Analysis

  • max time kernel
    4294209s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    10/03/2022, 03:46

General

  • Target

    68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe

  • Size

    430KB

  • MD5

    5be38d3bc0d36a3b177d1979dc0c4f66

  • SHA1

    596a4027afbcfa3b286972c777e52e16759bf809

  • SHA256

    68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764

  • SHA512

    f71fc5f4ed65286e1416d4bea0e4fac5b658ef0d835a659e47aae6b123b81687979644d16b669d2f3f8331ace293e260d2f0a34df17402f5d2292e55f924cfa3

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    YWhoQG..GhvdG1...

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 9 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 9 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 12 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs
  • Loads dropped DLL 11 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
    "C:\Users\Admin\AppData\Local\Temp\68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Users\Admin\AppData\Local\Temp\MULTIBOT05.exe
      "C:\Users\Admin\AppData\Local\Temp\MULTIBOT05.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:524
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:472
      • C:\Users\avatarrr\AppData\Roaming\Microsoft\Local\svchost.exe
        "C:\Users\avatarrr\AppData\Roaming\Microsoft\Local\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:1556
    • C:\Users\Admin\AppData\Local\Temp\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: SetClipboardViewer
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:600
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:620
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
          PID:1456
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 540
          3⤵
          • Loads dropped DLL
          PID:764

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/472-76-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

            Filesize

            9.6MB

          • memory/472-77-0x0000000001F40000-0x0000000001F42000-memory.dmp

            Filesize

            8KB

          • memory/472-75-0x000007FEF2BF0000-0x000007FEF3C86000-memory.dmp

            Filesize

            16.6MB

          • memory/472-80-0x0000000001F46000-0x0000000001F65000-memory.dmp

            Filesize

            124KB

          • memory/600-78-0x0000000074430000-0x00000000749DB000-memory.dmp

            Filesize

            5.7MB

          • memory/600-79-0x0000000000A90000-0x0000000000A91000-memory.dmp

            Filesize

            4KB

          • memory/600-98-0x0000000000AA6000-0x0000000000AA7000-memory.dmp

            Filesize

            4KB

          • memory/600-94-0x0000000000A95000-0x0000000000AA6000-memory.dmp

            Filesize

            68KB

          • memory/620-93-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/620-88-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/620-91-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/764-105-0x00000000003E0000-0x00000000003E1000-memory.dmp

            Filesize

            4KB

          • memory/1456-101-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB

          • memory/1456-95-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB

          • memory/1456-99-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB

          • memory/1556-87-0x0000000000936000-0x0000000000955000-memory.dmp

            Filesize

            124KB

          • memory/1556-86-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

            Filesize

            9.6MB

          • memory/1556-83-0x000007FEEE1B0000-0x000007FEEF246000-memory.dmp

            Filesize

            16.6MB

          • memory/1556-85-0x0000000000930000-0x0000000000932000-memory.dmp

            Filesize

            8KB

          • memory/1556-84-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

            Filesize

            9.6MB

          • memory/1940-54-0x0000000076A01000-0x0000000076A03000-memory.dmp

            Filesize

            8KB