Overview

overview

10

Static

static

order.exe

windows7_x64

10

order.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order.exe

  • Size

    713KB

  • MD5

    0b6d5d917fd841fc0ccb900d1d0817d2

  • SHA1

    fe706ce3530b8be18f49a195c621dfc77b4f2fce

  • SHA256

    01c7dd686988aded4a1730159eaaa2f4ecfb9f53dc93a3f9ba0503b7698aa454

  • SHA512

    b83f7d278553e06903bbc798cfbea3d671b86756a04d2562db33da3e406f7124c1e3862a0286c9406ada254e8e173af428d8364296d309db55689121ac9a50a1

Score
10/10
hawkeyecollectionevasionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\order.exe
    "C:\Users\Admin\AppData\Local\Temp\order.exe"
    1⤵
    • Checks computer location settings
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4120
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:688
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HtyuqY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB21E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4452
    • C:\Users\Admin\AppData\Local\Temp\order.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:4104
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2784
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 2192
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:4984

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\order.exe.log
    Filesize

    496B

    MD5

    cb76b18ebed3a9f05a14aed43d35fba6

    SHA1

    836a4b4e351846fca08b84149cb734cb59b8c0d6

    SHA256

    8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

    SHA512

    7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpB21E.tmp
    Filesize

    1KB

    MD5

    5ca4cf74ade568d749b65893c7d6e3e1

    SHA1

    b0ca5a899a885bfb975f5f50e1694f9aeec5fac7

    SHA256

    37760a11a46daf1168105cb77b5f53e7263e4ba249cdd485f65a71554b96772f

    SHA512

    d7b1e88a96ed0a657215388548ae9b48d9c8832725658a24e119a2e0b1d682752a8121f3190770840fbb3240f3443d71d3b00bd79e75fc9169fa95c423129627

    Download Submit
  • memory/548-153-0x0000000074CD0000-0x0000000075281000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/548-151-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize

    544KB

    Download
  • memory/548-150-0x0000000000000000-mapping.dmp
    Download
  • memory/688-146-0x0000000007560000-0x000000000757A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/688-136-0x00000000058E0000-0x0000000005946000-memory.dmp
    Filesize

    408KB

    Download
  • memory/688-138-0x00000000064E0000-0x0000000006512000-memory.dmp
    Filesize

    200KB

    Download
  • memory/688-139-0x000000006E9F0000-0x000000006EA3C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/688-140-0x00000000064C0000-0x00000000064DE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/688-141-0x0000000007870000-0x0000000007EEA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/688-142-0x0000000007220000-0x000000000723A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/688-143-0x0000000007290000-0x000000000729A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/688-144-0x00000000074A0000-0x0000000007536000-memory.dmp
    Filesize

    600KB

    Download
  • memory/688-145-0x0000000007450000-0x000000000745E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/688-131-0x0000000000000000-mapping.dmp
    Download
  • memory/688-147-0x0000000007540000-0x0000000007548000-memory.dmp
    Filesize

    32KB

    Download
  • memory/688-132-0x0000000002610000-0x0000000002646000-memory.dmp
    Filesize

    216KB

    Download
  • memory/688-137-0x0000000005F10000-0x0000000005F2E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/688-135-0x0000000005840000-0x00000000058A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/688-134-0x0000000004F70000-0x0000000004F92000-memory.dmp
    Filesize

    136KB

    Download
  • memory/688-133-0x0000000005160000-0x0000000005788000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2784-159-0x0000000000000000-mapping.dmp
    Download
  • memory/2784-160-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/2784-162-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/2784-163-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/4104-154-0x0000000000000000-mapping.dmp
    Download
  • memory/4104-155-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4104-157-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4104-158-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4120-130-0x0000000074CD0000-0x0000000075281000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4452-148-0x0000000000000000-mapping.dmp
    Download
  • memory/4984-165-0x0000000000000000-mapping.dmp
    Download