Analysis

  • max time kernel
    139s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    22/02/2022, 20:49

General

  • Target

    0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe

  • Size

    506KB

  • MD5

    4c9b6f853ba3503aa128ed95bb9485c0

  • SHA1

    65c7ba7fd7bc6745ab4a2b2dde97015f64796995

  • SHA256

    0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25

  • SHA512

    8bdd7547ac203bb5a43deeb6070ca2bee5eada4bf6d7ea0b56f343a8fb5e4cbb18f9dd8595e1c15b4fc03c244f160e7a369ddbf415ada4a43404e73325ee6841

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    godfirst123123123

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe
    "C:\Users\Admin\AppData\Local\Temp\0b7ccc82f62e6002f1182554550a78bfa76a439faab75c0c16f8396eb420ce25.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      2⤵
      • Accesses Microsoft Outlook accounts
      PID:1140
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      2⤵
        PID:1164

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/288-55-0x0000000001F40000-0x0000000001F41000-memory.dmp

            Filesize

            4KB

          • memory/288-54-0x0000000073E41000-0x0000000073E42000-memory.dmp

            Filesize

            4KB

          • memory/288-56-0x0000000073E42000-0x0000000073E44000-memory.dmp

            Filesize

            8KB

          • memory/288-57-0x0000000076041000-0x0000000076043000-memory.dmp

            Filesize

            8KB

          • memory/288-58-0x0000000001F56000-0x0000000001F57000-memory.dmp

            Filesize

            4KB

          • memory/1140-59-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1140-61-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1164-62-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB

          • memory/1164-65-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB