Analysis

  • max time kernel
    131s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2022 06:34

General

  • Target

    58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe

  • Size

    5.6MB

  • MD5

    80a0a3da2f9717c0532cc760b1e7f746

  • SHA1

    999e1bd2c3947f898d21572c2c360de72232ef09

  • SHA256

    58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52

  • SHA512

    4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.vivaldi.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nAMkXP8FUGvSc3wjPCKF

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 8 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
    "C:\Users\Admin\AppData\Local\Temp\58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:960
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
          PID:1344

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

      Filesize

      102B

      MD5

      d158de25d5b1a2d6699f1b6f572b7561

      SHA1

      f88bb5ae47e97c1a475831b368a93787241e362c

      SHA256

      19af143d58d5d194461e8fe97ac35779917cb4b4389aa609f98ba3f86619d32e

      SHA512

      3d2ba0546123957ec515b8ab95b13c7dbb6944d376515e1f8e476b64e65e2d3b5c4a6fc4f926a87683d4d17c53dbfdc4b8533f4908145a4f42ec44ad17500640

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Users\Admin\AppData\Roaming\Windows Update.exe

      Filesize

      5.6MB

      MD5

      80a0a3da2f9717c0532cc760b1e7f746

      SHA1

      999e1bd2c3947f898d21572c2c360de72232ef09

      SHA256

      58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52

      SHA512

      4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5

    • C:\Users\Admin\AppData\Roaming\Windows Update.exe

      Filesize

      5.6MB

      MD5

      80a0a3da2f9717c0532cc760b1e7f746

      SHA1

      999e1bd2c3947f898d21572c2c360de72232ef09

      SHA256

      58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52

      SHA512

      4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5

    • \Users\Admin\AppData\Roaming\Windows Update.exe

      Filesize

      5.6MB

      MD5

      80a0a3da2f9717c0532cc760b1e7f746

      SHA1

      999e1bd2c3947f898d21572c2c360de72232ef09

      SHA256

      58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52

      SHA512

      4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5

    • memory/960-82-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/960-75-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/960-81-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/960-79-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1344-89-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

    • memory/1344-87-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

    • memory/1344-83-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

    • memory/1524-54-0x0000000000400000-0x0000000000D6C000-memory.dmp

      Filesize

      9.4MB

    • memory/1524-66-0x0000000074B20000-0x00000000750CB000-memory.dmp

      Filesize

      5.7MB

    • memory/1524-60-0x0000000074B20000-0x00000000750CB000-memory.dmp

      Filesize

      5.7MB

    • memory/1524-57-0x0000000000400000-0x0000000000D6C000-memory.dmp

      Filesize

      9.4MB

    • memory/1524-58-0x0000000075591000-0x0000000075593000-memory.dmp

      Filesize

      8KB

    • memory/1524-64-0x0000000000400000-0x0000000000D6C000-memory.dmp

      Filesize

      9.4MB

    • memory/1524-59-0x0000000074B20000-0x00000000750CB000-memory.dmp

      Filesize

      5.7MB

    • memory/2008-71-0x0000000074B10000-0x00000000750BB000-memory.dmp

      Filesize

      5.7MB

    • memory/2008-67-0x0000000000400000-0x0000000000D6C000-memory.dmp

      Filesize

      9.4MB

    • memory/2008-80-0x0000000002C9E000-0x0000000002CAF000-memory.dmp

      Filesize

      68KB

    • memory/2008-72-0x0000000000400000-0x0000000000D6C000-memory.dmp

      Filesize

      9.4MB

    • memory/2008-73-0x0000000074B10000-0x00000000750BB000-memory.dmp

      Filesize

      5.7MB

    • memory/2008-90-0x0000000002C9E000-0x0000000002CAF000-memory.dmp

      Filesize

      68KB