hawkeye | 3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0

General

Target

3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
Size

1.1MB
MD5

93e14e7f69673f008a2cec126e19ea60
SHA1

dd753748784deb2b9a09ab3892521878a655a237
SHA256

3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0
SHA512

0c0b92446c0a52ddd47459de4d34e2c402a18f34aa0e67de2cc49e9245df4c06d27d704918aed34d203945e8fc6761fbd6e32ed549eec99c162d1f57cd4194d1

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
longwheelbase2018@yandex.com
Password:
success

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1960-67-0x0000000000480000-0x0000000000510000-memory.dmp	MailPassView
behavioral1/memory/1908-75-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1908-76-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1908-79-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1908-80-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1908-81-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1960-67-0x0000000000480000-0x0000000000510000-memory.dmp	WebBrowserPassView
behavioral1/memory/676-83-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/676-82-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/676-86-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/676-87-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/676-89-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1960-67-0x0000000000480000-0x0000000000510000-memory.dmp	Nirsoft
behavioral1/memory/1908-75-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1908-76-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1908-79-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1908-80-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1908-81-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/676-83-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/676-82-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/676-86-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/676-87-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/676-89-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

description	pid	process	target process
PID 1588 set thread context of 1960	1588	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
PID 1960 set thread context of 1908	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 set thread context of 676	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0400000001000000100000002c8f9f661d1890b147269d8e86828ca90300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180400000001000000100000002c8f9f661d1890b147269d8e86828ca92000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

pid process

1960 3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

description pid process

Token: SeDebugPrivilege 1960 3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

pid	process
1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

description	pid	process
Token: SeDebugPrivilege	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

pid	process
1588	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

pid process

1960 3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

pid	process
1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe

description	pid	process	target process
PID 1588 wrote to memory of 1960	1588	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
PID 1588 wrote to memory of 1960	1588	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
PID 1588 wrote to memory of 1960	1588	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
PID 1588 wrote to memory of 1960	1588	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
PID 1960 wrote to memory of 1908	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 1908	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 1908	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 1908	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 1908	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 1908	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 1908	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 1908	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 1908	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 1908	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 676	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 676	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 676	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 676	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 676	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 676	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 676	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 676	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 676	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe
PID 1960 wrote to memory of 676	1960	3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
"C:\Users\Admin\AppData\Local\Temp\3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe
C:\Users\Admin\AppData\Local\Temp\3097002f3918903a6b3542660d8a8521e498f1638b0ec236969ba6ccf3718cb0.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:1908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/676-83-0x0000000000442628-mapping.dmp

Download
memory/676-89-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/676-87-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/676-86-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/676-82-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1588-59-0x0000000077240000-0x00000000773C0000-memory.dmp

Filesize
1.5MB

Download
memory/1588-57-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1588-56-0x00000000002C0000-0x00000000002C7000-memory.dmp

Filesize
28KB

Download
memory/1908-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1908-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1908-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1908-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1908-76-0x0000000000411654-mapping.dmp

Download
memory/1960-67-0x0000000000480000-0x0000000000510000-memory.dmp

Filesize
576KB

Download
memory/1960-74-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/1960-73-0x0000000077240000-0x00000000773C0000-memory.dmp

Filesize
1.5MB

Download
memory/1960-72-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/1960-71-0x0000000077240000-0x00000000773C0000-memory.dmp

Filesize
1.5MB

Download
memory/1960-70-0x0000000077240000-0x00000000773C0000-memory.dmp

Filesize
1.5MB

Download
memory/1960-69-0x0000000008C70000-0x0000000008DF8000-memory.dmp

Filesize
1.5MB

Download
memory/1960-63-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1960-58-0x000000000049A910-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads