Analysis Overview
SHA256
a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae
Threat Level: Known bad
The file a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae was found to be: Known bad.
Malicious Activity Summary
HawkEye Reborn
Nirsoft
NirSoft MailPassView
NirSoft WebBrowserPassView
Uses the VBS compiler for execution
Checks computer location settings
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-25 02:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-25 02:43
Reported
2022-06-25 02:55
Platform
win7-20220414-en
Max time kernel
153s
Max time network
46s
Command Line
Signatures
HawkEye Reborn
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1876 set thread context of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe | C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe |
| PID 1380 set thread context of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe
"C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JzUsdBx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp61A1.tmp"
C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe
"C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp89CA.tmp"
Network
Files
memory/1876-54-0x0000000075371000-0x0000000075373000-memory.dmp
memory/1876-55-0x0000000073E60000-0x000000007440B000-memory.dmp
memory/1876-56-0x0000000073E60000-0x000000007440B000-memory.dmp
memory/1084-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp61A1.tmp
| MD5 | fa368e2205a79e80d2955206bc16778a |
| SHA1 | a6ddb712e8f7f466dc05f6e15c395aeacfc27eb0 |
| SHA256 | 155d24f469d5f86a87438d3221467c5767ab493d0bc1ac5a16fb19d1fa3da5cf |
| SHA512 | ecd8bd61b7da7ce8eaa85a10f0234bebd2ec9bb70374978a3b9c74f98e0db13fee9faeffc5c2412629d32002edd3c6f96c431c14bf78e7ce6db5cae9d7fff4af |
memory/1380-59-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1380-60-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1380-62-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1380-63-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1380-64-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1380-65-0x000000000048B2BE-mapping.dmp
memory/1876-67-0x0000000073E60000-0x000000007440B000-memory.dmp
memory/1380-68-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1380-70-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1380-72-0x00000000738B0000-0x0000000073E5B000-memory.dmp
memory/1380-73-0x00000000738B0000-0x0000000073E5B000-memory.dmp
memory/672-74-0x0000000000400000-0x000000000045C000-memory.dmp
memory/672-75-0x0000000000400000-0x000000000045C000-memory.dmp
memory/672-77-0x0000000000400000-0x000000000045C000-memory.dmp
memory/672-79-0x0000000000400000-0x000000000045C000-memory.dmp
memory/672-81-0x0000000000400000-0x000000000045C000-memory.dmp
memory/672-83-0x0000000000400000-0x000000000045C000-memory.dmp
memory/672-84-0x0000000000444D30-mapping.dmp
memory/672-87-0x0000000000400000-0x000000000045C000-memory.dmp
memory/672-88-0x0000000000400000-0x000000000045C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-25 02:43
Reported
2022-06-25 02:55
Platform
win10v2004-20220414-en
Max time kernel
170s
Max time network
180s
Command Line
Signatures
HawkEye Reborn
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3512 set thread context of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe | C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe |
| PID 5020 set thread context of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 5020 set thread context of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe
"C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JzUsdBx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5AAE.tmp"
C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe
"C:\Users\Admin\AppData\Local\Temp\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCA02.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF9BE.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.4:443 | tcp | |
| IE | 20.54.89.106:443 | tcp | |
| IE | 20.54.89.106:443 | tcp | |
| NL | 104.123.41.162:80 | tcp | |
| IE | 20.54.89.106:443 | tcp |
Files
memory/3512-130-0x00000000752A0000-0x0000000075851000-memory.dmp
memory/3512-131-0x00000000752A0000-0x0000000075851000-memory.dmp
memory/2200-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5AAE.tmp
| MD5 | 89e1b93876afb8d6c6fb65ad501996ce |
| SHA1 | 4af031f0393ce14d4a85f39c2af26482bf18b34d |
| SHA256 | 095f724b2c039d55a74acd19ce63430483dda048042de2694c5043e393ccd4d7 |
| SHA512 | 76f93f134542e7928fec923e0398517a84a9e96b2394d7e4f13464256daaf9aadb17b4ac82d21277cdde501a791e2a6bcefdff905d157e0c49c1d37d64089078 |
memory/5020-134-0x0000000000000000-mapping.dmp
memory/5020-135-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a21e896e82b83828c294fbf8fdc1258a375fd935a50ab9c204c12c7f81f2feae.exe.log
| MD5 | bb02d2315b8c3d46390cc8852c350909 |
| SHA1 | c7eb57165fb7be0cec9a282a56449d35a3e39a53 |
| SHA256 | 6b04fbf03b5064dc32c8cbc7e5f125339ca297622487ed4269da381fa50b7290 |
| SHA512 | e395ec8866c9ba864bd59bfb84a88538a053740d66e2fa83926597b2e4b357a55f794c5b39c5ae43353f4debc865ec6b4c60494da32a10e643582b6ae130d080 |
memory/3512-137-0x00000000752A0000-0x0000000075851000-memory.dmp
memory/5020-138-0x00000000752A0000-0x0000000075851000-memory.dmp
memory/5020-139-0x00000000752A0000-0x0000000075851000-memory.dmp
memory/2212-140-0x0000000000000000-mapping.dmp
memory/2212-141-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2212-143-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2212-144-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2212-145-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCA02.tmp
| MD5 | 92b3d04dbcf7aa8eabb0096c55624068 |
| SHA1 | 04a3b14a8f16bdd8a67f1b5d6be8c3db79c766c7 |
| SHA256 | 84e388e2bbff6a229d99df8d7e0558e46e793106c2f3bb290c6acc06fe31fe9c |
| SHA512 | fbd6a298b66e2117f68028cdf9fa1b3e441f87fa8a052ce1be628ae65116d5b2953cdc8117dce57e86475a75412b1a85f431eb0da6dd788ec5312d34ff71f9d1 |
memory/1688-147-0x0000000000000000-mapping.dmp
memory/1688-148-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1688-150-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1688-151-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1688-152-0x0000000000400000-0x000000000041C000-memory.dmp