Analysis

  • max time kernel
    4294208s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    10/03/2022, 02:55

General

  • Target

    6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe

  • Size

    522KB

  • MD5

    48d4d71b8425a1b2c6e338581eaa1a57

  • SHA1

    2eccb47306a0251a8767f80085c132807d24114e

  • SHA256

    6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b

  • SHA512

    c7048e207ed6d2d4efa85ace9e007325b0ac910d241d43a5bd5fc1e30cd5180651f494c08910c15d0b74555f6579976c332e2107642fad3af22588b573de6c4b

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe
    "C:\Users\Admin\AppData\Local\Temp\6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      2⤵
      • Accesses Microsoft Outlook accounts
      PID:444
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      2⤵
      PID:1604
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 448
      2⤵
      PID:828

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/444-57-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/444-60-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/828-69-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

  • memory/964-54-0x0000000075131000-0x0000000075133000-memory.dmp

    Filesize

    8KB

  • memory/964-55-0x00000000746C0000-0x0000000074C6B000-memory.dmp

    Filesize

    5.7MB

  • memory/964-56-0x0000000002150000-0x0000000002151000-memory.dmp

    Filesize

    4KB

  • memory/964-61-0x0000000002155000-0x0000000002166000-memory.dmp

    Filesize

    68KB

  • memory/964-66-0x0000000002166000-0x0000000002167000-memory.dmp

    Filesize

    4KB

  • memory/1604-62-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/1604-65-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB