Overview

overview

10

Static

static

aa9a39a40e...19.exe

windows7-x64

10

aa9a39a40e...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2022 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe

  • Size

    813KB

  • MD5

    6cd920530b09541a42f1b1b40948a460

  • SHA1

    2a26a1a400d2472c743bfe7ed1b7afb902fed486

  • SHA256

    aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419

  • SHA512

    6746bf0d8461509253e8296fe626ac3701a98fd813cd61c2b5fe5fcbbac4871025682ce8109dbf06275624dcb9eba34ef76dd15c8fd39a3bc64c60261e48ad40

  • SSDEEP

    12288:QvRwqFq+PzD6Shp6/MVqZyiqsg0iR/Cs1q0vcSouox6UauGxO9v:6uqzD83Zyi1g06/5q+cNuoxX76O

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 11 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 11 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
    "C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vk6jgy2z.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES123B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC122A.tmp"
        3⤵
          PID:1812
      • C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
        "C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:1960
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          3⤵
            PID:1372
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\UTICNtwg.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:560
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\UTICNtwg.exe
            3⤵
            • Adds Run key to start application
            PID:380

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES123B.tmp
        Filesize

        1KB

        MD5

        7aa7c20c0df980c92b958b3d6bed05e7

        SHA1

        313a7af59c96f137a65b3e379e83f5725ed7cc0d

        SHA256

        78ddfda85d5e757e4a68331dc9c98c1c90681e977c6d0ec58058d9abb70b0240

        SHA512

        87fe16feca52d88827b0845952dca1e1f86da3b18ed64389ec2562c26088d1156ea40b340dbeb7b487c73235ce3a7caec473016eba1d15469c7180765fb798dd

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\vk6jgy2z.dll
        Filesize

        1.1MB

        MD5

        7844351b6693ac7233bd2882c365729b

        SHA1

        b1a2ab43cccb182f74e8101292b4ab97a4966706

        SHA256

        bc08825feba67661e3d8f08dfb43972932e919add18378263c86a9d9ed81d620

        SHA512

        1f52b2d40a329b0320ddc6034e803972ffeb00ed276dadd0896778400bb2af575b0fd88b1eac0471bae006f082abea866829ba7cd9aa0031d6a1f583e0140738

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\CSC122A.tmp
        Filesize

        652B

        MD5

        ab565cca760359ac8e1b9df7de2002c6

        SHA1

        dc846457267b23fa0e2c64fa83858544b3dc7806

        SHA256

        225769cc0b7a5576abf8fcf3d4c6d754f656222ab16cfce35311f79e5a488846

        SHA512

        c7df8744ba228a7078fab2758b693f6e5a06afb4381a387611227d93a9ec445a7104bb9f373be13fa0460c4a717cc1fa57069c088dff9dc97092f8aa7dcf15c1

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\tmp1028.tmp.txt
        Filesize

        549KB

        MD5

        92b0844476fd369c495d090e03904503

        SHA1

        7526f336151b9ff70bda24f7445ac412ae0b5738

        SHA256

        10bd8ca479b47c9b6a543790d5b9a0fba130efa0e42d4b538a756cc3aa42ca1f

        SHA512

        dec7fd42d3193329dae373fe67e75daacf50c9eeec31023312f819e7ee557e0e288573de2a16894aea42da1e03dc3753039ea75e3ac938e21a227e852718639e

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\vk6jgy2z.cmdline
        Filesize

        196B

        MD5

        937d41bcdc700fb5675087cd2e0fc19d

        SHA1

        a6e528f44a89d42b4c2348b2ee14c2023d1cf42c

        SHA256

        0e43dffb952a36dfbafa9bd63fe51a92302a032c5bc120698080493b37f0543e

        SHA512

        769ddbace82e514afb8fba13ef5e07bce604ad2b007c404e154f14de5fdfa6ef63a807b4724b75af8d4d806e5d57984e8b774792eda99d860222160ee4004427

        Download Submit
      • memory/380-79-0x0000000000000000-mapping.dmp
        Download
      • memory/560-78-0x0000000000000000-mapping.dmp
        Download
      • memory/1168-73-0x0000000000400000-0x0000000000484000-memory.dmp
        Filesize

        528KB

        Download
      • memory/1168-88-0x0000000073F00000-0x00000000744AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1168-65-0x0000000000400000-0x0000000000484000-memory.dmp
        Filesize

        528KB

        Download
      • memory/1168-67-0x0000000000400000-0x0000000000484000-memory.dmp
        Filesize

        528KB

        Download
      • memory/1168-80-0x0000000073F00000-0x00000000744AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1168-71-0x000000000047EADE-mapping.dmp
        Download
      • memory/1168-63-0x0000000000400000-0x0000000000484000-memory.dmp
        Filesize

        528KB

        Download
      • memory/1168-75-0x0000000000400000-0x0000000000484000-memory.dmp
        Filesize

        528KB

        Download
      • memory/1168-69-0x0000000000400000-0x0000000000484000-memory.dmp
        Filesize

        528KB

        Download
      • memory/1168-62-0x0000000000400000-0x0000000000484000-memory.dmp
        Filesize

        528KB

        Download
      • memory/1328-55-0x0000000000000000-mapping.dmp
        Download
      • memory/1372-97-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1372-95-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1372-94-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1372-90-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1372-91-0x0000000000442628-mapping.dmp
        Download
      • memory/1768-77-0x0000000073F00000-0x00000000744AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1768-86-0x0000000073F00000-0x00000000744AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1812-58-0x0000000000000000-mapping.dmp
        Download
      • memory/1960-87-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1960-89-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1960-85-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1960-82-0x0000000000411654-mapping.dmp
        Download
      • memory/1960-81-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download