hawkeye | 4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da

Analysis

max time kernel
153s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-07-2022 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Size

599KB
MD5

fc749757fb4f8b8f4ba51ccd2e24d83e
SHA1

8e822fb513966cdddeab856cc865bd54e90acf2e
SHA256

4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da
SHA512

ea0f927225cf27efd14baf59438516e89f1e5307a9a31fbe266f4b285ecd81b8106d85600595e7f684f2493156341106140a0f9442140beee7dbeb6700d2a273

Score

10^/10

hawkeye collection discovery keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.grefas.co.th
Port:
587
Username:
[email protected]
Password:
Cream3040

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
suricata: ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata: ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata
suricata: ET MALWARE Generic -POST To file.php w/Extended ASCII Characters
suricata: ET MALWARE Generic -POST To file.php w/Extended ASCII Characters
suricata
suricata: ET MALWARE Zbot POST Request to C2
suricata: ET MALWARE Zbot POST Request to C2
suricata

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe	MailPassView
behavioral2/memory/4976-145-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/4976-146-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/4976-148-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/4976-149-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 8 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe	WebBrowserPassView
behavioral2/memory/4340-151-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/4340-152-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4340-154-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4340-155-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4340-160-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4340-167-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 12 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe	Nirsoft
behavioral2/memory/4976-145-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4976-146-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4976-148-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4976-149-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4340-151-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4340-152-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4340-154-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4340-155-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4340-160-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4340-167-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

cse.sfx.execse.exeEBFile_1.exeebybomuvyz.exe

pid process

4584 cse.sfx.exe
4168 cse.exe
2480 EBFile_1.exe
832 ebybomuvyz.exe

pid	process
4584	cse.sfx.exe
4168	cse.exe
2480	EBFile_1.exe
832	ebybomuvyz.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.execse.sfx.execse.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cse.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cse.exe

Loads dropped DLL 4 IoCs

Processes:

EBFile_1.exeebybomuvyz.exe

pid process

2480 EBFile_1.exe
2480 EBFile_1.exe
832 ebybomuvyz.exe
832 ebybomuvyz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2480	EBFile_1.exe
2480	EBFile_1.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ebybomuvyz.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run	ebybomuvyz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Currentversion\Run	ebybomuvyz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nyonhozo = "C:\\Users\\Admin\\AppData\\Roaming\\Niykekuliwq\\ebybomuvyz.exe"	ebybomuvyz.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 whatismyipaddress.com

flow	ioc
31	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

cse.exeEBFile_1.exe

description	pid	process	target process
PID 4168 set thread context of 4976	4168	cse.exe	vbc.exe
PID 4168 set thread context of 4340	4168	cse.exe	vbc.exe
PID 2480 set thread context of 1964	2480	EBFile_1.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Privacy	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

cse.exeEBFile_1.exevbc.exeebybomuvyz.exe

pid	process
4168	cse.exe
2480	EBFile_1.exe
2480	EBFile_1.exe
4340	vbc.exe
4340	vbc.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe
832	ebybomuvyz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cse.exeEBFile_1.exe4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.execmd.execse.sfx.exeebybomuvyz.execmd.exe

description	pid	process
Token: SeDebugPrivilege	4168	cse.exe
Token: SeSecurityPrivilege	2480	EBFile_1.exe
Token: SeSecurityPrivilege	2480	EBFile_1.exe
Token: SeSecurityPrivilege	2480	EBFile_1.exe
Token: SeSecurityPrivilege	2480	EBFile_1.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	992	cmd.exe
Token: SeSecurityPrivilege	992	cmd.exe
Token: SeSecurityPrivilege	4584	cse.sfx.exe
Token: SeSecurityPrivilege	4584	cse.sfx.exe
Token: SeSecurityPrivilege	4168	cse.exe
Token: SeSecurityPrivilege	4168	cse.exe
Token: SeSecurityPrivilege	2480	EBFile_1.exe
Token: SeSecurityPrivilege	2480	EBFile_1.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
Token: SeSecurityPrivilege	1964	cmd.exe
Token: SeSecurityPrivilege	1964	cmd.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe
Token: SeSecurityPrivilege	832	ebybomuvyz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cse.exe

pid process

4168 cse.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.execmd.execse.sfx.execse.exeEBFile_1.exeebybomuvyz.exe

description	pid	process	target process
PID 1436 wrote to memory of 992	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe	cmd.exe
PID 1436 wrote to memory of 992	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe	cmd.exe
PID 1436 wrote to memory of 992	1436	4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe	cmd.exe
PID 992 wrote to memory of 4584	992	cmd.exe	cse.sfx.exe
PID 992 wrote to memory of 4584	992	cmd.exe	cse.sfx.exe
PID 992 wrote to memory of 4584	992	cmd.exe	cse.sfx.exe
PID 4584 wrote to memory of 4168	4584	cse.sfx.exe	cse.exe
PID 4584 wrote to memory of 4168	4584	cse.sfx.exe	cse.exe
PID 4584 wrote to memory of 4168	4584	cse.sfx.exe	cse.exe
PID 4168 wrote to memory of 2480	4168	cse.exe	EBFile_1.exe
PID 4168 wrote to memory of 2480	4168	cse.exe	EBFile_1.exe
PID 4168 wrote to memory of 2480	4168	cse.exe	EBFile_1.exe
PID 4168 wrote to memory of 4976	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4976	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4976	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4976	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4976	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4976	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4976	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4976	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4976	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4340	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4340	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4340	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4340	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4340	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4340	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4340	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4340	4168	cse.exe	vbc.exe
PID 4168 wrote to memory of 4340	4168	cse.exe	vbc.exe
PID 2480 wrote to memory of 832	2480	EBFile_1.exe	ebybomuvyz.exe
PID 2480 wrote to memory of 832	2480	EBFile_1.exe	ebybomuvyz.exe
PID 2480 wrote to memory of 832	2480	EBFile_1.exe	ebybomuvyz.exe
PID 832 wrote to memory of 2700	832	ebybomuvyz.exe	sihost.exe
PID 832 wrote to memory of 2700	832	ebybomuvyz.exe	sihost.exe
PID 832 wrote to memory of 2700	832	ebybomuvyz.exe	sihost.exe
PID 832 wrote to memory of 2700	832	ebybomuvyz.exe	sihost.exe
PID 832 wrote to memory of 2700	832	ebybomuvyz.exe	sihost.exe
PID 832 wrote to memory of 2732	832	ebybomuvyz.exe	svchost.exe
PID 832 wrote to memory of 2732	832	ebybomuvyz.exe	svchost.exe
PID 832 wrote to memory of 2732	832	ebybomuvyz.exe	svchost.exe
PID 832 wrote to memory of 2732	832	ebybomuvyz.exe	svchost.exe
PID 832 wrote to memory of 2732	832	ebybomuvyz.exe	svchost.exe
PID 832 wrote to memory of 2824	832	ebybomuvyz.exe	taskhostw.exe
PID 832 wrote to memory of 2824	832	ebybomuvyz.exe	taskhostw.exe
PID 832 wrote to memory of 2824	832	ebybomuvyz.exe	taskhostw.exe
PID 832 wrote to memory of 2824	832	ebybomuvyz.exe	taskhostw.exe
PID 832 wrote to memory of 2824	832	ebybomuvyz.exe	taskhostw.exe
PID 832 wrote to memory of 3272	832	ebybomuvyz.exe	Explorer.EXE
PID 832 wrote to memory of 3272	832	ebybomuvyz.exe	Explorer.EXE
PID 832 wrote to memory of 3272	832	ebybomuvyz.exe	Explorer.EXE
PID 832 wrote to memory of 3272	832	ebybomuvyz.exe	Explorer.EXE
PID 832 wrote to memory of 3272	832	ebybomuvyz.exe	Explorer.EXE
PID 832 wrote to memory of 3372	832	ebybomuvyz.exe	svchost.exe
PID 832 wrote to memory of 3372	832	ebybomuvyz.exe	svchost.exe
PID 832 wrote to memory of 3372	832	ebybomuvyz.exe	svchost.exe
PID 832 wrote to memory of 3372	832	ebybomuvyz.exe	svchost.exe
PID 832 wrote to memory of 3372	832	ebybomuvyz.exe	svchost.exe
PID 832 wrote to memory of 3560	832	ebybomuvyz.exe	DllHost.exe
PID 832 wrote to memory of 3560	832	ebybomuvyz.exe	DllHost.exe
PID 832 wrote to memory of 3560	832	ebybomuvyz.exe	DllHost.exe
PID 832 wrote to memory of 3560	832	ebybomuvyz.exe	DllHost.exe
PID 832 wrote to memory of 3560	832	ebybomuvyz.exe	DllHost.exe
PID 832 wrote to memory of 3664	832	ebybomuvyz.exe	StartMenuExperienceHost.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2732

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2700

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe
"C:\Users\Admin\AppData\Local\Temp\4a77080b5e74b287b9fa111b6f61419e94fd01592b764a42485fcafeae7a12da.exe"
2⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\swe23ahgfr54d.bat" "
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cse.sfx.exe
cse.sfx.exe -pnoi9uy76thwe -dC:\Users\Admin\AppData\Local\Temp
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4168

C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
"C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Roaming\Niykekuliwq\ebybomuvyz.exe
"C:\Users\Admin\AppData\Roaming\Niykekuliwq\ebybomuvyz.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0dbb2802.bat"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
6⤵
- Accesses Microsoft Outlook accounts
PID:4976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3560

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4028

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3060

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3372

C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
1⤵
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
Filesize
264KB

MD5
e41feeacb6ce35f13e4844011483fefa

SHA1
489321121671461adfa36efe47620819bba21a01

SHA256
47aa1eb660775e4ae8aa2765365a67c42ee458e211e17fbaf4009f98b9447350

SHA512
f01aceb198bbec5d42f25d991736725af8f0f5276f419fb790fe7b177b6d38309722529d55f09d68295f0703c37df32ae2023a8b4168aaa0999d3850851e6cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
Filesize
264KB

MD5
e41feeacb6ce35f13e4844011483fefa

SHA1
489321121671461adfa36efe47620819bba21a01

SHA256
47aa1eb660775e4ae8aa2765365a67c42ee458e211e17fbaf4009f98b9447350

SHA512
f01aceb198bbec5d42f25d991736725af8f0f5276f419fb790fe7b177b6d38309722529d55f09d68295f0703c37df32ae2023a8b4168aaa0999d3850851e6cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cse.sfx.exe
Filesize
548KB

MD5
2f1eae297fdf4ea274aaea87674ad59f

SHA1
e5262ad423771b913ec91950c2425f306af8e4c8

SHA256
bff6beb15bdf458a0dbaa49a664f7c8fe5357ab6d8d945c4422375a78b0f706f

SHA512
18670499ba6837f60682657092a8edcd195ceda1753cb32aa506cbf43b05e1d53991982780215fca4cce1ad76844a86b62c4493829ea42b9b760185a8f8c2508

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cse.sfx.exe
Filesize
548KB

MD5
2f1eae297fdf4ea274aaea87674ad59f

SHA1
e5262ad423771b913ec91950c2425f306af8e4c8

SHA256
bff6beb15bdf458a0dbaa49a664f7c8fe5357ab6d8d945c4422375a78b0f706f

SHA512
18670499ba6837f60682657092a8edcd195ceda1753cb32aa506cbf43b05e1d53991982780215fca4cce1ad76844a86b62c4493829ea42b9b760185a8f8c2508

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\swe23ahgfr54d.bat
Filesize
35B

MD5
41311c4d45324cc6020f12da32203575

SHA1
6a7f49c8b2287b7693d986b49b383864f24f1496

SHA256
4787a1f4536ec8038f6f870855ceca45ef730c0929fd84ec5b93dad9494ab27c

SHA512
47bf7e15e8b4e1e90ccfddc742975de540e88db5a4002c35bbedb7d5a780e8dddce473be357af0e63b582807f6f84b92a2d72df41efa524388e079640328b65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe
Filesize
1.2MB

MD5
21b41538c594d917da5331d9272c2b84

SHA1
92ebd4081ecc6eed903780db360b27f22d60402f

SHA256
96a9a3b906d49b21e4c00b9d78075ef6e9319460f8102bc055c68c0af9a58833

SHA512
63a75dcfcec12638a7ebeaa06d41bda80f6debb5053ccf88c710d040361271c12ba2cfcdc5f104ac2fc6e6fea36a39842156af294a5520fbe0e7fddf2b820cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\cse.exe
Filesize
1.2MB

MD5
21b41538c594d917da5331d9272c2b84

SHA1
92ebd4081ecc6eed903780db360b27f22d60402f

SHA256
96a9a3b906d49b21e4c00b9d78075ef6e9319460f8102bc055c68c0af9a58833

SHA512
63a75dcfcec12638a7ebeaa06d41bda80f6debb5053ccf88c710d040361271c12ba2cfcdc5f104ac2fc6e6fea36a39842156af294a5520fbe0e7fddf2b820cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp0dbb2802.bat
Filesize
195B

MD5
53c9045f650cd1d7acd1e2060215aeff

SHA1
ba0a2d1e9411b443d17109f81291b450a82b40f5

SHA256
acc020f4f8b589f76e0f3a2c956861936740b4a0ea56357394b8caa43484b7a8

SHA512
0c73b807117cf16c217322aabdf04cbcdb7a0d92b94bd09e6bb95d9bdfdf2b0be46a70c61c87385fa51b0ea6e133b0524362ff3c189c88e85edee593f0f43d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F7A.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2566.tmp
Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D0D.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp83A3.tmp
Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Users\Admin\AppData\Roaming\Ebqoubdiodov\alneegahenk.uvr
Filesize
3KB

MD5
955d3a69d37fc73f98065db613464401

SHA1
73f7a1618bdef77f8486cc49603fe7556c320311

SHA256
af33e8abc5fa1fc409175f62767d1351ce8e0b0ac0f58dd9823584a265d5659a

SHA512
e0d2386c5560910a458e73be5b449eccc3c88a7c9eae03371e0707c6519d3978445a961e841389731607ec59d4ca77f2793173185be02269645b0ccb00dccef2

Download Submit
C:\Users\Admin\AppData\Roaming\Ebqoubdiodov\alneegahenk.uvr
Filesize
3KB

MD5
e88cc153c0803970086bebabf2bb2916

SHA1
47990988fe762f5ef1478a81312eef05f6c742f0

SHA256
b7cee732715c5251770de6d30c118a40e1288938c732d38303fbfcdb1a641c14

SHA512
76fb71221ff3812218867360b018370ac100c925f9ac781997221d010ab6389dea631077b86c1b0ea2e53cd5c78c85051bb5bd74c39224eec518d4e3e4f3e2b6

Download Submit
C:\Users\Admin\AppData\Roaming\Niykekuliwq\ebybomuvyz.exe
Filesize
264KB

MD5
e6f242289719cf724976b1ddf2b4a240

SHA1
400a665ef6f45747a1bba10391c6f4253ee719d0

SHA256
7a18be67250702560cfc98125827f3fb114d18eace0cb1d5a6378bcf0e2cfafb

SHA512
62f6005d119649e038ebee8fe673e7e50557c6cffbdd4a83acfbf59c464131af5e424e72012d1da73cd170c61e10038c8a8b0e2bb1b5ca97488be5bd2c1a756f

Download Submit
C:\Users\Admin\AppData\Roaming\Niykekuliwq\ebybomuvyz.exe
Filesize
264KB

MD5
e6f242289719cf724976b1ddf2b4a240

SHA1
400a665ef6f45747a1bba10391c6f4253ee719d0

SHA256
7a18be67250702560cfc98125827f3fb114d18eace0cb1d5a6378bcf0e2cfafb

SHA512
62f6005d119649e038ebee8fe673e7e50557c6cffbdd4a83acfbf59c464131af5e424e72012d1da73cd170c61e10038c8a8b0e2bb1b5ca97488be5bd2c1a756f

Download Submit
memory/832-157-0x0000000000000000-mapping.dmp

Download
memory/992-130-0x0000000000000000-mapping.dmp

Download
memory/992-175-0x0000000000DD0000-0x0000000000E17000-memory.dmp

Filesize
284KB

Download
memory/1436-165-0x0000000000430000-0x0000000000477000-memory.dmp

Filesize
284KB

Download
memory/1436-178-0x0000000000430000-0x0000000000477000-memory.dmp

Filesize
284KB

Download
memory/1964-170-0x0000000000730000-0x0000000000777000-memory.dmp

Filesize
284KB

Download
memory/1964-168-0x0000000000000000-mapping.dmp

Download
memory/1964-174-0x0000000000730000-0x0000000000777000-memory.dmp

Filesize
284KB

Download
memory/2480-140-0x0000000000000000-mapping.dmp

Download
memory/2480-144-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2480-171-0x00000000022A0000-0x00000000022E7000-memory.dmp

Filesize
284KB

Download
memory/2480-143-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4168-139-0x00000000733F0000-0x00000000739A1000-memory.dmp

Filesize
5.7MB

Download
memory/4168-177-0x0000000005530000-0x0000000005577000-memory.dmp

Filesize
284KB

Download
memory/4168-135-0x0000000000000000-mapping.dmp

Download
memory/4168-138-0x00000000733F0000-0x00000000739A1000-memory.dmp

Filesize
5.7MB

Download
memory/4340-155-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4340-152-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4340-167-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4340-151-0x0000000000000000-mapping.dmp

Download
memory/4340-154-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4340-160-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4584-132-0x0000000000000000-mapping.dmp

Download
memory/4584-176-0x00000000005A0000-0x00000000005E7000-memory.dmp

Filesize
284KB

Download
memory/4976-145-0x0000000000000000-mapping.dmp

Download
memory/4976-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download