Overview

overview

10

Static

static

l018576683...DF.exe

windows7_x64

10

l018576683...DF.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    104s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    l0185766832020805.PDF.exe

  • Size

    704KB

  • MD5

    97b7848d96c0c8597f343302ccb46c2d

  • SHA1

    7d83dc7b96f9a1b7791410661b314cfd6812e8d9

  • SHA256

    f530b8632c088e021b96196b12490d2b6c4e7d2ca04b03a8646cc4a45f8de36c

  • SHA512

    7e5697f22a99f4b1388cc083689b63719c4c0bd4aa88b4c9724952c44ce9bfd677a0cbc916e03ff87b1dc607d89636962dc07a9ee088938ffbc84a0f1da45236

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\l0185766832020805.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\l0185766832020805.PDF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LDRDxeRluRmdiB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA28.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4476
    • C:\Users\Admin\AppData\Local\Temp\l0185766832020805.PDF.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:864
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\l0185766832020805.PDF.exe.log
    Filesize

    412B

    MD5

    ad1c7f6525cfeb54c0487efd38b0e26c

    SHA1

    ed3da94723ac7e3828a9e93d68418bb810592f3b

    SHA256

    0a534a3d0fa82e6a427164c5f6e702cac7e4afc9967af9bc5ddba4f84ab33276

    SHA512

    48d625e6be5391d91d95c2850226fe39bb2411cb72139797699cfe126e6b066182e83950a8ea67e63b64a66b0d45f58d8bc97cab0363d55c2fd88c0d1d28009c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpBA28.tmp
    Filesize

    1KB

    MD5

    3ca4f19be0084200429be8d945f802e9

    SHA1

    249509714e15247e3560cd62e9ae71a4702936c4

    SHA256

    b55611ca57521d4baa9df1212a32a46afd4b7cd2c98fef5ba05b3c52af06c7fc

    SHA512

    126c57171381b701de610e4fe0ba6ed876cc1c3e1f810753cb45e0fa2b3acaa2e1440730f662b73e1a07a9933f36f1246533576d3f493946125ea67d7eb4d5fe

    Download Submit
  • memory/864-142-0x0000000000000000-mapping.dmp
    Download
  • memory/864-146-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/864-145-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/864-143-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1640-131-0x0000000004DE0000-0x0000000004E7C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1640-132-0x0000000004F20000-0x0000000004FB2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1640-130-0x0000000000020000-0x00000000000D6000-memory.dmp
    Filesize

    728KB

    Download
  • memory/4476-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4812-147-0x0000000000000000-mapping.dmp
    Download
  • memory/4812-148-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/4812-150-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/4812-151-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/5040-135-0x0000000000000000-mapping.dmp
    Download
  • memory/5040-141-0x00000000081A0000-0x0000000008206000-memory.dmp
    Filesize

    408KB

    Download
  • memory/5040-140-0x0000000005100000-0x0000000005156000-memory.dmp
    Filesize

    344KB

    Download
  • memory/5040-139-0x0000000004E10000-0x0000000004E1A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/5040-138-0x0000000005480000-0x0000000005A24000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/5040-136-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize

    544KB

    Download