General

Target:    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
Filesize:  1MB
Completed: 21-05-2022 18:36
Task:      behavioral2
Score:     10/10
MD5:       cc5e307e68ccb5b363a1d8125e0edfb1
SHA1:      0937747b83e0624bec024daadeaf5c7effdbcb36
SHA256:    82ffa88d2b058317fcbc1af1c6fe06d7927be41ee28c7473a397f3db42670ca5
SHA512:    ac464272963a2208cf7061e22c75d2ae5b9c76ade74cd1c21aeb28690d2d2ccee45c2cfafe09ad588a56a802f438dfc9a56e60792f87e483db727b8286968815

Malware Config

Extracted

Credentials
  Protocol: smtp
  Host:     outback.websitewelcome.com
  Port:     587
  Username: sungearmotors@2020weddingeventz2.com
  Password: chukwuma12

Signatures (16)

Tactic tags: Collection, Defense Evasion, Persistence
  • HawkEye

    Description

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView

    Description

    Password recovery tool for various email clients

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2108-133-0x0000000000600000-0x0000000000688000-memory.dmp | MailPassView
    behavioral2/memory/4200-139-0x0000000000000000-mapping.dmp | MailPassView
    behavioral2/memory/4200-140-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral2/memory/4200-142-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral2/memory/4200-143-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  • NirSoft WebBrowserPassView

    Description

    Password recovery tool for various web browsers

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2108-133-0x0000000000600000-0x0000000000688000-memory.dmp | WebBrowserPassView
    behavioral2/memory/3792-144-0x0000000000000000-mapping.dmp | WebBrowserPassView
    behavioral2/memory/3792-145-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
    behavioral2/memory/3792-147-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
    behavioral2/memory/3792-148-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  • Nirsoft

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2108-133-0x0000000000600000-0x0000000000688000-memory.dmp | Nirsoft
    behavioral2/memory/4200-139-0x0000000000000000-mapping.dmp | Nirsoft
    behavioral2/memory/4200-140-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral2/memory/4200-142-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral2/memory/4200-143-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral2/memory/3792-144-0x0000000000000000-mapping.dmp | Nirsoft
    behavioral2/memory/3792-145-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
    behavioral2/memory/3792-147-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
    behavioral2/memory/3792-148-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  • Drops startup file
    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FsIso.url | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Accesses Microsoft Outlook accounts
    vbc.exe

    TTPs

    Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
  • Adds Run key to start application
    MSBuild.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | MSBuild.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    11 | whatismyipaddress.com
    13 | whatismyipaddress.com
  • Suspicious use of SetThreadContext
    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe, MSBuild.exe

    Reported IOCs

    description | pid | process | target process
    PID 1088 set thread context of 2108 | 1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 2108 set thread context of 4200 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 set thread context of 3792 | 2108 | MSBuild.exe | vbc.exe
  • Suspicious behavior: EnumeratesProcesses
    vbc.exe, MSBuild.exe

    Reported IOCs

    pid | process
    3792 | vbc.exe
    3792 | vbc.exe
    2108 | MSBuild.exe
  • Suspicious use of AdjustPrivilegeToken
    MSBuild.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2108 | MSBuild.exe
  • Suspicious use of FindShellTrayWindow
    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe

    Reported IOCs

    pid | process
    1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
    1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
    1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
  • Suspicious use of SendNotifyMessage
    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe

    Reported IOCs

    pid | process
    1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
    1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
    1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
  • Suspicious use of SetWindowsHookEx
    MSBuild.exe

    Reported IOCs

    pid | process
    2108 | MSBuild.exe
  • Suspicious use of WriteProcessMemory
    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe, MSBuild.exe

    Reported IOCs

    description | pid | process | target process
    PID 1088 wrote to memory of 2108 | 1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 1088 wrote to memory of 2108 | 1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 1088 wrote to memory of 2108 | 1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 1088 wrote to memory of 2108 | 1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 1088 wrote to memory of 2108 | 1088 | Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe | MSBuild.exe
    PID 2108 wrote to memory of 4200 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 4200 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 4200 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 4200 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 4200 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 4200 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 4200 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 4200 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 4200 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 3792 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 3792 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 3792 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 3792 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 3792 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 3792 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 3792 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 3792 | 2108 | MSBuild.exe | vbc.exe
    PID 2108 wrote to memory of 3792 | 2108 | MSBuild.exe | vbc.exe
Processes (4)
  • C:\Users\Admin\AppData\Local\Temp\Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.exe"
    Drops startup file
    Suspicious use of SetThreadContext
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        Accesses Microsoft Outlook accounts
        PID:4200
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        Suspicious behavior: EnumeratesProcesses
        PID:3792
Network

MITRE ATT&CK Matrix

Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    MD5:    f94dc819ca773f1e3cb27abbc9e7fa27
    SHA1:   9a7700efadc5ea09ab288544ef1e3cd876255086
    SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
    SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

  • memory/1088-131-0x0000000005420000-0x0000000005525000-memory.dmp
  • memory/1088-130-0x0000000005530000-0x0000000005635000-memory.dmp
  • memory/2108-133-0x0000000000600000-0x0000000000688000-memory.dmp
  • memory/2108-138-0x00000000754F0000-0x0000000075AA1000-memory.dmp
  • memory/2108-132-0x0000000000000000-mapping.dmp
  • memory/3792-147-0x0000000000400000-0x0000000000458000-memory.dmp
  • memory/3792-148-0x0000000000400000-0x0000000000458000-memory.dmp
  • memory/3792-144-0x0000000000000000-mapping.dmp
  • memory/3792-145-0x0000000000400000-0x0000000000458000-memory.dmp
  • memory/4200-143-0x0000000000400000-0x000000000041B000-memory.dmp
  • memory/4200-139-0x0000000000000000-mapping.dmp
  • memory/4200-140-0x0000000000400000-0x000000000041B000-memory.dmp
  • memory/4200-142-0x0000000000400000-0x000000000041B000-memory.dmp