Analysis Overview
SHA256
770fd00625874488e0289b1e8eaa76c99cc2146ebd71d26cb9c5de3e03b94f57
Threat Level: Known bad
The file 770fd00625874488e0289b1e8eaa76c99cc2146ebd71d26cb9c5de3e03b94f57 was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
HawkEye Reborn
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Checks computer location settings
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-30 23:56
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-30 23:56
Reported
2022-07-01 00:04
Platform
win10v2004-20220414-en
Max time kernel
130s
Max time network
162s
Command Line
Signatures
HawkEye Reborn
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\770fd00625874488e0289b1e8eaa76c99cc2146ebd71d26cb9c5de3e03b94f57.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3588 set thread context of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\770fd00625874488e0289b1e8eaa76c99cc2146ebd71d26cb9c5de3e03b94f57.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\770fd00625874488e0289b1e8eaa76c99cc2146ebd71d26cb9c5de3e03b94f57.exe
"C:\Users\Admin\AppData\Local\Temp\770fd00625874488e0289b1e8eaa76c99cc2146ebd71d26cb9c5de3e03b94f57.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pjqrYpJgQLXgXQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD9F5.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 40.125.122.151:443 | tcp | |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| GB | 173.222.211.107:80 | tcp | |
| GB | 173.222.211.107:80 | tcp | |
| IE | 13.69.239.72:443 | tcp | |
| US | 8.8.8.8:53 | d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| BE | 8.238.110.126:80 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| NL | 104.123.41.162:80 | tcp | |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/3588-130-0x0000000000840000-0x00000000008F6000-memory.dmp
memory/3588-131-0x0000000005810000-0x0000000005DB4000-memory.dmp
memory/3588-132-0x0000000005300000-0x0000000005392000-memory.dmp
memory/3588-133-0x00000000052B0000-0x00000000052BA000-memory.dmp
memory/3588-134-0x00000000055E0000-0x000000000567C000-memory.dmp
memory/3588-135-0x0000000007E70000-0x0000000007ED6000-memory.dmp
memory/3144-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD9F5.tmp
| MD5 | 4c6f59837ec458bad2c69ea7627b8859 |
| SHA1 | a631f41b159901dffeedac7207ab8d92964ca069 |
| SHA256 | 9da58f451811f374783780dfd7ea3d58db7afd9afef9ed99101c7a0c6020aa92 |
| SHA512 | 7180702fdf2a33075270a5687c4c12c74bc5aed3c89e9e6951b20813d76babd30764ef2608f92d90aebb216542d047b7f76d355a7cfd28de06d8785115760c72 |
memory/896-138-0x0000000000000000-mapping.dmp
memory/896-140-0x0000000000700000-0x0000000000790000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-30 23:56
Reported
2022-07-01 00:04
Platform
win7-20220414-en
Max time kernel
80s
Max time network
85s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
HawkEye Reborn
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1948 set thread context of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\770fd00625874488e0289b1e8eaa76c99cc2146ebd71d26cb9c5de3e03b94f57.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\770fd00625874488e0289b1e8eaa76c99cc2146ebd71d26cb9c5de3e03b94f57.exe
"C:\Users\Admin\AppData\Local\Temp\770fd00625874488e0289b1e8eaa76c99cc2146ebd71d26cb9c5de3e03b94f57.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pjqrYpJgQLXgXQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/1948-54-0x0000000001180000-0x0000000001236000-memory.dmp
memory/1948-55-0x0000000076571000-0x0000000076573000-memory.dmp
memory/1948-56-0x00000000004D0000-0x00000000004D8000-memory.dmp
memory/1948-57-0x0000000005270000-0x000000000530A000-memory.dmp
memory/1160-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp
| MD5 | 936897d694b86b5eee190bca0c6f8dd1 |
| SHA1 | 340a733687bc52f64161d98a6c35da65bd3a3412 |
| SHA256 | b318aab0558e2d7879109c5d68495b7c91977c25b9af086f449360436e558d69 |
| SHA512 | 7589014931a795360a4b341db9a012d0413732a524b94643e0dc3a5c61b4cae7fdd0dfc7ff73536ea23bb171503f6b2309997244c9523b3c8741cfca821febe0 |
memory/1948-60-0x0000000000DA0000-0x0000000000DAA000-memory.dmp
memory/1764-61-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1764-62-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1764-64-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1764-65-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1764-66-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1764-67-0x000000000048B2BE-mapping.dmp
memory/1764-69-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1764-71-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1764-72-0x0000000004180000-0x00000000041F6000-memory.dmp