Analysis

  • max time kernel
    100s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 02:43

General

  • Target

    59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe

  • Size

    946KB

  • MD5

    fc4ff9d8c0e05abacfb2d51035a1b6e1

  • SHA1

    7b11509844d29755649282f439e88fa554a05cfd

  • SHA256

    59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253

  • SHA512

    770600e47555d6f55a923770e1ff4dacff5e870467a3752b5a0509d94c1d76d4ea1e951805ad3068bb1a92daa315df348aaff20139c30092ad34cf8ae5c57e84

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mistaspaz@89

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 6 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 7 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
    "C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe
      C:\Users\Admin\AppData\Local\Temp\59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Users\Admin\AppData\Roaming\Windows Update.exe
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Users\Admin\AppData\Roaming\Windows Update.exe
          C:\Users\Admin\AppData\Roaming\Windows Update.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4268
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            5⤵
            • Accesses Microsoft Outlook accounts
            PID:1168
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3364

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

    Filesize

    102B

    MD5

    87668ad827f145022854c5ed18b135a0

    SHA1

    6f5bb495015544531c966ea0383e9d990d4ad5f0

    SHA256

    3b6b4b602a81e0b9ad545e4bf19c6a5fb850200a9f2d7a3541f9b4482279168d

    SHA512

    e805ae599a9e790b63c2f0a5c768d69d747a4e86e0e9a1f95c7aaae0abe07e0b40d63345d0797393f514bdd9154ccd73d181cbffbd3b23bb756366015d3fb248

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt

    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe

    Filesize

    946KB

    MD5

    fc4ff9d8c0e05abacfb2d51035a1b6e1

    SHA1

    7b11509844d29755649282f439e88fa554a05cfd

    SHA256

    59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253

    SHA512

    770600e47555d6f55a923770e1ff4dacff5e870467a3752b5a0509d94c1d76d4ea1e951805ad3068bb1a92daa315df348aaff20139c30092ad34cf8ae5c57e84

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe

    Filesize

    946KB

    MD5

    fc4ff9d8c0e05abacfb2d51035a1b6e1

    SHA1

    7b11509844d29755649282f439e88fa554a05cfd

    SHA256

    59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253

    SHA512

    770600e47555d6f55a923770e1ff4dacff5e870467a3752b5a0509d94c1d76d4ea1e951805ad3068bb1a92daa315df348aaff20139c30092ad34cf8ae5c57e84

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe

    Filesize

    946KB

    MD5

    fc4ff9d8c0e05abacfb2d51035a1b6e1

    SHA1

    7b11509844d29755649282f439e88fa554a05cfd

    SHA256

    59d32fa1e0458f5442113a78818f9c2cd5bcc87baf879fe7422bf89401249253

    SHA512

    770600e47555d6f55a923770e1ff4dacff5e870467a3752b5a0509d94c1d76d4ea1e951805ad3068bb1a92daa315df348aaff20139c30092ad34cf8ae5c57e84

  • memory/1168-171-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1168-170-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1168-168-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1644-134-0x0000000077A10000-0x0000000077BB3000-memory.dmp

    Filesize

    1.6MB

  • memory/1644-132-0x00000000023F0000-0x00000000023F8000-memory.dmp

    Filesize

    32KB

  • memory/2544-152-0x0000000075080000-0x0000000075631000-memory.dmp

    Filesize

    5.7MB

  • memory/2544-143-0x0000000077A10000-0x0000000077BB3000-memory.dmp

    Filesize

    1.6MB

  • memory/2544-151-0x0000000077A10000-0x0000000077BB3000-memory.dmp

    Filesize

    1.6MB

  • memory/2544-137-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

  • memory/2544-141-0x0000000077A10000-0x0000000077BB3000-memory.dmp

    Filesize

    1.6MB

  • memory/2544-145-0x0000000075080000-0x0000000075631000-memory.dmp

    Filesize

    5.7MB

  • memory/2544-140-0x0000000006AC0000-0x0000000006B50000-memory.dmp

    Filesize

    576KB

  • memory/3012-155-0x0000000077A10000-0x0000000077BB3000-memory.dmp

    Filesize

    1.6MB

  • memory/3364-178-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/3364-180-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/3364-177-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/3364-175-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/4268-161-0x0000000006AD0000-0x0000000006B60000-memory.dmp

    Filesize

    576KB

  • memory/4268-173-0x0000000075080000-0x0000000075631000-memory.dmp

    Filesize

    5.7MB

  • memory/4268-172-0x0000000077A10000-0x0000000077BB3000-memory.dmp

    Filesize

    1.6MB

  • memory/4268-165-0x0000000075080000-0x0000000075631000-memory.dmp

    Filesize

    5.7MB

  • memory/4268-164-0x0000000077A10000-0x0000000077BB3000-memory.dmp

    Filesize

    1.6MB