hawkeye | a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
Size

1.3MB
MD5

24fed3f31bf8912606adb5862ceb3ac8
SHA1

f2ba97e8cba9f8f24142ac2f1daee67783fb80ee
SHA256

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94
SHA512

48eeb947ffeaa991e129f70b3782bf7b8d75f1d95a4b25d8dccc871f4e4fe75c9af422590d015c602e3eedda153b7f8015e4153f4f871a9be3a1606452ddedf0
SSDEEP

24576:9BxmWHAs0A6yDW3Yzv7NeGd6znhc2eEUWXXL9VAIEqJTsj7/pTA:9LhHAbz07jMC2eDWnXAIEx/1

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 3 IoCs

Processes:

natsv.exednsmon.exenatsv.exe

pid process

4784 natsv.exe
2240 dnsmon.exe
3592 natsv.exe

pid	process
4784	natsv.exe
2240	dnsmon.exe
3592	natsv.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exenatsv.exednsmon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	natsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dnsmon.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

vbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 whatismyipaddress.com
30 whatismyipaddress.com
36 whatismyipaddress.com

flow	ioc
28	whatismyipaddress.com
30	whatismyipaddress.com
36	whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exednsmon.exeRegAsm.exeRegAsm.exe

description	pid	process	target process
PID 3496 set thread context of 1444	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 2240 set thread context of 3460	2240	dnsmon.exe	RegAsm.exe
PID 1444 set thread context of 1520	1444	RegAsm.exe	vbc.exe
PID 3460 set thread context of 3988	3460	RegAsm.exe	vbc.exe
PID 1444 set thread context of 312	1444	RegAsm.exe	vbc.exe
PID 3460 set thread context of 4680	3460	RegAsm.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exenatsv.exednsmon.exenatsv.exe

pid	process
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
4784	natsv.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
4784	natsv.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
4784	natsv.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
4784	natsv.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
4784	natsv.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
4784	natsv.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
4784	natsv.exe
4784	natsv.exe
3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
2240	dnsmon.exe
3592	natsv.exe
3592	natsv.exe
3592	natsv.exe
3592	natsv.exe
2240	dnsmon.exe
2240	dnsmon.exe
3592	natsv.exe
3592	natsv.exe
2240	dnsmon.exe
2240	dnsmon.exe
2240	dnsmon.exe
2240	dnsmon.exe
3592	natsv.exe
3592	natsv.exe
2240	dnsmon.exe
2240	dnsmon.exe
3592	natsv.exe
3592	natsv.exe
2240	dnsmon.exe
2240	dnsmon.exe
3592	natsv.exe
3592	natsv.exe
2240	dnsmon.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

3460 RegAsm.exe

pid	process
3460	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exenatsv.exeRegAsm.exednsmon.exevbc.exenatsv.exeRegAsm.exevbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
Token: SeDebugPrivilege	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
Token: SeDebugPrivilege	4784	natsv.exe
Token: SeDebugPrivilege	1444	RegAsm.exe
Token: SeDebugPrivilege	2240	dnsmon.exe
Token: SeDebugPrivilege	2240	dnsmon.exe
Token: SeDebugPrivilege	1520	vbc.exe
Token: SeDebugPrivilege	3592	natsv.exe
Token: SeDebugPrivilege	3460	RegAsm.exe
Token: SeDebugPrivilege	3988	vbc.exe
Token: SeDebugPrivilege	312	vbc.exe
Token: SeDebugPrivilege	4680	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

1444 RegAsm.exe
3460 RegAsm.exe

pid	process
1444	RegAsm.exe
3460	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.execmd.exenatsv.execmd.exednsmon.exeRegAsm.execmd.exeRegAsm.exe

description	pid	process	target process
PID 3496 wrote to memory of 2260	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 3496 wrote to memory of 2260	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 3496 wrote to memory of 2260	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 3496 wrote to memory of 1444	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 3496 wrote to memory of 1444	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 3496 wrote to memory of 1444	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 3496 wrote to memory of 1444	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 3496 wrote to memory of 1444	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 3496 wrote to memory of 1444	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 3496 wrote to memory of 1444	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 3496 wrote to memory of 1444	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 3496 wrote to memory of 1444	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 3496 wrote to memory of 3492	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 3496 wrote to memory of 3492	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 3496 wrote to memory of 3492	3496	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 3492 wrote to memory of 4784	3492	cmd.exe	natsv.exe
PID 3492 wrote to memory of 4784	3492	cmd.exe	natsv.exe
PID 3492 wrote to memory of 4784	3492	cmd.exe	natsv.exe
PID 4784 wrote to memory of 4348	4784	natsv.exe	cmd.exe
PID 4784 wrote to memory of 4348	4784	natsv.exe	cmd.exe
PID 4784 wrote to memory of 4348	4784	natsv.exe	cmd.exe
PID 4348 wrote to memory of 4572	4348	cmd.exe	reg.exe
PID 4348 wrote to memory of 4572	4348	cmd.exe	reg.exe
PID 4348 wrote to memory of 4572	4348	cmd.exe	reg.exe
PID 4784 wrote to memory of 2240	4784	natsv.exe	dnsmon.exe
PID 4784 wrote to memory of 2240	4784	natsv.exe	dnsmon.exe
PID 4784 wrote to memory of 2240	4784	natsv.exe	dnsmon.exe
PID 2240 wrote to memory of 3460	2240	dnsmon.exe	RegAsm.exe
PID 2240 wrote to memory of 3460	2240	dnsmon.exe	RegAsm.exe
PID 2240 wrote to memory of 3460	2240	dnsmon.exe	RegAsm.exe
PID 2240 wrote to memory of 3460	2240	dnsmon.exe	RegAsm.exe
PID 2240 wrote to memory of 3460	2240	dnsmon.exe	RegAsm.exe
PID 2240 wrote to memory of 3460	2240	dnsmon.exe	RegAsm.exe
PID 2240 wrote to memory of 3460	2240	dnsmon.exe	RegAsm.exe
PID 2240 wrote to memory of 3460	2240	dnsmon.exe	RegAsm.exe
PID 2240 wrote to memory of 3460	2240	dnsmon.exe	RegAsm.exe
PID 1444 wrote to memory of 1520	1444	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 1520	1444	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 1520	1444	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 1520	1444	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 1520	1444	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 1520	1444	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 1520	1444	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 1520	1444	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 1520	1444	RegAsm.exe	vbc.exe
PID 2240 wrote to memory of 3024	2240	dnsmon.exe	cmd.exe
PID 2240 wrote to memory of 3024	2240	dnsmon.exe	cmd.exe
PID 2240 wrote to memory of 3024	2240	dnsmon.exe	cmd.exe
PID 3024 wrote to memory of 3592	3024	cmd.exe	natsv.exe
PID 3024 wrote to memory of 3592	3024	cmd.exe	natsv.exe
PID 3024 wrote to memory of 3592	3024	cmd.exe	natsv.exe
PID 3460 wrote to memory of 3988	3460	RegAsm.exe	vbc.exe
PID 3460 wrote to memory of 3988	3460	RegAsm.exe	vbc.exe
PID 3460 wrote to memory of 3988	3460	RegAsm.exe	vbc.exe
PID 3460 wrote to memory of 3988	3460	RegAsm.exe	vbc.exe
PID 3460 wrote to memory of 3988	3460	RegAsm.exe	vbc.exe
PID 3460 wrote to memory of 3988	3460	RegAsm.exe	vbc.exe
PID 3460 wrote to memory of 3988	3460	RegAsm.exe	vbc.exe
PID 3460 wrote to memory of 3988	3460	RegAsm.exe	vbc.exe
PID 3460 wrote to memory of 3988	3460	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 312	1444	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 312	1444	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 312	1444	RegAsm.exe	vbc.exe
PID 1444 wrote to memory of 312	1444	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
"C:\Users\Admin\AppData\Local\Temp\a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
2⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
5⤵
PID:4572

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
6⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\natsv.exe.log
Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
1KB

MD5
01e7975c708365983265ae40d604beb4

SHA1
f1c793c9b7a312d355cd944928ba9272bbeec44e

SHA256
95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40

SHA512
9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
1KB

MD5
01e7975c708365983265ae40d604beb4

SHA1
f1c793c9b7a312d355cd944928ba9272bbeec44e

SHA256
95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40

SHA512
9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Filesize
1.3MB

MD5
24fed3f31bf8912606adb5862ceb3ac8

SHA1
f2ba97e8cba9f8f24142ac2f1daee67783fb80ee

SHA256
a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94

SHA512
48eeb947ffeaa991e129f70b3782bf7b8d75f1d95a4b25d8dccc871f4e4fe75c9af422590d015c602e3eedda153b7f8015e4153f4f871a9be3a1606452ddedf0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Filesize
1.3MB

MD5
24fed3f31bf8912606adb5862ceb3ac8

SHA1
f2ba97e8cba9f8f24142ac2f1daee67783fb80ee

SHA256
a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94

SHA512
48eeb947ffeaa991e129f70b3782bf7b8d75f1d95a4b25d8dccc871f4e4fe75c9af422590d015c602e3eedda153b7f8015e4153f4f871a9be3a1606452ddedf0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize
4B

MD5
afe434653a898da20044041262b3ac74

SHA1
ee176776f84a8e7eb91c3560943535558748ab9e

SHA256
2315bd64e75a346541681575e5b227059bc726907f5a5b893505b648a3062e77

SHA512
fe563a8a3e842094a20ab2263438dedd05cf2b347a0e541a4198a855514788fe8a3c1ddfdaf6af76a554da878694296b74e7cbe75eaf4a94111cde51299c9faf

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt
Filesize
56B

MD5
efd1636cfc3cc38fd7babae5cac9ede0

SHA1
4d7d378abeb682eefbd039930c0ea996fbf54178

SHA256
f827d5b11c1eb3902d601c3e0b59ba32fe11c0b573fbf22fb2af86bfd4651bba

SHA512
69b2b0ab1a6e13395ef52dcb903b8e17d842e6d0d44f801ff2659cfd5ec343c8cc57928b02961fc7099ad43ff05633baf5ac39042a00c8676d4fa8f6f8c2a5d7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
514B

MD5
f4a93cfaaf7c2e60082dd17201dd29d7

SHA1
c8f86501accc37ec7cf373b8e741c70d97c34aa7

SHA256
426756140d0fd1eb698536f7ac98427cf0a56c095e829cbda48f978cbbb7f003

SHA512
2dfc220affe43ad7d070ad94d1c184f209155febbf6b5057dfa3e4d07fe4623d0ca40d4aa12d3eb5ad9910b1e725cdc1237f0095fde44f595da1d94b6733d440

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
514B

MD5
f4a93cfaaf7c2e60082dd17201dd29d7

SHA1
c8f86501accc37ec7cf373b8e741c70d97c34aa7

SHA256
426756140d0fd1eb698536f7ac98427cf0a56c095e829cbda48f978cbbb7f003

SHA512
2dfc220affe43ad7d070ad94d1c184f209155febbf6b5057dfa3e4d07fe4623d0ca40d4aa12d3eb5ad9910b1e725cdc1237f0095fde44f595da1d94b6733d440

Download Submit
memory/312-179-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/312-184-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/312-178-0x0000000000000000-mapping.dmp

Download
memory/312-180-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/312-181-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/312-182-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1444-134-0x0000000000000000-mapping.dmp

Download
memory/1444-176-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1444-135-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1444-141-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1520-156-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1520-157-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1520-160-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1520-153-0x0000000000000000-mapping.dmp

Download
memory/1520-163-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2240-177-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/2240-148-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/2240-146-0x0000000000000000-mapping.dmp

Download
memory/2260-133-0x0000000000000000-mapping.dmp

Download
memory/3024-161-0x0000000000000000-mapping.dmp

Download
memory/3460-164-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3460-185-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3460-151-0x0000000000000000-mapping.dmp

Download
memory/3492-136-0x0000000000000000-mapping.dmp

Download
memory/3496-150-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3496-132-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3496-140-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3592-169-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3592-165-0x0000000000000000-mapping.dmp

Download
memory/3592-186-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3988-175-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3988-172-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3988-170-0x0000000000000000-mapping.dmp

Download
memory/3988-173-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4348-143-0x0000000000000000-mapping.dmp

Download
memory/4572-144-0x0000000000000000-mapping.dmp

Download
memory/4680-189-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4680-187-0x0000000000000000-mapping.dmp

Download
memory/4680-190-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4680-192-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4784-142-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4784-137-0x0000000000000000-mapping.dmp

Download
memory/4784-149-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download