Analysis
-
max time kernel
153s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
22-06-2022 13:51
General
-
Target
2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
-
Size
502KB
-
MD5
3d04655fff9858e8791c55ae2044a960
-
SHA1
fe8126d174403cb0ee84487497f4bc4bfeb3897c
-
SHA256
2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3
-
SHA512
faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4
Malware Config
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 7 IoCs
Password recovery tool for various web browsers
-
Nirsoft 11 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe"C:\Users\Admin\AppData\Local\Temp\2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
102B
MD5bba5457bf72a9f14ca56634a6511ddcf
SHA1930142b04d92f0f3db50b109f02c77e614462fab
SHA25679507aafe39ec8c4b95d8023c542c3e22ad7d349c026cdf47620e5b4c80eb1eb
SHA512b1889ac5ce52095e9427d5d409c88e2e14edbed1ae2e5bc4edc54b4e3fe60d0f7b54a88abc447ad09158560dafc57b7fa61221492b5b462132a3f05074e2c656
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
502KB
MD53d04655fff9858e8791c55ae2044a960
SHA1fe8126d174403cb0ee84487497f4bc4bfeb3897c
SHA2562dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3
SHA512faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
502KB
MD53d04655fff9858e8791c55ae2044a960
SHA1fe8126d174403cb0ee84487497f4bc4bfeb3897c
SHA2562dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3
SHA512faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4
-
memory/1836-144-0x0000000000000000-mapping.dmp
-
memory/1836-150-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1836-148-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1836-147-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1836-145-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1916-140-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1916-142-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1916-143-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1916-139-0x0000000000000000-mapping.dmp
-
memory/2128-132-0x0000000000000000-mapping.dmp
-
memory/2128-137-0x00000000746F0000-0x0000000074CA1000-memory.dmpFilesize
5.7MB
-
memory/2128-136-0x00000000746F0000-0x0000000074CA1000-memory.dmpFilesize
5.7MB
-
memory/3100-130-0x00000000746F0000-0x0000000074CA1000-memory.dmpFilesize
5.7MB
-
memory/3100-131-0x00000000746F0000-0x0000000074CA1000-memory.dmpFilesize
5.7MB
-
memory/3100-135-0x00000000746F0000-0x0000000074CA1000-memory.dmpFilesize
5.7MB