Analysis

  • max time kernel
    153s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    22/02/2022, 22:47

General

  • Target

    07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe

  • Size

    520KB

  • MD5

    6f4cc7f74974e70f6d046529ff575022

  • SHA1

    77f216cb385b8a612ea12915918fec3e6d17a7a6

  • SHA256

    07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf

  • SHA512

    1862dafb703df2db42a8699d5137e5e9659ce0daa3f9af8d1fe6a44228f22bf70917ad1354f309949f53528255d13c2e1057dfff304d22c05841d0de6e278e72

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Hell-no123!

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe
    "C:\Users\Admin\AppData\Local\Temp\07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      2⤵
      • Accesses Microsoft Outlook accounts
      PID:240
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      2⤵
      PID:1860
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1144
      2⤵
      PID:2012

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/240-58-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/240-61-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1648-54-0x0000000076451000-0x0000000076453000-memory.dmp

    Filesize

    8KB

  • memory/1648-55-0x0000000074DD1000-0x0000000074DD2000-memory.dmp

    Filesize

    4KB

  • memory/1648-56-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

  • memory/1648-57-0x0000000074DD2000-0x0000000074DD4000-memory.dmp

    Filesize

    8KB

  • memory/1648-60-0x00000000002E5000-0x00000000002F6000-memory.dmp

    Filesize

    68KB

  • memory/1648-64-0x00000000002F6000-0x00000000002F7000-memory.dmp

    Filesize

    4KB

  • memory/1860-62-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/1860-65-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2012-68-0x0000000000610000-0x0000000000611000-memory.dmp

    Filesize

    4KB
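The process tree and dump list above together show the classic HawkEye credential-theft pattern: the sample (PID 1648) uses WriteProcessMemory and SetThreadContext to hollow two copies of the .NET Framework compiler vbc.exe (PIDs 240 and 1860), runs the NirSoft MailPassView and WebBrowserPassView images inside them with the NirSoft `/stext` save switch, and collects the output from holdermail.txt and holderwb.txt in %TEMP%. A genuine vbc.exe has no `/stext` option, so that command line alone is a strong signal, and the dumps taken at 0x400000 in the two vbc.exe PIDs (108KB and 352KB, far smaller than the compiler) are the injected images to carve. The detection logic below is an added example and is not part of the sandbox report; the events are constructed from the report's own command lines and dump names, while the parent PID of the sample, the field layout and the list of other .NET hollow hosts besides vbc.exe are assumptions.

```python
# Added example (not part of the sandbox report): flag hollowed .NET hosts
# running NirSoft tools, then pick out the injected-image dumps for them.
# Event fields the report does not show (ppid of the sample) are assumed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\07530460c9d449daa4faba251277a00cf26e741a144e0dcb8e55f27ab4f54caf.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
DW20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"

# Constructed from the report's process tree; ppid 1000 for the sample is assumed.
EVENTS = [
    ProcEvent(1648, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(240, 1648, VBC, VBC + ' /stext "' + TEMP + r'\holdermail.txt"'),
    ProcEvent(1860, 1648, VBC, VBC + ' /stext "' + TEMP + r'\holderwb.txt"'),
    ProcEvent(2012, 1648, DW20, "dw20.exe -x -s 1144"),
]

# Constructed from the report's Downloads list (sandbox dump file names).
DUMPS = [
    "memory/240-58-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/240-61-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/1648-54-0x0000000076451000-0x0000000076453000-memory.dmp",
    "memory/1648-60-0x00000000002E5000-0x00000000002F6000-memory.dmp",
    "memory/1860-62-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/1860-65-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/2012-68-0x0000000000610000-0x0000000000611000-memory.dmp",
]

# NirSoft "save output" switches: /stext, /stab, /scomma, /stabular, /shtml, /sverhtml, /sxml.
NIRSOFT_SAVE = re.compile(r"(?i)(?:^|\s)/s(?:text|tab|comma|tabular|html|verhtml|xml)\b")
# vbc.exe is the host in this report; the others are an assumption based on
# other .NET loaders that hollow Framework binaries in the same way.
HOLLOW_HOSTS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_nirsoft_in_host(events):
    """PIDs of hollow-host processes whose command line carries a NirSoft save
    switch. The real compiler has no such option, so the combination means a
    different image is executing inside the process."""
    return sorted(e.pid for e in events
                  if basename(e.image) in HOLLOW_HOSTS and NIRSOFT_SAVE.search(e.cmdline))


DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name: str):
    """Parse 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into
    (pid, start, end, size_kb); the size is what the report lists as Filesize."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("not a sandbox dump name: " + name)
    pid, _seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return int(pid), start, end, (end - start) // 1024


def injected_images(dumps, flagged_pids, image_base=0x400000):
    """Unique (pid, size_kb) of regions starting at the usual PE image base in
    flagged PIDs: in a hollowed process these are the payload images to carve
    and hash, not the host's own modules or stack/heap regions."""
    found = set()
    for name in dumps:
        pid, start, _end, size_kb = parse_dump(name)
        if pid in flagged_pids and start == image_base:
            found.add((pid, size_kb))
    return sorted(found)


if __name__ == "__main__":
    hits = detect_nirsoft_in_host(EVENTS)
    print("hollowed hosts running NirSoft tools:", hits)
    for pid, kb in injected_images(DUMPS, hits):
        print(f"  pid {pid}: injected image at 0x400000, {kb}KB")
```

On a live host the same rule maps onto Sysmon event ID 1 (ParentImage, Image, CommandLine) or a Windows 4688 event with command-line auditing enabled; the dump parser is only useful against sandbox output, but the carved 108KB and 352KB regions are what you would hash to confirm the NirSoft tools behind the two "2 IoCs" signatures.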