Analysis Overview
SHA256
facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e
Threat Level: Known bad
The file facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e was found to be: Known bad.
Malicious Activity Summary
HawkEye Reborn
NirSoft WebBrowserPassView
Nirsoft
NirSoft MailPassView
Checks computer location settings
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-25 02:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-25 02:42
Reported
2022-06-25 02:52
Platform
win7-20220414-en
Max time kernel
188s
Max time network
47s
Command Line
Signatures
HawkEye Reborn
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1928 set thread context of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe | C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe |
| PID 1396 set thread context of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe
"C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LfbKzuBPos" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE5CE.tmp"
C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe
"C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBFA8.tmp"
Network
Files
memory/1928-54-0x0000000075361000-0x0000000075363000-memory.dmp
memory/1928-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/1928-56-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/952-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE5CE.tmp
| MD5 | dcc760d3f067584c13654a29fb94de7f |
| SHA1 | bf1b040997097d7ed04d5fa755da9c7e1fc963ff |
| SHA256 | b75318381ff7a0662cf3c52be7d57bd6efd75de6e3347519fb26d685074a47da |
| SHA512 | d281e14f4c697069d26363e93b7c49675b8d8e8292975033622b3a32deb5df541b06a38e1b35b496b7c38fe154d039038096c92beda56d3b41e4020393e105d4 |
memory/1396-63-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1396-69-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1396-67-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1396-65-0x000000000048B2BE-mapping.dmp
memory/1396-64-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1396-62-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1396-60-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1396-59-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1928-71-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/1396-72-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/1396-73-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/956-74-0x0000000000400000-0x000000000045C000-memory.dmp
memory/956-81-0x0000000000400000-0x000000000045C000-memory.dmp
memory/956-87-0x0000000000400000-0x000000000045C000-memory.dmp
memory/956-84-0x0000000000444D30-mapping.dmp
memory/956-88-0x0000000000400000-0x000000000045C000-memory.dmp
memory/956-83-0x0000000000400000-0x000000000045C000-memory.dmp
memory/956-79-0x0000000000400000-0x000000000045C000-memory.dmp
memory/956-77-0x0000000000400000-0x000000000045C000-memory.dmp
memory/956-75-0x0000000000400000-0x000000000045C000-memory.dmp
memory/956-89-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpBFA8.tmp
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-25 02:42
Reported
2022-06-25 02:52
Platform
win10v2004-20220414-en
Max time kernel
190s
Max time network
199s
Command Line
Signatures
HawkEye Reborn
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2776 set thread context of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe | C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe |
| PID 4252 set thread context of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 4252 set thread context of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe
"C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LfbKzuBPos" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp"
C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe
"C:\Users\Admin\AppData\Local\Temp\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8018.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA2C4.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 8.238.111.254:80 | tcp | |
| GB | 51.105.71.136:443 | tcp | |
| US | 8.238.111.254:80 | tcp | |
| US | 8.238.111.254:80 | tcp | |
| US | 8.238.111.254:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 93.184.220.29:80 | tcp |
Files
memory/2776-130-0x00000000748F0000-0x0000000074EA1000-memory.dmp
memory/2776-131-0x00000000748F0000-0x0000000074EA1000-memory.dmp
memory/1172-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp
| MD5 | a7cea3c48c4b6165f7ccdaaf6c711359 |
| SHA1 | 41ebdafa7e726e55c2c9486ec8cb10222c00aca8 |
| SHA256 | 6ea2f11ded53948f070b11679a1f720330c724caaa930745b028c51e170f934b |
| SHA512 | b2e4f1104c712e30669bea0332fb2583c0217fb66f4653f99aab0df6d76c3588051ef94cf254de4342ec6f4f52dd5239f76c186c68cc18431403bef32b00753a |
memory/4252-134-0x0000000000000000-mapping.dmp
memory/4252-135-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\facf1d25162e381b5a0520ac954c19fa5cdf3f557e29eacb044dcb88a3d9f84e.exe.log
| MD5 | 2da5d49e592515901f6adb84aa66860d |
| SHA1 | 37017ffa66b85c8e1d00fa426733caad0887cf61 |
| SHA256 | b147333035afc91552bb35c2c97a15496204b134877672a18cb1987d2d8d762d |
| SHA512 | 6151e54e7efcb14d4b7842b9860438e1cd77036b2e61a72025ff204d35e1181130a0d9522f2ff92f3e960d55e6dda95bbadff0aa5e0799bb51c11316e89c9dca |
memory/2776-137-0x00000000748F0000-0x0000000074EA1000-memory.dmp
memory/4252-138-0x00000000748F0000-0x0000000074EA1000-memory.dmp
memory/4252-139-0x00000000748F0000-0x0000000074EA1000-memory.dmp
memory/1828-140-0x0000000000000000-mapping.dmp
memory/1828-141-0x0000000000400000-0x000000000045C000-memory.dmp
memory/1828-143-0x0000000000400000-0x000000000045C000-memory.dmp
memory/1828-144-0x0000000000400000-0x000000000045C000-memory.dmp
memory/1828-145-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2672-148-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2672-147-0x0000000000000000-mapping.dmp
memory/2672-150-0x0000000000400000-0x000000000041C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8018.tmp
| MD5 | 92b3d04dbcf7aa8eabb0096c55624068 |
| SHA1 | 04a3b14a8f16bdd8a67f1b5d6be8c3db79c766c7 |
| SHA256 | 84e388e2bbff6a229d99df8d7e0558e46e793106c2f3bb290c6acc06fe31fe9c |
| SHA512 | fbd6a298b66e2117f68028cdf9fa1b3e441f87fa8a052ce1be628ae65116d5b2953cdc8117dce57e86475a75412b1a85f431eb0da6dd788ec5312d34ff71f9d1 |
memory/2672-151-0x0000000000400000-0x000000000041C000-memory.dmp