Overview

overview

10

Static

static

E141889364...DF.exe

windows7-x64

10

E141889364...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    166s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2022 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E1418893649007.PDF.exe

  • Size

    1.1MB

  • MD5

    21491189acd58edf2ffcc5829abbb7a6

  • SHA1

    97439584bd72e0ea470085983cf18a02581b76b4

  • SHA256

    712e38d6f7ec0cb09be6fea727a3748b2de1c7c8286b33bb227f68dca34b6073

  • SHA512

    0f0cb57475a5ba07f00c8993febec95cb953b4d1b5f13229db9463e81e4cf584d15b8b1d58a3ffafb459baf0b67dda46efdb445b128ed0470784faef6b8cd716

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.trambaohanhelectroluxhn.com
  • Port:
    21
  • Username:
    LOGGSS2022@suachuaduongongnuoc.net
  • Password:
    Wn5b%iX[O%95

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 7 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 11 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\E1418893649007.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\E1418893649007.PDF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:312
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QqCeeJqNyu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCAE1.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1496
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QqCeeJqNyu.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1480
    • C:\Users\Admin\AppData\Local\Temp\E1418893649007.PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\E1418893649007.PDF.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:4596
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E1418893649007.PDF.exe.log
    Filesize

    1KB

    MD5

    e08f822522c617a40840c62e4b0fb45e

    SHA1

    ae516dca4da5234be6676d3f234c19ec55725be7

    SHA256

    bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

    SHA512

    894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpCAE1.tmp
    Filesize

    1KB

    MD5

    ac000be7f73c35de359ec2f5ac30573f

    SHA1

    ab61d2b38d127da978f74140a1c8d1b66251c071

    SHA256

    8234a1f5e6e01cb238a5ca7489d8f9cc3ff5968bdb96971210e293e37eef6b4e

    SHA512

    568f8af5fd32ec4d26501305531ff956382ee6cfc9095e3b6e403f3f5ca427ac5ebdd4c6823ddf59788001a289ef7a0e963631b36d20bddeff59d79a6b9130e6

    Download Submit
  • memory/312-133-0x0000000004F30000-0x0000000004F3A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/312-134-0x000000000B120000-0x000000000B1BC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/312-135-0x000000000B1C0000-0x000000000B226000-memory.dmp
    Filesize

    408KB

    Download
  • memory/312-130-0x0000000000480000-0x0000000000598000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/312-132-0x0000000004FA0000-0x0000000005032000-memory.dmp
    Filesize

    584KB

    Download
  • memory/312-131-0x00000000054B0000-0x0000000005A54000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/616-170-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/616-168-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/616-167-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/616-166-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/616-163-0x0000000000000000-mapping.dmp
    Download
  • memory/616-164-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

    Download
  • memory/1480-149-0x0000000071400000-0x000000007144C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1480-156-0x00000000075E0000-0x00000000075FA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1480-147-0x0000000005F90000-0x0000000005FAE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1480-145-0x00000000058E0000-0x0000000005946000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1480-150-0x0000000006550000-0x000000000656E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1480-148-0x0000000006F50000-0x0000000006F82000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1480-152-0x00000000072A0000-0x00000000072BA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1480-151-0x00000000078E0000-0x0000000007F5A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1480-153-0x0000000007310000-0x000000000731A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1480-154-0x0000000007520000-0x00000000075B6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1480-155-0x00000000074D0000-0x00000000074DE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1480-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1480-157-0x00000000075C0000-0x00000000075C8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1480-138-0x00000000049C0000-0x00000000049F6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1480-140-0x0000000005180000-0x00000000057A8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1480-144-0x0000000004FE0000-0x0000000005002000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1496-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3696-141-0x0000000000000000-mapping.dmp
    Download
  • memory/3696-142-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize

    544KB

    Download
  • memory/3696-146-0x00000000055F0000-0x0000000005646000-memory.dmp
    Filesize

    344KB

    Download
  • memory/4596-162-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4596-161-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4596-159-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4596-158-0x0000000000000000-mapping.dmp
    Download