Analysis Overview
SHA256
70ef3c88a90dd590de9a0ac4634b5017f35ea6dedec14f3cc3b5d9eeb3ca84a2
Threat Level: Known bad
The file SecuriteInfo.com.Trojan.AutoIt.316.10986.27538 was found to be: Known bad.
Malicious Activity Summary
HawkEye Reborn
M00nd3v_Logger
Nirsoft
NirSoft MailPassView
NirSoft WebBrowserPassView
M00nD3v Logger Payload
Uses the VBS compiler for execution
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
autoit_exe
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-10 12:36
Signatures
autoit_exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-10 12:36
Reported
2021-12-10 12:38
Platform
win7-en-20211208
Max time kernel
152s
Max time network
122s
Command Line
Signatures
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1936 set thread context of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.316.10986.27538.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 2040 set thread context of 1332 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2040 set thread context of 308 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.316.10986.27538.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.316.10986.27538.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp514B.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4461.tmp"
Network
Files
memory/1936-55-0x00000000760F1000-0x00000000760F3000-memory.dmp
memory/1936-56-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2040-57-0x0000000000100000-0x0000000000190000-memory.dmp
memory/2040-58-0x0000000000100000-0x0000000000190000-memory.dmp
memory/2040-63-0x000000000018B2FE-mapping.dmp
memory/2040-64-0x0000000000100000-0x0000000000190000-memory.dmp
memory/2040-65-0x0000000000100000-0x0000000000190000-memory.dmp
memory/2040-67-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/1332-68-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1332-69-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1332-70-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1332-71-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1332-72-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1332-74-0x000000000044472E-mapping.dmp
memory/1332-73-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1332-77-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2040-76-0x00000000009F1000-0x00000000009F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp514B.tmp
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/308-79-0x0000000000400000-0x000000000041C000-memory.dmp
memory/308-80-0x0000000000400000-0x000000000041C000-memory.dmp
memory/308-81-0x0000000000400000-0x000000000041C000-memory.dmp
memory/308-82-0x0000000000400000-0x000000000041C000-memory.dmp
memory/308-83-0x0000000000400000-0x000000000041C000-memory.dmp
memory/308-84-0x0000000000400000-0x000000000041C000-memory.dmp
memory/308-85-0x000000000041211A-mapping.dmp
memory/308-87-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2040-88-0x00000000009F6000-0x0000000000A07000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-12-10 12:36
Reported
2021-12-10 12:38
Platform
win10-en-20211208
Max time kernel
122s
Max time network
129s
Command Line
Signatures
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3724 set thread context of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.316.10986.27538.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 2020 set thread context of 4512 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2020 set thread context of 3352 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.316.10986.27538.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.316.10986.27538.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAD9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1114.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/2020-115-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2020-120-0x000000000048B2FE-mapping.dmp
memory/3724-121-0x0000000004440000-0x0000000004441000-memory.dmp
memory/2020-122-0x00000000029D0000-0x00000000029D1000-memory.dmp
memory/2020-123-0x00000000029D1000-0x00000000029D2000-memory.dmp
memory/4512-124-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4512-125-0x000000000044472E-mapping.dmp
memory/4512-126-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAD9.tmp
| MD5 | 598aedc3862250a8590740a47d090605 |
| SHA1 | 74d0d250683a480af0d2cf8d826d1f572f7ef5fd |
| SHA256 | 1b316d5728580fdf74ad8b6841b94dbe683b6d62c087eddf636f0599306e5172 |
| SHA512 | 5096f5b3236b4f8f0346e3b0f20ee01ca5dc7e0ff41f4dddc2ea9658cbd7f8e05fa1276f5b0363f8696da83c402db8507ed636971ffc00bd36d1c8179f92a282 |
memory/3352-129-0x000000000041211A-mapping.dmp
memory/3352-128-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3352-130-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2020-131-0x00000000029D4000-0x00000000029D6000-memory.dmp
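Taken together, the two detonations record one chain that the signature list only hints at: the AutoIt-compiled dropper (PID 1936 on win7, 3724 on win10) sets the thread context of a freshly started RegAsm.exe, and that RegAsm.exe (which also adjusts SeDebugPrivilege and installs a SetWindowsHookEx hook) then sets the thread context of two vbc.exe children launched as `vbc.exe /stext <temp file>`. vbc.exe has no `/stext` switch; it is the NirSoft command-line option that writes recovered credentials to a text file, which is consistent with the MailPassView and WebBrowserPassView signatures, the image sizes mapped into the vbc.exe processes (0x400000-0x45B000 and 0x400000-0x41C000), and the read of the Outlook `OMI Account Manager\Accounts` key from vbc.exe. The external-IP lookup via bot.whatismyipaddress.com was only observed in the win10 run. The following Python is an added example, not code from the sandbox or from the malware: it re-implements those behavioural checks over a constructed, Sysmon-style event stream whose PIDs, paths, command lines, registry key and DNS name are copied from the win10 detonation (plus one benign vbc.exe build as a control). The event dictionary shape, the host-binary list and the IP-check domain list beyond bot.whatismyipaddress.com are assumptions of the example, not something the report states.

```python
"""Added example: re-derive the report's behavioural signatures from an event log.

Event records are an assumed Sysmon-like shape (dicts with a "type" key), not the
sandbox's own format.  SAMPLE_EVENTS is constructed to mirror the win10 detonation.
"""
import re
from collections import defaultdict

# .NET framework binaries commonly used as hollowing hosts (assumed list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe",
                "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}
# External-IP web services; only the first one appears in the report (rest assumed).
IP_CHECK_DOMAINS = {"bot.whatismyipaddress.com", "whatismyipaddress.com",
                    "api.ipify.org", "icanhazip.com", "checkip.dyndns.org"}
# Outlook account store read by NirSoft MailPassView; anchored so HKU\<SID>\... matches.
OUTLOOK_KEY = re.compile(
    r"\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts$", re.I)

VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.316.10986.27538.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

SAMPLE_EVENTS = [  # constructed; PIDs, paths and names taken from the win10 run
    {"type": "process_create", "pid": 3724, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "process_create", "pid": 2020, "ppid": 3724, "image": REGASM, "cmdline": f'"{REGASM}"'},
    {"type": "set_thread_context", "pid": 3724, "target_pid": 2020},
    {"type": "privilege_adjust", "pid": 2020, "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 4512, "ppid": 2020, "image": VBC,
     "cmdline": f'"{VBC}" /stext "{TMP}\\tmpAD9.tmp"'},
    {"type": "set_thread_context", "pid": 2020, "target_pid": 4512},
    {"type": "process_create", "pid": 3352, "ppid": 2020, "image": VBC,
     "cmdline": f'"{VBC}" /stext "{TMP}\\tmp1114.tmp"'},
    {"type": "set_thread_context", "pid": 2020, "target_pid": 3352},
    {"type": "registry_open", "pid": 4512, "image": VBC,
     "key": r"\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000"
            r"\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"type": "dns_query", "pid": 2020, "query": "bot.whatismyipaddress.com"},
    {"type": "dns_query", "pid": 2020, "query": "time.windows.com"},
    # benign control: a real compile through vbc.exe must not trip the /stext check
    {"type": "process_create", "pid": 5000, "ppid": 4000, "image": VBC,
     "cmdline": f'"{VBC}" /out:app.exe app.vb'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hollow_chains(events):
    """Follow SetThreadContext edges from processes that are not themselves targets.

    Returns every root-to-leaf path, e.g. [dropper, RegAsm, vbc]."""
    edges, targets = defaultdict(list), set()
    for e in events:
        if e["type"] == "set_thread_context":
            edges[e["pid"]].append(e["target_pid"])
            targets.add(e["target_pid"])
    chains = []

    def walk(pid, path):
        if pid not in edges:
            chains.append(path)
            return
        for t in edges[pid]:
            walk(t, path + [t])

    for root in [p for p in edges if p not in targets]:
        walk(root, [root])
    return chains


def nirsoft_stext_hosts(events):
    """/stext is a NirSoft switch; no .NET framework binary accepts it."""
    return [(e["pid"], e["cmdline"]) for e in events
            if e["type"] == "process_create"
            and basename(e["image"]) in DOTNET_HOSTS
            and re.search(r"(?i)\s/stext\s", e["cmdline"])]


def outlook_account_reads(events):
    """Any process other than Outlook itself opening the OMI account store."""
    return [(e["pid"], e["image"]) for e in events
            if e["type"] == "registry_open" and OUTLOOK_KEY.search(e["key"])
            and basename(e["image"]) != "outlook.exe"]


def external_ip_lookups(events):
    return sorted({e["query"].lower() for e in events
                   if e["type"] == "dns_query" and e["query"].lower() in IP_CHECK_DOMAINS})


def verdict(events):
    """Names of the checks that fired; the last one needs the chain AND the dump switch."""
    fired, chains, stext = [], hollow_chains(events), nirsoft_stext_hosts(events)
    if any(len(c) >= 2 for c in chains):
        fired.append("Suspicious use of SetThreadContext")
    if any(e["type"] == "privilege_adjust" and e["privilege"] == "SeDebugPrivilege" for e in events):
        fired.append("Suspicious use of AdjustPrivilegeToken")
    if stext:
        fired.append("NirSoft /stext run inside a .NET host binary")
    if outlook_account_reads(events):
        fired.append("Accesses Microsoft Outlook accounts")
    if external_ip_lookups(events):
        fired.append("Looks up external IP address via web service")
    if stext and any(len(c) >= 3 for c in chains):
        fired.append("Known bad: two-stage hollowing chain ending in NirSoft password dump")
    return fired


if __name__ == "__main__":
    for chain in hollow_chains(SAMPLE_EVENTS):
        print("hollow chain:", " -> ".join(map(str, chain)))
    for name in verdict(SAMPLE_EVENTS):
        print("fired:", name)
```

The decisive combination is the third check together with the injection chain: a .NET framework binary started with `/stext` is never a legitimate build or registration, and when the process that started it has itself been hollowed by an executable running out of `%TEMP%`, the remaining signatures (Outlook key read, external-IP DNS query, SeDebugPrivilege) only add confidence. The temp files named in the `/stext` arguments (`tmpAD9.tmp`, `tmp1114.tmp` on win10; `tmp514B.tmp`, `tmp4461.tmp` on win7) are where the harvested credentials land before exfiltration, so they are the first artefacts to collect from an infected host.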