Analysis
-
max time kernel
63s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
08-02-2022 02:06
General
-
Target
Inv.exe
-
Size
744KB
-
MD5
f8433b692958fa0ce7659e63203b60de
-
SHA1
dd6595d2e6d5bdf54e718b07c94fc964eab69365
-
SHA256
69b49da3c4767d2ffcd713aeea8343e1aa2f0be88512fc9c4d86a932b4ee6cb5
-
SHA512
343ab88a59614251a2323af2b886069e5507aef04421c1b937661868a4c1c3332c60af85307b2b4dc21632c983e85372486ea6f5adfb3ffefeb11cb186718a6c
Score
10/10
Malware Config
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Beds Protector Packer 1 IoCs
Detects Beds Protector packer used to load .NET malware.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Nirsoft 2 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 6 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Inv.exe"C:\Users\Admin\AppData\Local\Temp\Inv.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Inv.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Inv.exe"C:\Users\Admin\AppData\Local\Temp\Inv.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Inv.exe"C:\Users\Admin\AppData\Local\Temp\Inv.exe"2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inv.exe.logMD5
553cfcb8247e9e828eef0474e2134fac
SHA1362c3f93dccc66f3bbfaf5ef681a11a0c7bc7316
SHA256a753cbd5f89b034eaeeb02fa8f0924bab30e84d86d02686fdf7c0228d8a00d54
SHA51218b4174286f47b41f47e964c5368b453eba4a23331958e7b982017f965a434aa80c0d3504d13521a9f0550bba4c2b7a62543553d4ddfdf6e1f0c39c6ef542dc4
-
memory/1448-168-0x00000000051F0000-0x0000000005794000-memory.dmpFilesize
5.6MB
-
memory/1448-148-0x0000000074F60000-0x0000000075710000-memory.dmpFilesize
7.7MB
-
memory/1448-149-0x00000000051F0000-0x0000000005794000-memory.dmpFilesize
5.6MB
-
memory/1448-145-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/1448-150-0x0000000002A20000-0x0000000002A2A000-memory.dmpFilesize
40KB
-
memory/1448-151-0x0000000005290000-0x00000000052E6000-memory.dmpFilesize
344KB
-
memory/1568-134-0x00000000055D0000-0x0000000005662000-memory.dmpFilesize
584KB
-
memory/1568-130-0x0000000000B60000-0x0000000000C20000-memory.dmpFilesize
768KB
-
memory/1568-136-0x0000000005840000-0x00000000058DC000-memory.dmpFilesize
624KB
-
memory/1568-135-0x0000000006480000-0x0000000006A24000-memory.dmpFilesize
5.6MB
-
memory/1568-133-0x0000000005A00000-0x0000000005ECC000-memory.dmpFilesize
4.8MB
-
memory/1568-132-0x0000000002ED0000-0x0000000002ED1000-memory.dmpFilesize
4KB
-
memory/1568-131-0x0000000074F60000-0x0000000075710000-memory.dmpFilesize
7.7MB
-
memory/1940-177-0x000002B274000000-0x000002B274004000-memory.dmpFilesize
16KB
-
memory/1940-165-0x000002B273D30000-0x000002B273D34000-memory.dmpFilesize
16KB
-
memory/2176-137-0x00000000023A0000-0x00000000023D6000-memory.dmpFilesize
216KB
-
memory/2176-166-0x0000000006220000-0x000000000623A000-memory.dmpFilesize
104KB
-
memory/2176-142-0x00000000024B0000-0x00000000024B1000-memory.dmpFilesize
4KB
-
memory/2176-144-0x00000000024B2000-0x00000000024B3000-memory.dmpFilesize
4KB
-
memory/2176-143-0x0000000005660000-0x00000000056C6000-memory.dmpFilesize
408KB
-
memory/2176-141-0x0000000074F60000-0x0000000075710000-memory.dmpFilesize
7.7MB
-
memory/2176-164-0x0000000006FE0000-0x0000000007076000-memory.dmpFilesize
600KB
-
memory/2176-146-0x0000000004A40000-0x0000000004A5E000-memory.dmpFilesize
120KB
-
memory/2176-139-0x0000000004BD0000-0x0000000004BF2000-memory.dmpFilesize
136KB
-
memory/2176-167-0x0000000006290000-0x00000000062B2000-memory.dmpFilesize
136KB
-
memory/2176-140-0x00000000055F0000-0x0000000005656000-memory.dmpFilesize
408KB
-
memory/2176-138-0x0000000004EC0000-0x00000000054E8000-memory.dmpFilesize
6.2MB
-
memory/3684-176-0x000001D3581F0000-0x000001D3581F4000-memory.dmpFilesize
16KB
-
memory/3684-169-0x000001D355570000-0x000001D355580000-memory.dmpFilesize
64KB