hawkeye | 2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578

General

Target

2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
Size

1.0MB
MD5

19e9776e8c45eab003baa27408b46c0c
SHA1

1b785eb0188d4be4ad90d9ddcd7fc309f9d841da
SHA256

2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578
SHA512

b9c002b77d3e9d8d1cef4efb69d3594bf8089a315602a626f482aa7512ffbb35301004e43d2777fc6b631c53158fc4fa9c17126e5300a17c64a8845f70b96667

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2504-144-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/2504-146-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/2504-147-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3456-167-0x0000000000400000-0x000000000045A000-memory.dmp	WebBrowserPassView
behavioral2/memory/3456-169-0x0000000000400000-0x000000000045A000-memory.dmp	WebBrowserPassView
behavioral2/memory/3456-171-0x0000000000400000-0x000000000045A000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2504-144-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2504-146-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2504-147-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3456-167-0x0000000000400000-0x000000000045A000-memory.dmp	Nirsoft
behavioral2/memory/3456-169-0x0000000000400000-0x000000000045A000-memory.dmp	Nirsoft
behavioral2/memory/3456-171-0x0000000000400000-0x000000000045A000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 checkip.dyndns.org

flow	ioc
31	checkip.dyndns.org

Suspicious use of SetThreadContext 3 IoCs

Processes:

2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe

description	pid	process	target process
PID 1628 set thread context of 5024	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
PID 5024 set thread context of 2504	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	vbc.exe
PID 5024 set thread context of 3456	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1908 timeout.exe

pid	process
1908	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exevbc.exeAcroRd32.exeAdobeARM.exe

pid	process
1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
3456	vbc.exe
3456	vbc.exe
3456	vbc.exe
3456	vbc.exe
3456	vbc.exe
3456	vbc.exe
3456	vbc.exe
3456	vbc.exe
3456	vbc.exe
3456	vbc.exe
3456	vbc.exe
3456	vbc.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
3912	AdobeARM.exe
3912	AdobeARM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe

description	pid	process
Token: SeDebugPrivilege	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
Token: 33	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
Token: SeIncBasePriorityPrivilege	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
Token: SeDebugPrivilege	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exeAcroRd32.exeAdobeARM.exe

pid	process
5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
1836	AcroRd32.exe
3912	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.execmd.execmd.exe2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1628 wrote to memory of 4376	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	cmd.exe
PID 1628 wrote to memory of 4376	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	cmd.exe
PID 1628 wrote to memory of 4376	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	cmd.exe
PID 4376 wrote to memory of 2828	4376	cmd.exe	reg.exe
PID 4376 wrote to memory of 2828	4376	cmd.exe	reg.exe
PID 4376 wrote to memory of 2828	4376	cmd.exe	reg.exe
PID 1628 wrote to memory of 5024	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
PID 1628 wrote to memory of 5024	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
PID 1628 wrote to memory of 5024	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
PID 1628 wrote to memory of 5024	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
PID 1628 wrote to memory of 5024	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
PID 1628 wrote to memory of 5024	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
PID 1628 wrote to memory of 5024	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
PID 1628 wrote to memory of 5024	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
PID 1628 wrote to memory of 5080	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	cmd.exe
PID 1628 wrote to memory of 5080	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	cmd.exe
PID 1628 wrote to memory of 5080	1628	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	cmd.exe
PID 5080 wrote to memory of 1908	5080	cmd.exe	timeout.exe
PID 5080 wrote to memory of 1908	5080	cmd.exe	timeout.exe
PID 5080 wrote to memory of 1908	5080	cmd.exe	timeout.exe
PID 5024 wrote to memory of 1836	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	AcroRd32.exe
PID 5024 wrote to memory of 1836	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	AcroRd32.exe
PID 5024 wrote to memory of 1836	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	AcroRd32.exe
PID 5024 wrote to memory of 2504	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	vbc.exe
PID 5024 wrote to memory of 2504	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	vbc.exe
PID 5024 wrote to memory of 2504	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	vbc.exe
PID 5024 wrote to memory of 2504	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	vbc.exe
PID 5024 wrote to memory of 2504	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	vbc.exe
PID 5024 wrote to memory of 2504	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	vbc.exe
PID 5024 wrote to memory of 2504	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	vbc.exe
PID 5024 wrote to memory of 2504	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	vbc.exe
PID 5024 wrote to memory of 2504	5024	2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe	vbc.exe
PID 1836 wrote to memory of 2552	1836	AcroRd32.exe	RdrCEF.exe
PID 1836 wrote to memory of 2552	1836	AcroRd32.exe	RdrCEF.exe
PID 1836 wrote to memory of 2552	1836	AcroRd32.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe
PID 2552 wrote to memory of 5088	2552	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
"C:\Users\Admin\AppData\Local\Temp\2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe" /f
3⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe
"C:\Users\Admin\AppData\Local\Temp\2e6b3018540b49803e4620aad0605775a5ffc765829418a12c6ffa7214d9d578.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BFile_1.pdf"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A14FFE76EA49E5289EF03D141C74FAA4 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:5088

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=61309817D46E80F6B7F8B8363AF7C74E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=61309817D46E80F6B7F8B8363AF7C74E --renderer-client-id=2 --mojo-platform-channel-handle=1692 --allow-no-sandbox-job /prefetch:1
5⤵
PID:3396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A79FB215D611CC8A128D39A24A7C0D21 --mojo-platform-channel-handle=2276 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4624

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7B60E481C960047AFCD9098091C501A0 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:3856

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C9851A2CEE96C360B72C538EECC6C11A --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:2136

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
5⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:2504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:1908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
Filesize
204B

MD5
bfcbf382f036462e63f307ca4ae280c7

SHA1
ffe98d15fa5ea205220d6bc105e317253a6ea003

SHA256
2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727

SHA512
1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.txt
Filesize
3KB

MD5
b9daf88205e7429feaceda806bd561d2

SHA1
1893c80e74cfea9914343c6e4213393804a92dd1

SHA256
efa03262d4c3f5a46ab526946b8c7450d37eff4b5f8d53b43468655eea8cc027

SHA512
649ba70698611bd66aa91e40aaa81327a60efc098c1705729f9eb316c18e9bcca6af2363b24f8ac4aea5d25f12303833aedaada6fd26f1eebb86711a4e9baaf1

Download Submit
memory/1408-173-0x0000000000000000-mapping.dmp

Download
memory/1628-139-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1628-130-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1628-140-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1836-142-0x0000000000000000-mapping.dmp

Download
memory/1908-137-0x0000000000000000-mapping.dmp

Download
memory/2136-164-0x0000000000000000-mapping.dmp

Download
memory/2504-144-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2504-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2504-143-0x0000000000000000-mapping.dmp

Download
memory/2504-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2552-148-0x0000000000000000-mapping.dmp

Download
memory/2828-132-0x0000000000000000-mapping.dmp

Download
memory/3396-153-0x0000000000000000-mapping.dmp

Download
memory/3456-169-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3456-166-0x0000000000000000-mapping.dmp

Download
memory/3456-171-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3456-167-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3856-161-0x0000000000000000-mapping.dmp

Download
memory/3912-172-0x0000000000000000-mapping.dmp

Download
memory/4376-131-0x0000000000000000-mapping.dmp

Download
memory/4624-158-0x0000000000000000-mapping.dmp

Download
memory/5024-133-0x0000000000000000-mapping.dmp

Download
memory/5024-138-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/5024-141-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/5024-134-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5080-135-0x0000000000000000-mapping.dmp

Download
memory/5088-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads