Analysis Overview
SHA256
72e559bf1066cdbca5974a3155e7262b7b536e2f654aa18d7530354a407f8bc5
Threat Level: Known bad
The file 72e559bf1066cdbca5974a3155e7262b7b536e2f654aa18d7530354a407f8bc5 was found to be: Known bad.
Malicious Activity Summary
HawkEye Reborn
Modifies Windows Defender Real-time Protection settings
Looks for VirtualBox Guest Additions in registry
ReZer0 packer
NirSoft MailPassView
Nirsoft
NirSoft WebBrowserPassView
Looks for VMWare Tools registry key
Checks BIOS information in registry
Windows security modification
Maps connected drives based on registry
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-05 14:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-05 14:22
Reported
2022-02-05 14:25
Platform
win7-en-20211208
Max time kernel
132s
Max time network
139s
Command Line
Signatures
HawkEye Reborn
Modifies Windows Defender Real-time Protection settings
Looks for VirtualBox Guest Additions in registry
NirSoft MailPassView
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
ReZer0 packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Looks for VMWare Tools registry key
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1312 set thread context of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sTpIzWFY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF028.tmp"
C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/1312-54-0x0000000000CB0000-0x0000000000D66000-memory.dmp
memory/1312-55-0x0000000075D51000-0x0000000075D53000-memory.dmp
memory/1312-56-0x0000000000C30000-0x0000000000C31000-memory.dmp
memory/1312-57-0x00000000004F0000-0x00000000004FA000-memory.dmp
memory/1312-58-0x0000000005C10000-0x0000000005CA8000-memory.dmp
memory/1640-63-0x0000000001DA1000-0x0000000001DA2000-memory.dmp
memory/1640-62-0x0000000001DA0000-0x0000000001DA1000-memory.dmp
memory/1640-64-0x0000000001DA2000-0x0000000001DA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF028.tmp
| Hash | Value |
|---|---|
| MD5 | 9a3c01cc73f5b776b2a6ebec1ad30253 |
| SHA1 | fd7cf23cf99f43f2b40e6d036d90cdcda132a625 |
| SHA256 | 389957274be81b1b006282967c1aaa78bbb0408bf071d2cd51e0b483f2f1b6ef |
| SHA512 | df8ee318f065c58df6872771fa34e18b408cf0c6323a65edaeee9150b90f0d2fe15ca0aa6f734d121e06adbf81e2d789384e64be94802bf0623ac75d13c8c3b7 |
memory/1420-66-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1420-67-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1420-68-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1420-69-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1420-70-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1420-71-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1420-72-0x0000000004620000-0x0000000004696000-memory.dmp
memory/1420-73-0x00000000046F0000-0x00000000046F1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-05 14:22
Reported
2022-02-05 14:25
Platform
win10v2004-en-20220113
Max time kernel
17s
Max time network
48s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\MT103 SWIFT_PDF.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
Files
memory/4680-130-0x0000000000670000-0x0000000000726000-memory.dmp
memory/4680-131-0x00000000055F0000-0x0000000005B94000-memory.dmp
memory/4680-132-0x00000000050E0000-0x0000000005172000-memory.dmp