Overview

overview

10

Static

static

O729202098...DF.exe

windows7_x64

10

O729202098...DF.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    O7292020987725545.PDF.exe

  • Size

    784KB

  • MD5

    ea1fd15ccebbaf20b2d2c20e59289e2c

  • SHA1

    6c6fa518ea45ecefb182e7906aad81fc77b8bb4f

  • SHA256

    814a5dc8dbe791a8e554c6823eedb3b4e9bfcd1006901df2f3468f71d1dd8437

  • SHA512

    42143fa1befcf6afa28f454677963f509c9e044fbd26a0043659422cc009c1555b9a221d3a15fe2fd96b218c9a8e390e70cea4bdef00a0e30ba049babb4bb9d7

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\O7292020987725545.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\O7292020987725545.PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\O7292020987725545.PDF.exe
      "{path}"
      2⤵
        PID:4956
      • C:\Users\Admin\AppData\Local\Temp\O7292020987725545.PDF.exe
        "{path}"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4576
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:5044
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2040

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\O7292020987725545.PDF.exe.log
      Filesize

      1KB

      MD5

      8ec831f3e3a3f77e4a7b9cd32b48384c

      SHA1

      d83f09fd87c5bd86e045873c231c14836e76a05c

      SHA256

      7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

      SHA512

      26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      3KB

      MD5

      f94dc819ca773f1e3cb27abbc9e7fa27

      SHA1

      9a7700efadc5ea09ab288544ef1e3cd876255086

      SHA256

      a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

      SHA512

      72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

      Download Submit

    • memory/2028-131-0x0000000005DF0000-0x0000000006394000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2028-132-0x0000000005840000-0x00000000058D2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2028-133-0x0000000005810000-0x000000000581A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2028-134-0x00000000093D0000-0x000000000946C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2028-130-0x0000000000EB0000-0x0000000000F7A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/2040-144-0x0000000000000000-mapping.dmp

      Download

    • memory/2040-150-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2040-149-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2040-146-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4576-140-0x0000000007D80000-0x0000000007DE6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4576-139-0x00000000053A0000-0x00000000053F6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4576-137-0x0000000000400000-0x0000000000488000-memory.dmp

      Filesize

      544KB

      Download

    • memory/4576-136-0x0000000000000000-mapping.dmp

      Download

    • memory/4956-135-0x0000000000000000-mapping.dmp

      Download

    • memory/5044-142-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/5044-141-0x0000000000000000-mapping.dmp

      Download

    • memory/5044-145-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/5044-148-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download