Analysis

  • max time kernel
    4294213s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    10/03/2022, 04:16

General

  • Target

    673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe

  • Size

    578KB

  • MD5

    acf9e25c86232c4508b3cb2b94240efc

  • SHA1

    72bf43d4cdaef66fe09033a5b3c5ca71129c9215

  • SHA256

    673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996

  • SHA512

    296261037a6ceb1d1e43994a8d54c63ac17ee1be5c3f234bd10d38dc0121237e94d9cf16e54bea61dda0367596918ebd95d23e50fa1c40dd7f2e2a87365d8e1d

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 7 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe
    "C:\Users\Admin\AppData\Local\Temp\673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:304
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
          PID:1600

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/304-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

            Filesize

            8KB

          • memory/1600-65-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/1932-62-0x00000000743C0000-0x000000007496B000-memory.dmp

            Filesize

            5.7MB

          • memory/1932-63-0x00000000009E0000-0x00000000009E1000-memory.dmp

            Filesize

            4KB

          • memory/1932-64-0x00000000743C0000-0x000000007496B000-memory.dmp

            Filesize

            5.7MB