Analysis

  • max time kernel
    100s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 06:34

General

  • Target

    58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe

  • Size

    5.6MB

  • MD5

    80a0a3da2f9717c0532cc760b1e7f746

  • SHA1

    999e1bd2c3947f898d21572c2c360de72232ef09

  • SHA256

    58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52

  • SHA512

    4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.vivaldi.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nAMkXP8FUGvSc3wjPCKF

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 7 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
    "C:\Users\Admin\AppData\Local\Temp\58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:340
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3012

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

    Filesize

    102B

    MD5

    d158de25d5b1a2d6699f1b6f572b7561

    SHA1

    f88bb5ae47e97c1a475831b368a93787241e362c

    SHA256

    19af143d58d5d194461e8fe97ac35779917cb4b4389aa609f98ba3f86619d32e

    SHA512

    3d2ba0546123957ec515b8ab95b13c7dbb6944d376515e1f8e476b64e65e2d3b5c4a6fc4f926a87683d4d17c53dbfdc4b8533f4908145a4f42ec44ad17500640

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt

    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe

    Filesize

    5.6MB

    MD5

    80a0a3da2f9717c0532cc760b1e7f746

    SHA1

    999e1bd2c3947f898d21572c2c360de72232ef09

    SHA256

    58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52

    SHA512

    4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe

    Filesize

    5.6MB

    MD5

    80a0a3da2f9717c0532cc760b1e7f746

    SHA1

    999e1bd2c3947f898d21572c2c360de72232ef09

    SHA256

    58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52

    SHA512

    4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5

  • memory/340-153-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/340-152-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/340-150-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2672-144-0x0000000074940000-0x0000000074EF1000-memory.dmp

    Filesize

    5.7MB

  • memory/2672-145-0x0000000000400000-0x0000000000D6C000-memory.dmp

    Filesize

    9.4MB

  • memory/2672-146-0x0000000074940000-0x0000000074EF1000-memory.dmp

    Filesize

    5.7MB

  • memory/2672-143-0x0000000000400000-0x0000000000D6C000-memory.dmp

    Filesize

    9.4MB

  • memory/2672-148-0x0000000002FEC000-0x0000000002FEF000-memory.dmp

    Filesize

    12KB

  • memory/2672-140-0x0000000000400000-0x0000000000D6C000-memory.dmp

    Filesize

    9.4MB

  • memory/2672-154-0x0000000002FEC000-0x0000000002FEF000-memory.dmp

    Filesize

    12KB

  • memory/3012-156-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/3012-161-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/3012-159-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/3012-158-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/4300-134-0x0000000074940000-0x0000000074EF1000-memory.dmp

    Filesize

    5.7MB

  • memory/4300-130-0x0000000000400000-0x0000000000D6C000-memory.dmp

    Filesize

    9.4MB

  • memory/4300-135-0x0000000074940000-0x0000000074EF1000-memory.dmp

    Filesize

    5.7MB

  • memory/4300-133-0x0000000000400000-0x0000000000D6C000-memory.dmp

    Filesize

    9.4MB

  • memory/4300-139-0x0000000074940000-0x0000000074EF1000-memory.dmp

    Filesize

    5.7MB