Overview

overview

10

Static

static

3d33eeeee5...46.exe

windows7_x64

10

3d33eeeee5...46.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    183s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    03-07-2022 03:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d33eeeee5c2c440509fe4d19b9a59c2e4a718339c500283a78f62b777a45746.exe

  • Size

    1.0MB

  • MD5

    0430cba35d87de27d643d6e7583b1f8a

  • SHA1

    dd860a2adcdd147d85d395ae0df32213118a40ea

  • SHA256

    3d33eeeee5c2c440509fe4d19b9a59c2e4a718339c500283a78f62b777a45746

  • SHA512

    6d512b25b91a6a24d0eb6e16ca5a51a06181c77ea23f90870b26bce4f59166f0ccb933969806ba6eed9ecb365310776f60326a13a1e6cee4f8b74b9ab9824fe8

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 11 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 10 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 15 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d33eeeee5c2c440509fe4d19b9a59c2e4a718339c500283a78f62b777a45746.exe
    "C:\Users\Admin\AppData\Local\Temp\3d33eeeee5c2c440509fe4d19b9a59c2e4a718339c500283a78f62b777a45746.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\mLy62Uv\tmjBp.exe
      "C:\Users\Admin\mLy62Uv\tmjBp.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:1748
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
            PID:2044

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit
    • C:\Users\Admin\mLy62Uv\tmjBp.exe
      Filesize

      1.3MB

      MD5

      23cfc4dd51a10cfc19c3e26d135e5f3f

      SHA1

      c64c03fb635c7d243d4c4ad2d1dbf23f5871b037

      SHA256

      a2a378c8984d2a3527c0622aad17e98b26154c8b07f146069b9137286cc1d206

      SHA512

      0841ef1ed71bef927cbd5e1fa035c444ecb1ebc76009e6d51b506aeb1655e1e4744767afeafc44a210ca1b8f3a3ad82b63e386d72fd603773ca95a66856b392d

      Download Submit
    • C:\Users\Admin\mLy62Uv\tmjBp.exe
      Filesize

      1.3MB

      MD5

      23cfc4dd51a10cfc19c3e26d135e5f3f

      SHA1

      c64c03fb635c7d243d4c4ad2d1dbf23f5871b037

      SHA256

      a2a378c8984d2a3527c0622aad17e98b26154c8b07f146069b9137286cc1d206

      SHA512

      0841ef1ed71bef927cbd5e1fa035c444ecb1ebc76009e6d51b506aeb1655e1e4744767afeafc44a210ca1b8f3a3ad82b63e386d72fd603773ca95a66856b392d

      Download Submit
    • \Users\Admin\mLy62Uv\tmjBp.exe
      Filesize

      1.3MB

      MD5

      23cfc4dd51a10cfc19c3e26d135e5f3f

      SHA1

      c64c03fb635c7d243d4c4ad2d1dbf23f5871b037

      SHA256

      a2a378c8984d2a3527c0622aad17e98b26154c8b07f146069b9137286cc1d206

      SHA512

      0841ef1ed71bef927cbd5e1fa035c444ecb1ebc76009e6d51b506aeb1655e1e4744767afeafc44a210ca1b8f3a3ad82b63e386d72fd603773ca95a66856b392d

      Download Submit
    • \Users\Admin\mLy62Uv\tmjBp.exe
      Filesize

      1.3MB

      MD5

      23cfc4dd51a10cfc19c3e26d135e5f3f

      SHA1

      c64c03fb635c7d243d4c4ad2d1dbf23f5871b037

      SHA256

      a2a378c8984d2a3527c0622aad17e98b26154c8b07f146069b9137286cc1d206

      SHA512

      0841ef1ed71bef927cbd5e1fa035c444ecb1ebc76009e6d51b506aeb1655e1e4744767afeafc44a210ca1b8f3a3ad82b63e386d72fd603773ca95a66856b392d

      Download Submit
    • \Users\Admin\mLy62Uv\tmjBp.exe
      Filesize

      1.3MB

      MD5

      23cfc4dd51a10cfc19c3e26d135e5f3f

      SHA1

      c64c03fb635c7d243d4c4ad2d1dbf23f5871b037

      SHA256

      a2a378c8984d2a3527c0622aad17e98b26154c8b07f146069b9137286cc1d206

      SHA512

      0841ef1ed71bef927cbd5e1fa035c444ecb1ebc76009e6d51b506aeb1655e1e4744767afeafc44a210ca1b8f3a3ad82b63e386d72fd603773ca95a66856b392d

      Download Submit
    • \Users\Admin\mLy62Uv\tmjBp.exe
      Filesize

      1.3MB

      MD5

      23cfc4dd51a10cfc19c3e26d135e5f3f

      SHA1

      c64c03fb635c7d243d4c4ad2d1dbf23f5871b037

      SHA256

      a2a378c8984d2a3527c0622aad17e98b26154c8b07f146069b9137286cc1d206

      SHA512

      0841ef1ed71bef927cbd5e1fa035c444ecb1ebc76009e6d51b506aeb1655e1e4744767afeafc44a210ca1b8f3a3ad82b63e386d72fd603773ca95a66856b392d

      Download Submit
    • memory/1260-54-0x0000000075F61000-0x0000000075F63000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1340-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1472-72-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1472-84-0x0000000000586000-0x0000000000597000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1472-68-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1472-69-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1472-70-0x000000000047EF8E-mapping.dmp
      Download
    • memory/1472-64-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1472-74-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1472-76-0x00000000747B0000-0x0000000074D5B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1472-77-0x00000000747B0000-0x0000000074D5B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1472-95-0x0000000000586000-0x0000000000597000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1472-63-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1472-66-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1748-82-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1748-85-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1748-86-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1748-79-0x0000000000411654-mapping.dmp
      Download
    • memory/1748-78-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/2044-87-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/2044-88-0x0000000000442628-mapping.dmp
      Download
    • memory/2044-91-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/2044-94-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download