e436dcfb39daa539ed1b67c8a58caafdf22c923

SHA512
fe0c86e696e39386e58355ed887238ddb3ae5f1013cbcbae16fe61f968a537a831bae7c3deb4cd0342d898d5fa5b20d662831d83ad7ab22fb0ce9e7834d9cb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe
MD5
1d6a2397610b09dd6b49785182fd13d2

SHA1
4a4ccd35f98544d0dd5bd6a30f9101c7babb36d3

SHA256
e96c14e2853a64717b64d3972e436dcfb39daa539ed1b67c8a58caafdf22c923

SHA512
fe0c86e696e39386e58355ed887238ddb3ae5f1013cbcbae16fe61f968a537a831bae7c3deb4cd0342d898d5fa5b20d662831d83ad7ab22fb0ce9e7834d9cb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe
MD5
fde2f12ea09556a7d28e4d10a80c0e88

SHA1
9c44959deda54054be62d00fc1bd8254efcf4f69

SHA256
53509887881cb405ddb046fb70dcaa55c7e8f02b23799384dbfb7b97cc898968

SHA512
c7832129ec62fd788394a5622b95b4536e1e3cac3938572a85c9b5deb17da13ac86166f322aab83a4baed97a990e2323e84dca3f518931897970da039e343cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe
MD5
fde2f12ea09556a7d28e4d10a80c0e88

SHA1
9c44959deda54054be62d00fc1bd8254efcf4f69

SHA256
53509887881cb405ddb046fb70dcaa55c7e8f02b23799384dbfb7b97cc898968

SHA512
c7832129ec62fd788394a5622b95b4536e1e3cac3938572a85c9b5deb17da13ac86166f322aab83a4baed97a990e2323e84dca3f518931897970da039e343cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
MD5
6d36037988c328ba2fe31d405e118572

SHA1
db5d7a91456262daa9c9807602730fc92f490f8b

SHA256
af1deef9bf3f5a67a2e594ffe2092d52520806c63df035d664de4dda83f697e5

SHA512
8fe19e4aee0e351230a21b5a8152f48e6f163af64fcd9918bca28178db38f12e5b953294941756d87871b25390e6d999e78e01c529ed87653e0044d181464fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\finalres.bat
MD5
2574c5b67cffffae5c7a056455d1d3ae

SHA1
2386d127b47e27b236eb0cb6d90ffa67376891d2

SHA256
b25df4870b5e471b57431771df6dbb10c68b0eb8f9d5fef9c72e4cf3844dc9fc

SHA512
be6930b803980d1ed71cb2c9907884d172a93ad3f34cffda2ceadf3afad9fe3e354d95bebc250bf2db1179fd9cbaa57da71925e45f2f2430d3ae72f587a9d610

Download Submit
C:\Users\Admin\AppData\Local\Temp\finalres.vbs
MD5
cbca85af83070314b060c23175f9f4df

SHA1
a881531b0a737c4cd2a910478836ad0d78a5d4c0

SHA256
97de4041a56e13945df8a7db417de01f4ea5f1ece5623fb557b5d8e36e4f2f91

SHA512
ea74acef42ca1558a0734b7adf5ee9192e244f0d9b30985ae7ad3dfb0d303205d51f863e10b0f4ad00165c0aa70edf48a4a9f002c8752e75c7e059b567b5c46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\finalres2.vbs
MD5
50f631e85016c256f4f103d8a8f711b1

SHA1
2e39050ce0bc06e9426f3ac440fec9067777eba2

SHA256
8610901e51055bcbbef41f30194f46a13ecfaf1876a2019de0c9078d67d63bb4

SHA512
b5e643cbdaac4a07d31ea71c001e514ccf165a03e207f773a87c633f4d8728049eccb775d7f594ad6225dda2b73538e323861438957ab5453ca1140529a3f80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
6a669de1d724cc4874c42ae535ca892d

SHA1
de905655fd632fff874bc907726e9b9a16886ea9

SHA256
5d45d76577ec4d7429bab8dbfa6f5ff52d947a5c7c6f9ff373456e0c3703e454

SHA512
23ed610d8a5803934a2a35de40fbd3e55a91d89b436812e0bb8cc692e8d10ce5a9e10e63267084461b13d50a5eeac5ed45df67950e164654e6ba8de859921708

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
6a669de1d724cc4874c42ae535ca892d

SHA1
de905655fd632fff874bc907726e9b9a16886ea9

SHA256
5d45d76577ec4d7429bab8dbfa6f5ff52d947a5c7c6f9ff373456e0c3703e454

SHA512
23ed610d8a5803934a2a35de40fbd3e55a91d89b436812e0bb8cc692e8d10ce5a9e10e63267084461b13d50a5eeac5ed45df67950e164654e6ba8de859921708

Download Submit
\Users\Admin\AppData\Local\Temp\Defender.exe
MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
\Users\Admin\AppData\Local\Temp\EBFile_2.exe
MD5
1d6a2397610b09dd6b49785182fd13d2

SHA1
4a4ccd35f98544d0dd5bd6a30f9101c7babb36d3

SHA256
e96c14e2853a64717b64d3972e436dcfb39daa539ed1b67c8a58caafdf22c923

SHA512
fe0c86e696e39386e58355ed887238ddb3ae5f1013cbcbae16fe61f968a537a831bae7c3deb4cd0342d898d5fa5b20d662831d83ad7ab22fb0ce9e7834d9cb82

Download Submit
\Users\Admin\AppData\Local\Temp\EBFile_3.exe
MD5
fde2f12ea09556a7d28e4d10a80c0e88

SHA1
9c44959deda54054be62d00fc1bd8254efcf4f69

SHA256
53509887881cb405ddb046fb70dcaa55c7e8f02b23799384dbfb7b97cc898968

SHA512
c7832129ec62fd788394a5622b95b4536e1e3cac3938572a85c9b5deb17da13ac86166f322aab83a4baed97a990e2323e84dca3f518931897970da039e343cee

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
6a669de1d724cc4874c42ae535ca892d

SHA1
de905655fd632fff874bc907726e9b9a16886ea9

SHA256
5d45d76577ec4d7429bab8dbfa6f5ff52d947a5c7c6f9ff373456e0c3703e454

SHA512
23ed610d8a5803934a2a35de40fbd3e55a91d89b436812e0bb8cc692e8d10ce5a9e10e63267084461b13d50a5eeac5ed45df67950e164654e6ba8de859921708

Download Submit
memory/748-35-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp

Filesize
2.5MB

Download
memory/852-14-0x0000000000000000-mapping.dmp

Download
memory/852-17-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

Filesize
9.9MB

Download
memory/852-23-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/908-25-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/908-10-0x0000000000000000-mapping.dmp

Download
memory/908-19-0x00000000708D0000-0x0000000070FBE000-memory.dmp

Filesize
6.9MB

Download
memory/1372-33-0x0000000000442628-mapping.dmp

Download
memory/1372-32-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1372-34-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1508-40-0x0000000000000000-mapping.dmp

Download
memory/1560-7-0x0000000000000000-mapping.dmp

Download
memory/1568-39-0x0000000000000000-mapping.dmp

Download
memory/1580-3-0x0000000000000000-mapping.dmp

Download
memory/1624-45-0x0000000000000000-mapping.dmp

Download
memory/1652-43-0x0000000002580000-0x0000000002584000-memory.dmp

Filesize
16KB

Download
memory/1652-37-0x0000000000000000-mapping.dmp

Download
memory/1844-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1844-21-0x0000000000411654-mapping.dmp

Download
memory/1844-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2032-42-0x0000000000000000-mapping.dmp

Download
memory/2032-28-0x0000000000000000-mapping.dmp

Download
memory/2032-46-0x0000000002640000-0x0000000002644000-memory.dmp

Filesize
16KB

Download