Overview

overview

10

Static

static

f9101503ea...f1.exe

windows7_x64

10

f9101503ea...f1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    191s
  • max time network
    222s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 03:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9101503ea60a51ed3b8a8ac0281a28dda3aa268ed2ce37621492c1cd98144f1.exe

  • Size

    1.6MB

  • MD5

    c0667a36058e6659ea95f3f6250d8888

  • SHA1

    39c3f6d43bd64566e06c9c2f35dbc9ccbb4a33db

  • SHA256

    f9101503ea60a51ed3b8a8ac0281a28dda3aa268ed2ce37621492c1cd98144f1

  • SHA512

    a9a59e1487b8958d582f7c7e049ad7874329d2a9844797487f44f128a2247a67df1e86d5d1b7feadfe3af2df3a00927d0607126f378481eccb57f01509112062

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 7 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 7 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 11 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9101503ea60a51ed3b8a8ac0281a28dda3aa268ed2ce37621492c1cd98144f1.exe
    "C:\Users\Admin\AppData\Local\Temp\f9101503ea60a51ed3b8a8ac0281a28dda3aa268ed2ce37621492c1cd98144f1.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92945650\wukuih.vbe"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4652
      • C:\Users\Admin\AppData\Local\Temp\92945650\xndcummebt.exe
        "C:\Users\Admin\AppData\Local\Temp\92945650\xndcummebt.exe" cung.ktl
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4236
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1552
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            5⤵
            • Accesses Microsoft Outlook accounts
            PID:2900
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            5⤵
              PID:1952

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\92945650\cung.ktl
      Filesize

      251.6MB

      MD5

      1dd75cb84874aa24d5c03258080c6c57

      SHA1

      d951970a3f18ac58474cfdf95991acf686bb5221

      SHA256

      a9845d6ecb9eb504bf95c541933626834845153ca1cd1e9e77bd6122dfa419ec

      SHA512

      ce0693535e4f8006934b77f22966e14d16224f06d787403c1ee3c7dabfebae9d28c32cab78cdfa4238df57b41c8724ac758b902707960613056e04b12b37793c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\92945650\nuqmfae.mp3
      Filesize

      1.1MB

      MD5

      00a729b8b6773ffcd4b82336e60fa739

      SHA1

      f6c3229e8cea70cb14e3223b5af83ff75e480bfb

      SHA256

      ac0c0b2cf2afbd1fe759630a20945fe0bc1acd4841b759972c55a0e39a8b92d1

      SHA512

      1a0ec08c4f5a2c888a9e87e32d31bec235b6f38dc4f06e59b7125b9e8dca4f3495343fed71ff7de8d89714cef2514b4f20845c232ad12f952eb399ba2fd62af6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\92945650\wukuih.vbe
      Filesize

      28KB

      MD5

      0ce06d3c0ee00a09d05b5675ad1a27c2

      SHA1

      55d3281fd8ca4f49c688715342006d4818614e04

      SHA256

      5e4fe7361ca5cebcfb4a5c9ac985b3d3a92ce2f032011b5b1ca7214570a6c20e

      SHA512

      90b227af9bab2e1f19f3b76b76111d2ebcd7fdcbcd06c069e04fa7508ad57ee1787167b5c33dc5bb42f43cb8e522f618ba84ff2978c0d13bb15aa8a6142db111

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\92945650\xndcummebt.exe
      Filesize

      732KB

      MD5

      71d8f6d5dc35517275bc38ebcc815f9f

      SHA1

      cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

      SHA256

      fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

      SHA512

      4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\92945650\xndcummebt.exe
      Filesize

      732KB

      MD5

      71d8f6d5dc35517275bc38ebcc815f9f

      SHA1

      cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

      SHA256

      fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

      SHA512

      4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      3KB

      MD5

      f94dc819ca773f1e3cb27abbc9e7fa27

      SHA1

      9a7700efadc5ea09ab288544ef1e3cd876255086

      SHA256

      a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

      SHA512

      72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

      Download Submit
    • memory/1552-142-0x000000000BB60000-0x000000000BBF2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1552-145-0x000000000EE80000-0x000000000EEE6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1552-138-0x0000000000782F9E-mapping.dmp
      Download
    • memory/1552-139-0x0000000000700000-0x0000000000788000-memory.dmp
      Filesize

      544KB

      Download
    • memory/1552-140-0x000000000B990000-0x000000000BA2C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1552-141-0x000000000C070000-0x000000000C614000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1552-137-0x0000000000700000-0x0000000001700000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/1552-143-0x000000000BA40000-0x000000000BA4A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1552-144-0x000000000BAC0000-0x000000000BB16000-memory.dmp
      Filesize

      344KB

      Download
    • memory/1952-151-0x0000000000000000-mapping.dmp
      Download
    • memory/1952-152-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/1952-154-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/1952-155-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/2900-147-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/2900-146-0x0000000000000000-mapping.dmp
      Download
    • memory/2900-149-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/2900-150-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/4236-133-0x0000000000000000-mapping.dmp
      Download
    • memory/4652-130-0x0000000000000000-mapping.dmp
      Download