Analysis

  • max time kernel
    158s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    22/02/2022, 19:34

General

  • Target

    0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe

  • Size

    13.7MB

  • MD5

    c2183b7c9c1379e8f373afb7dc3ce5c6

  • SHA1

    aa108b83f7a8b3549da0d73fff9b7437a390ae74

  • SHA256

    0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2

  • SHA512

    cc2ef515ed510fb24c4646e485a91b48f8fd7a1c301d1097cb320dac84b527ac9674c39400bc095b17361ea375bb9b291fd714ce8c1efcd9a277d07a449ccdeb

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    zcb79451

Signatures

  • HawkEye

    HawkEye is a keylogger and credential-stealer kit that has seen continuous development since at least 2013. It typically bundles NirSoft recovery tools to harvest saved browser and mail-client passwords and exfiltrates the results over SMTP, FTP or HTTP; the extracted Gmail SMTP configuration above is the exfiltration channel for this sample.

  • NirSoft MailPassView 6 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 13 IoCs
  • Executes dropped EXE 9 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 14 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but drive enumeration is equally common in infostealers such as HawkEye, which search removable media for files of interest.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe
    "C:\Users\Admin\AppData\Local\Temp\0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Users\Admin\AppData\Local\Temp\SMB2021.dll.exe
      "C:\Users\Admin\AppData\Local\Temp\SMB2021.dll.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.txt
        3⤵
        • Executes dropped EXE
        PID:1704
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.txt
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1760
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.txt
        3⤵
        • Executes dropped EXE
        PID:1936
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.txt
        3⤵
        • Executes dropped EXE
        PID:1784
    • C:\Users\Admin\AppData\Local\Temp\34.exe
      "C:\Users\Admin\AppData\Local\Temp\34.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Users\Admin\AppData\Roaming\Windows Update.exe
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1920
    • C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe
      "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
        3⤵
        PID:1092
    • C:\Users\Admin\AppData\Local\Temp\result.exe
      "C:\Users\Admin\AppData\Local\Temp\result.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\result.exe" >> NUL
        3⤵
        PID:1860
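The process tree and the signatures above describe behaviours that translate directly into endpoint detections: NirSoft recovery tools invoked with /stext to dump recovered credentials to a text file, a JAR renamed to .exe and handed to javaw -jar, a binary called "Windows Update.exe" living under the roaming profile that registers a Run key, and a final cmd.exe /c del that removes the dropper that spawned it. The script below is an added example, not part of the sandbox report or of the HawkEye kit. It runs a handful of such rules over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) built from the tree above; the images, command lines and PIDs come from the report, while the Run-key value name, the SID and the benign control event are assumptions.

```python
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
SAMPLE = TEMP + r"\0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe"

# Constructed Sysmon-style events mirroring the process tree in this report.
# EventID 1 = process create, EventID 13 = registry value set.
# The Run-key value name, the SID and the last (benign) event are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 1660, "ParentImage": SAMPLE,
     "Image": TEMP + r"\SMB2021.dll.exe",
     "CommandLine": '"' + TEMP + r'\SMB2021.dll.exe"'},
    {"EventID": 1, "ProcessId": 1704, "ParentImage": TEMP + r"\SMB2021.dll.exe",
     "Image": TEMP + r"\WebBrowserPassView1.exe",
     "CommandLine": TEMP + r"\WebBrowserPassView1.exe /stext " + TEMP + r"\WebBrowserPassView1.txt"},
    {"EventID": 1, "ProcessId": 1920, "ParentImage": TEMP + r"\34.exe",
     "Image": ROAMING + r"\Windows Update.exe",
     "CommandLine": '"' + ROAMING + r'\Windows Update.exe"'},
    {"EventID": 1, "ProcessId": 1092, "ParentImage": TEMP + r"\saint-1.0-jar-with-dependencies.exe",
     "Image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "CommandLine": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "' + TEMP + r'\saint-1.0-jar-with-dependencies.exe"'},
    {"EventID": 1, "ProcessId": 1860, "ParentImage": TEMP + r"\result.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del "' + TEMP + r'\result.exe" >> NUL'},
    {"EventID": 13, "ProcessId": 1920, "Image": ROAMING + r"\Windows Update.exe",
     # Assumed value name and SID; the report only states that a Run key is added.
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "Details": ROAMING + r"\Windows Update.exe"},
    # Benign control (assumed): a user-driven cmd.exe deleting an unrelated file must not fire.
    {"EventID": 1, "ProcessId": 2000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\old.log"'},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_nirsoft_stext(ev):
    # NirSoft *PassView tools write recovered credentials to a file with /stext.
    return ev["EventID"] == 1 and re.search(r"\s/stext\s", ev["CommandLine"], re.I) is not None


def rule_self_delete(ev):
    # cmd.exe told to delete the image of its own parent: the parent is erasing itself.
    if ev["EventID"] != 1 or _basename(ev["Image"]) != "cmd.exe":
        return False
    m = re.search(r'/c\s+del\s+"?([^"\s]+)"?', ev["CommandLine"], re.I)
    return m is not None and m.group(1).lower() == ev["ParentImage"].lower()


def rule_masquerade_in_profile(ev):
    # A binary named like a Windows component but executing from the user profile.
    return (ev["EventID"] == 1
            and _basename(ev["Image"]) == "windows update.exe"
            and "\\appdata\\" in ev["Image"].lower())


def rule_jar_as_exe(ev):
    # javaw -jar pointed at a .exe: a JAR renamed to .exe so it passes as a native dropper.
    if ev["EventID"] != 1 or _basename(ev["Image"]) != "javaw.exe":
        return False
    m = re.search(r'-jar\s+"?([^"]+?)"?\s*$', ev["CommandLine"], re.I)
    return m is not None and m.group(1).lower().endswith(".exe")


def rule_run_key_from_profile(ev):
    # Run-key value whose data points at an executable under the user profile.
    return (ev["EventID"] == 13
            and "\\currentversion\\run\\" in ev["TargetObject"].lower()
            and "\\appdata\\" in ev.get("Details", "").lower())


RULES = {
    "nirsoft_stext": rule_nirsoft_stext,
    "self_delete": rule_self_delete,
    "masquerade_in_profile": rule_masquerade_in_profile,
    "jar_as_exe": rule_jar_as_exe,
    "run_key_from_profile": rule_run_key_from_profile,
}


def triage(events):
    """Return sorted (rule_name, pid) pairs for every event matching a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["ProcessId"]))
    return sorted(hits)


if __name__ == "__main__":
    for name, pid in triage(EVENTS):
        print(f"{name:24s} PID {pid}")
```

The self-delete rule compares the path passed to del against the parent's image rather than just matching "/c del", so an interactive user deleting a log file from a cmd.exe spawned by explorer.exe does not trigger it; the same parent-versus-argument comparison generalises to other self-removal idioms (ping-then-del, timeout-then-del) once the regex is widened.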

Downloads

  • memory/740-54-0x0000000076041000-0x0000000076043000-memory.dmp
    Filesize: 8KB
  • memory/760-76-0x0000000072992000-0x0000000072994000-memory.dmp
    Filesize: 8KB
  • memory/760-75-0x0000000000B00000-0x0000000000B01000-memory.dmp
    Filesize: 4KB
  • memory/760-74-0x0000000072991000-0x0000000072992000-memory.dmp
    Filesize: 4KB
  • memory/1092-67-0x000007FEFB8C1000-0x000007FEFB8C3000-memory.dmp
    Filesize: 8KB
  • memory/1092-80-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB
  • memory/1092-77-0x0000000002020000-0x0000000002290000-memory.dmp
    Filesize: 2.4MB
  • memory/1660-70-0x0000000072F4E000-0x0000000072F4F000-memory.dmp
    Filesize: 4KB
  • memory/1660-78-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
    Filesize: 4KB
  • memory/1660-79-0x0000000000C60000-0x0000000000CC2000-memory.dmp
    Filesize: 392KB
  • memory/1660-73-0x00000000010E0000-0x0000000001174000-memory.dmp
    Filesize: 592KB
  • memory/1920-105-0x0000000000520000-0x0000000000521000-memory.dmp
    Filesize: 4KB
  • memory/1920-104-0x0000000072991000-0x0000000072992000-memory.dmp
    Filesize: 4KB
  • memory/1920-106-0x0000000072992000-0x0000000072994000-memory.dmp
    Filesize: 8KB
  • memory/1920-109-0x0000000000536000-0x0000000000537000-memory.dmp
    Filesize: 4KB