Analysis

  • max time kernel
    111s
  • max time network
    114s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 18:33

General

  • Target

    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe

  • Size

    1MB

  • MD5

    cc5e307e68ccb5b363a1d8125e0edfb1

  • SHA1

    0937747b83e0624bec024daadeaf5c7effdbcb36

  • SHA256

    82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5

  • SHA512

    ac464272963a2208cf7061e22c75d2ae5b9c76ade74cd1c21aeb28690d2d2ccee45c2cfafe09ad588a56a802f438dfc9a56e60792f87e483db727b8286968815

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    outback.websitewelcome.com
  • Port:
    587
  • Username:
    sungearmotors@2020weddingeventz2.com
  • Password:
    chukwuma12

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 8 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 8 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 12 IoCs
  • Drops startup file 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:1888
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
          PID:672

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution

    Scripting

    1
    T1064

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Collection

    Email Collection

    1
    T1114

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/672-81-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/672-80-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/672-77-0x0000000000442628-mapping.dmp
    • memory/672-76-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1468-54-0x0000000075371000-0x0000000075373000-memory.dmp
      Filesize

      8KB

    • memory/1468-64-0x0000000003AB0000-0x0000000003BB5000-memory.dmp
      Filesize

      1MB

    • memory/1468-65-0x0000000003BC0000-0x0000000003CC5000-memory.dmp
      Filesize

      1MB

    • memory/1876-68-0x0000000073DC0000-0x000000007436B000-memory.dmp
      Filesize

      5MB

    • memory/1876-74-0x0000000000BC6000-0x0000000000BD7000-memory.dmp
      Filesize

      68KB

    • memory/1876-66-0x0000000000400000-0x0000000000488000-memory.dmp
      Filesize

      544KB

    • memory/1876-63-0x0000000000400000-0x0000000000488000-memory.dmp
      Filesize

      544KB

    • memory/1876-62-0x0000000000480C6E-mapping.dmp
    • memory/1876-57-0x0000000000400000-0x0000000000488000-memory.dmp
      Filesize

      544KB

    • memory/1876-55-0x0000000000400000-0x0000000000488000-memory.dmp
      Filesize

      544KB

    • memory/1888-70-0x0000000000411654-mapping.dmp
    • memory/1888-69-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

    • memory/1888-73-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

    • memory/1888-75-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB