Analysis

  • max time kernel
    137s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    22/02/2022, 22:53

General

  • Target

    0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c.exe

  • Size

    521KB

  • MD5

    d4f46b9f4fe5b1d4a86c0e24fdcc4dae

  • SHA1

    846da87986e53202f4ebf79ff780e96331711b08

  • SHA256

    0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c

  • SHA512

    605782e589e17cdfee5ca5f0694aea7caffbc06f92ff31fb2c822b17ba6eef92865ba0fedf3fe8f11cefb34110308ad10af190a5423a7e4d90061979e9dcebae

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    GODbless888

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 6 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c.exe
    "C:\Users\Admin\AppData\Local\Temp\0718776d7e388781aba2fc604ff137e7122d113d71222ed856c08cca3898186c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:1060
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
          PID:2040
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 1372
          3⤵
          • Loads dropped DLL
          PID:1556

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/520-68-0x0000000000465000-0x0000000000476000-memory.dmp

            Filesize

            68KB

          • memory/520-62-0x00000000747E1000-0x00000000747E2000-memory.dmp

            Filesize

            4KB

          • memory/520-63-0x0000000000460000-0x0000000000461000-memory.dmp

            Filesize

            4KB

          • memory/520-64-0x00000000747E2000-0x00000000747E4000-memory.dmp

            Filesize

            8KB

          • memory/520-70-0x0000000000476000-0x0000000000477000-memory.dmp

            Filesize

            4KB

          • memory/1060-66-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1060-69-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1556-77-0x0000000002510000-0x0000000002511000-memory.dmp

            Filesize

            4KB

          • memory/1748-57-0x00000000747E2000-0x00000000747E4000-memory.dmp

            Filesize

            8KB

          • memory/1748-55-0x00000000747E1000-0x00000000747E2000-memory.dmp

            Filesize

            4KB

          • memory/1748-56-0x00000000021E0000-0x00000000021E1000-memory.dmp

            Filesize

            4KB

          • memory/1748-54-0x0000000075761000-0x0000000075763000-memory.dmp

            Filesize

            8KB

          • memory/2040-71-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB

          • memory/2040-73-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB