Overview

overview

10

Static

static

358a233c1c...53.exe

windows7_x64

9

358a233c1c...53.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    163s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    26-06-2022 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    358a233c1c093764cd0430f809b957e85b7b168c1b1a651ad542e5ae274bf153.exe

  • Size

    680KB

  • MD5

    1313e10274a1ac0bd8535ac0f203107c

  • SHA1

    0bb5259476cf3cd5ffd55e8f88b9bf56c8bda332

  • SHA256

    358a233c1c093764cd0430f809b957e85b7b168c1b1a651ad542e5ae274bf153

  • SHA512

    8d926bf24c858667fafe394d6a5128f10b869196fc212a88e7b9e500ff7ec3b753913feb605c3c9d50a5abd1727e880760a8d8f2d2e0dfc17134701c67c9579f

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 7 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 8 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 12 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\358a233c1c093764cd0430f809b957e85b7b168c1b1a651ad542e5ae274bf153.exe
    "C:\Users\Admin\AppData\Local\Temp\358a233c1c093764cd0430f809b957e85b7b168c1b1a651ad542e5ae274bf153.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\horn" /XML "C:\Users\Admin\AppData\Local\Temp\z159"
      2⤵
      • Creates scheduled task(s)
      PID:260
    • C:\Users\Admin\AppData\Local\Temp\358a233c1c093764cd0430f809b957e85b7b168c1b1a651ad542e5ae274bf153.exe
      "C:\Users\Admin\AppData\Local\Temp\358a233c1c093764cd0430f809b957e85b7b168c1b1a651ad542e5ae274bf153.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Update\bear" /XML "C:\Users\Admin\AppData\Local\Temp\z236"
        3⤵
        • Creates scheduled task(s)
        PID:2060
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:4844
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\358a233c1c093764cd0430f809b957e85b7b168c1b1a651ad542e5ae274bf153.exe.log
    Filesize

    319B

    MD5

    da4fafeffe21b7cb3a8c170ca7911976

    SHA1

    50ef77e2451ab60f93f4db88325b897d215be5ad

    SHA256

    7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

    SHA512

    0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\z159
    Filesize

    1KB

    MD5

    9b612885e96edec846b8850b19858a38

    SHA1

    ba9a8583327144d31c7d3fbe3ecfaeb9ddef2eea

    SHA256

    e806daa4d8444c7bbd9449dcf4853b183be06087cbaec71b93e89e62b150ffef

    SHA512

    283210e4da4bc33d0f9c50341c7d2c7f897f2cc3cd27779afe5d68685dab88d254938c62ffee953aa411caab790ab06055726926c06d39a0ed07c24feee50546

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\z236
    Filesize

    1KB

    MD5

    77ce94f61d2be89aa383fb8d07180e6d

    SHA1

    93c34a2f346d4491bbeebd024de2beec59a25bde

    SHA256

    bb04f7d549e61fe277105de53e8dca39f1dd9cdf3b167a2a32269d7da3483111

    SHA512

    d44728dff2a98645445bc86d9b266cbdab06dd9a85b98c808e3ad271d31d770245b177e648fae8d24c594da5f7d7171b4c091f35ac4325e7eab962e06de1cc7b

    Download Submit
  • memory/260-132-0x0000000000000000-mapping.dmp
    Download
  • memory/1076-146-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize

    544KB

    Download
  • memory/1076-145-0x0000000000000000-mapping.dmp
    Download
  • memory/1076-152-0x0000000075560000-0x0000000075B11000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1076-151-0x0000000075560000-0x0000000075B11000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1076-148-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize

    544KB

    Download
  • memory/1076-147-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize

    544KB

    Download
  • memory/2060-143-0x0000000000000000-mapping.dmp
    Download
  • memory/2528-158-0x0000000000000000-mapping.dmp
    Download
  • memory/2528-159-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/2528-164-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/2528-162-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/2528-161-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/3320-150-0x0000000075570000-0x0000000075B21000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3320-140-0x0000000075570000-0x0000000075B21000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3320-135-0x0000000000600000-0x000000000069C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3320-137-0x0000000000600000-0x000000000069C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3320-134-0x0000000000000000-mapping.dmp
    Download
  • memory/3320-142-0x0000000075570000-0x0000000075B21000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3996-141-0x0000000075570000-0x0000000075B21000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3996-131-0x0000000075570000-0x0000000075B21000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3996-130-0x0000000075570000-0x0000000075B21000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4844-153-0x0000000000000000-mapping.dmp
    Download
  • memory/4844-154-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4844-156-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4844-157-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download