General
Target

Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe

Filesize

1MB

Completed

21-05-2022 18:36

Task

behavioral1

Score
10/10
MD5

cc5e307e68ccb5b363a1d8125e0edfb1

SHA1

0937747b83e0624bec024daadeaf5c7effdbcb36

SHA256

82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5

SHA512

ac464272963a2208cf7061e22c75d2ae5b9c76ade74cd1c21aeb28690d2d2ccee45c2cfafe09ad588a56a802f438dfc9a56e60792f87e483db727b8286968815

Malware Config

Extracted

Credentials (SMTP account the stealer uses to mail out harvested data)

Protocol: smtp

Host: outback.websitewelcome.com

Port: 587

Username: sungearmotors@2020weddingeventz2.com

Password: chukwuma12

Signatures 16

  • HawkEye

    Description

    HawkEye is a commodity keylogger and credential-stealer kit that has seen continuous development since at least 2013. In this run it carries the NirSoft MailPassView and WebBrowserPassView recovery tools and injects them into vbc.exe to harvest stored e-mail and browser credentials (see the vbc.exe processes below).

  • NirSoft MailPassView

    Description

    Password recovery tool for various email clients

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1876-57-0x0000000000400000-0x0000000000488000-memory.dmp | MailPassView
    behavioral1/memory/1876-62-0x0000000000480C6E-mapping.dmp | MailPassView
    behavioral1/memory/1876-63-0x0000000000400000-0x0000000000488000-memory.dmp | MailPassView
    behavioral1/memory/1876-66-0x0000000000400000-0x0000000000488000-memory.dmp | MailPassView
    behavioral1/memory/1888-70-0x0000000000411654-mapping.dmp | MailPassView
    behavioral1/memory/1888-69-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral1/memory/1888-73-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral1/memory/1888-75-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  • NirSoft WebBrowserPassView

    Description

    Password recovery tool for various web browsers

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1876-57-0x0000000000400000-0x0000000000488000-memory.dmp | WebBrowserPassView
    behavioral1/memory/1876-62-0x0000000000480C6E-mapping.dmp | WebBrowserPassView
    behavioral1/memory/1876-63-0x0000000000400000-0x0000000000488000-memory.dmp | WebBrowserPassView
    behavioral1/memory/1876-66-0x0000000000400000-0x0000000000488000-memory.dmp | WebBrowserPassView
    behavioral1/memory/672-76-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
    behavioral1/memory/672-77-0x0000000000442628-mapping.dmp | WebBrowserPassView
    behavioral1/memory/672-80-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
    behavioral1/memory/672-81-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  • Nirsoft

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1876-57-0x0000000000400000-0x0000000000488000-memory.dmp | Nirsoft
    behavioral1/memory/1876-62-0x0000000000480C6E-mapping.dmp | Nirsoft
    behavioral1/memory/1876-63-0x0000000000400000-0x0000000000488000-memory.dmp | Nirsoft
    behavioral1/memory/1876-66-0x0000000000400000-0x0000000000488000-memory.dmp | Nirsoft
    behavioral1/memory/1888-70-0x0000000000411654-mapping.dmp | Nirsoft
    behavioral1/memory/1888-69-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral1/memory/1888-73-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral1/memory/1888-75-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral1/memory/672-76-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
    behavioral1/memory/672-77-0x0000000000442628-mapping.dmp | Nirsoft
    behavioral1/memory/672-80-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
    behavioral1/memory/672-81-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  • Drops startup file
    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FsIso.url | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
  • Uses the VBS compiler for execution

    Description

    vbc.exe is the Visual Basic .NET compiler shipped with the .NET Framework. Here it compiles nothing: MSBuild.exe starts it suspended, overwrites its memory and resumes it, so it serves only as a signed host process for the injected NirSoft tools (see the vbc.exe entries under Processes).

    TTPs

    Scripting
  • Accesses Microsoft Outlook accounts
    vbc.exe

    TTPs

    Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
  • Adds Run key to start application
    MSBuild.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | MSBuild.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    3 | whatismyipaddress.com
  • Suspicious use of SetThreadContext
    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe, MSBuild.exe

    Reported IOCs

    description | pid | process | target process
    PID 1468 set thread context of 1876 | 1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 1876 set thread context of 1888 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 set thread context of 672 | 1876 | MSBuild.exe | vbc.exe
  • Suspicious behavior: EnumeratesProcesses
    MSBuild.exe

    Reported IOCs

    pid | process
    1876 | MSBuild.exe
  • Suspicious use of AdjustPrivilegeToken
    MSBuild.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1876 | MSBuild.exe
  • Suspicious use of FindShellTrayWindow
    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe

    Reported IOCs

    pid | process
    1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
    1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
    1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
  • Suspicious use of SendNotifyMessage
    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe

    Reported IOCs

    pid | process
    1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
    1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
    1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
  • Suspicious use of SetWindowsHookEx
    MSBuild.exe

    Reported IOCs

    pid | process
    1876 | MSBuild.exe
  • Suspicious use of WriteProcessMemory
    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe, MSBuild.exe

    Reported IOCs

    description | pid | process | target process
    PID 1468 wrote to memory of 1876 | 1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 1468 wrote to memory of 1876 | 1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 1468 wrote to memory of 1876 | 1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 1468 wrote to memory of 1876 | 1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 1468 wrote to memory of 1876 | 1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 1468 wrote to memory of 1876 | 1468 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 1876 wrote to memory of 1888 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 1888 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 1888 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 1888 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 1888 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 1888 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 1888 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 1888 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 1888 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 1888 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 672 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 672 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 672 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 672 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 672 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 672 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 672 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 672 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 672 | 1876 | MSBuild.exe | vbc.exe
    PID 1876 wrote to memory of 672 | 1876 | MSBuild.exe | vbc.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe"
    Drops startup file
    Suspicious use of SetThreadContext
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        Accesses Microsoft Outlook accounts
        PID:1888
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        PID:672
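The process tree above (a dropper in Temp starting MSBuild.exe with no project argument, which then starts two vbc.exe instances that run the NirSoft "/stext" save-to-text switch), together with the Run key and Startup-folder IOCs, is enough to write host-telemetry detections. The Python below is an added example, not part of this report and not a rule from any vendor. The Event schema is hypothetical, the sample events are constructed from the report's IOCs (the dropper's parent, explorer.exe, is assumed; the report does not show it), and a few benign look-alikes are included to show what the rules must not flag.

```python
"""Detection logic for the HawkEye execution chain in this report (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

DOTNET_DIR = r"\windows\microsoft.net\framework"


@dataclass
class Event:
    kind: str                 # "process", "registry" or "file" (hypothetical schema)
    image: str = ""           # process performing the action, or the process created
    parent_image: str = ""    # parent of a created process
    command_line: str = ""
    target: str = ""          # registry value path or file path touched
    data: str = ""            # registry value data


def _norm(path: str) -> str:
    """Lower-case, drop surrounding quotes and collapse runs of backslashes
    (the report renders the injected MSBuild command line with doubled backslashes)."""
    return re.sub(r"\\+", r"\\", path).strip().strip('"').lower()


def _is_framework_binary(path: str, name: str) -> bool:
    p = _norm(path)
    return DOTNET_DIR in p and p.endswith("\\" + name)


def _in_user_writable(path: str) -> bool:
    p = _norm(path)
    return "\\appdata\\local\\temp\\" in p or "\\appdata\\roaming\\" in p


def vbc_stext_dump(ev: Event) -> bool:
    # vbc.exe (the VB.NET compiler) has no /stext switch; "/stext <file>" is the
    # NirSoft PassView save-to-text option, so an injected tool is running inside it.
    return (ev.kind == "process" and _is_framework_binary(ev.image, "vbc.exe")
            and re.search(r"(?i)(^|\s)/stext\s", ev.command_line) is not None)


def msbuild_spawned_from_user_dir(ev: Event) -> bool:
    # MSBuild.exe started with no arguments at all by a binary in a user-writable
    # directory: a build tool with nothing to build is a hollowing host.
    if ev.kind != "process" or not _is_framework_binary(ev.image, "msbuild.exe"):
        return False
    no_args = _norm(ev.command_line) == _norm(ev.image)
    return no_args and _in_user_writable(ev.parent_image)


def run_key_into_appdata(ev: Event) -> bool:
    # Per-user ...\CurrentVersion\Run value whose data points into AppData.
    return (ev.kind == "registry"
            and "\\software\\microsoft\\windows\\currentversion\\run\\" in _norm(ev.target)
            and _in_user_writable(ev.data))


def startup_folder_url(ev: Event) -> bool:
    # A .url shortcut written to the per-user Startup folder (FsIso.url in this report).
    t = _norm(ev.target)
    return ev.kind == "file" and "\\start menu\\programs\\startup\\" in t and t.endswith(".url")


RULES: Dict[str, Callable[[Event], bool]] = {
    f.__name__: f for f in (vbc_stext_dump, msbuild_spawned_from_user_dir,
                            run_key_into_appdata, startup_folder_url)
}


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, acting image) for every event some rule matches."""
    return [(name, ev.image) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed from the report's process tree and IOCs.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe"
FRAMEWORK = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SID = "S-1-5-21-1083475884-596052423-1669053738-1000"

SAMPLE_EVENTS = [
    # PID 1468: the dropper (parent explorer.exe is an assumption)
    Event("process", image=DROPPER, parent_image=r"C:\Windows\explorer.exe", command_line=f'"{DROPPER}"'),
    # PID 1876: MSBuild.exe with no arguments, spawned by the dropper and then hollowed
    Event("process", image=FRAMEWORK + r"\MSBuild.exe", parent_image=DROPPER,
          command_line=r'"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"'),
    # PIDs 1888 and 672: vbc.exe hosts for MailPassView and WebBrowserPassView
    Event("process", image=FRAMEWORK + r"\vbc.exe", parent_image=FRAMEWORK + r"\MSBuild.exe",
          command_line=FRAMEWORK + r'\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    Event("process", image=FRAMEWORK + r"\vbc.exe", parent_image=FRAMEWORK + r"\MSBuild.exe",
          command_line=FRAMEWORK + r'\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"'),
    # Persistence written by MSBuild.exe (Run key) and the dropper (Startup folder)
    Event("registry", image=FRAMEWORK + r"\MSBuild.exe",
          target=rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
          data=r"C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"),
    Event("file", image=DROPPER,
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FsIso.url"),
]

BENIGN_EVENTS = [  # constructed: a real build and a vendor Run key must not fire
    Event("process", image=FRAMEWORK + r"\MSBuild.exe",
          parent_image=r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
          command_line=FRAMEWORK + r'\MSBuild.exe "C:\src\App\App.vbproj" /t:Build'),
    Event("process", image=FRAMEWORK + r"\vbc.exe", parent_image=FRAMEWORK + r"\MSBuild.exe",
          command_line=FRAMEWORK + r'\vbc.exe /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmp1A2B.cmdline"'),
    Event("registry", image=r"C:\Program Files\Vendor\Setup.exe",
          target=rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
          data=r"C:\Program Files\Vendor\Agent.exe"),
]

if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"{name:32s} {image}")
    print("benign hits:", detect(BENIGN_EVENTS))
```

The MSBuild rule keys on the absence of any argument rather than on the parent alone, because MSBuild legitimately runs from many parents but never usefully with nothing to build; the vbc rule keys on the NirSoft switch rather than on vbc.exe itself, since the compiler is routinely spawned by MSBuild during real builds.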
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Techniques reported in the signatures above: Scripting (Execution), Email Collection (Collection), Registry Run Keys / Startup Folder (Persistence, Privilege Escalation), Modify Registry (Defense Evasion)
Downloads
• C:\Users\Admin\AppData\Local\Temp\holderwb.txt

  MD5    f3b25701fe362ec84616a93a45ce9998
  SHA1   d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

• memory/672-81-0x0000000000400000-0x0000000000458000-memory.dmp
• memory/672-80-0x0000000000400000-0x0000000000458000-memory.dmp
• memory/672-77-0x0000000000442628-mapping.dmp
• memory/672-76-0x0000000000400000-0x0000000000458000-memory.dmp
• memory/1468-64-0x0000000003AB0000-0x0000000003BB5000-memory.dmp
• memory/1468-65-0x0000000003BC0000-0x0000000003CC5000-memory.dmp
• memory/1468-54-0x0000000075371000-0x0000000075373000-memory.dmp
• memory/1876-68-0x0000000073DC0000-0x000000007436B000-memory.dmp
• memory/1876-66-0x0000000000400000-0x0000000000488000-memory.dmp
• memory/1876-57-0x0000000000400000-0x0000000000488000-memory.dmp
• memory/1876-55-0x0000000000400000-0x0000000000488000-memory.dmp
• memory/1876-74-0x0000000000BC6000-0x0000000000BD7000-memory.dmp
• memory/1876-63-0x0000000000400000-0x0000000000488000-memory.dmp
• memory/1876-62-0x0000000000480C6E-mapping.dmp
• memory/1888-75-0x0000000000400000-0x000000000041B000-memory.dmp
• memory/1888-69-0x0000000000400000-0x000000000041B000-memory.dmp
• memory/1888-73-0x0000000000400000-0x000000000041B000-memory.dmp
• memory/1888-70-0x0000000000411654-mapping.dmp
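The dump names above follow the pattern memory/<pid>-<sequence>-0x<start>[-0x<end>]-<memory|mapping>.dmp, and in the signature tables earlier on the page each name is followed by the YARA rule that matched it. The Python below is an added example, not part of the report: it parses that naming scheme, groups the dumps by PID so the analyst can see which regions of MSBuild.exe (1876) and the two vbc.exe hosts (1888, 672) carried the NirSoft tool hits, and checks whether a dropped file's hashes are those of a two-byte CRLF file, which would mean the tool wrote its output file but found nothing to put in it. The dump names and hashes are copied from this report; the parsing and the CRLF check are mine.

```python
"""Parse Triage-style memory dump names and YARA hits from this report (added example)."""
import hashlib
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp, optionally
# followed by the YARA rule name as it appears in the signature tables.
DUMP_RE = re.compile(
    r"^(?:behavioral1/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp(?P<rule>[A-Za-z]*)$"
)


def parse_dump_name(name: str) -> dict:
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16) if m["end"] else None,   # mapping dumps carry one address
        "kind": m["kind"], "rule": m["rule"] or None,
    }


def summarize(names: Iterable[str]) -> Dict[int, dict]:
    """Per PID: distinct dumped regions, mapping addresses and the YARA rules that hit."""
    out = defaultdict(lambda: {"regions": set(), "mappings": set(), "rules": set()})
    for n in names:
        d = parse_dump_name(n)
        p = out[d["pid"]]
        if d["kind"] == "memory":
            p["regions"].add((d["start"], d["end"]))
        else:
            p["mappings"].add(d["start"])
        if d["rule"]:
            p["rules"].add(d["rule"])
    return dict(out)


def region_size(region) -> int:
    start, end = region
    return end - start


CRLF_HASHES = {alg: getattr(hashlib, alg)(b"\r\n").hexdigest() for alg in ("md5", "sha1", "sha256")}


def is_crlf_only_file(md5: Optional[str] = None, sha1: Optional[str] = None,
                      sha256: Optional[str] = None) -> bool:
    """True when every supplied hash is the hash of a file containing only "\\r\\n"."""
    supplied = [(k, v.lower()) for k, v in (("md5", md5), ("sha1", sha1), ("sha256", sha256)) if v]
    return bool(supplied) and all(CRLF_HASHES[k] == v for k, v in supplied)


# Copied from the report's signature tables and Downloads list.
REPORT_DUMPS = [
    "behavioral1/memory/1876-57-0x0000000000400000-0x0000000000488000-memory.dmpMailPassView",
    "behavioral1/memory/1876-62-0x0000000000480C6E-mapping.dmpMailPassView",
    "behavioral1/memory/1876-57-0x0000000000400000-0x0000000000488000-memory.dmpWebBrowserPassView",
    "behavioral1/memory/1876-57-0x0000000000400000-0x0000000000488000-memory.dmpNirsoft",
    "behavioral1/memory/1888-70-0x0000000000411654-mapping.dmpMailPassView",
    "behavioral1/memory/1888-69-0x0000000000400000-0x000000000041B000-memory.dmpMailPassView",
    "behavioral1/memory/1888-69-0x0000000000400000-0x000000000041B000-memory.dmpNirsoft",
    "behavioral1/memory/672-76-0x0000000000400000-0x0000000000458000-memory.dmpWebBrowserPassView",
    "behavioral1/memory/672-77-0x0000000000442628-mapping.dmpWebBrowserPassView",
    "behavioral1/memory/672-76-0x0000000000400000-0x0000000000458000-memory.dmpNirsoft",
    "memory/1468-64-0x0000000003AB0000-0x0000000003BB5000-memory.dmp",
    "memory/1876-68-0x0000000073DC0000-0x000000007436B000-memory.dmp",
]

if __name__ == "__main__":
    for pid, info in sorted(summarize(REPORT_DUMPS).items()):
        regions = ", ".join(f"0x{s:X}-0x{e:X} ({region_size((s, e)):#x} bytes)"
                            for s, e in sorted(info["regions"]))
        print(f"PID {pid}: {regions}; rules {sorted(info['rules'])}")
    print("holderwb.txt is CRLF-only:", is_crlf_only_file(
        md5="f3b25701fe362ec84616a93a45ce9998",
        sha1="d62636d8caec13f04e28442a0a6fa1afeb024bbb",
        sha256="b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209"))
```

The region at 0x400000 in each of the three processes is the injected image (the hollowed module base), which is why the YARA hits all land there; the 1876 dumps match both tool rules because the HawkEye body carries the embedded NirSoft binaries before it writes them into vbc.exe. When pulling dumps for static analysis, the 0x400000 region of 1888 and 672 is the one to fetch.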