Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 01:57

General

  • Target

    aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe

  • Size

    813KB

  • MD5

    6cd920530b09541a42f1b1b40948a460

  • SHA1

    2a26a1a400d2472c743bfe7ed1b7afb902fed486

  • SHA256

    aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419

  • SHA512

    6746bf0d8461509253e8296fe626ac3701a98fd813cd61c2b5fe5fcbbac4871025682ce8109dbf06275624dcb9eba34ef76dd15c8fd39a3bc64c60261e48ad40

  • SSDEEP

    12288:QvRwqFq+PzD6Shp6/MVqZyiqsg0iR/Cs1q0vcSouox6UauGxO9v:6uqzD83Zyi1g06/5q+cNuoxX76O

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 8 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 8 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers routinely target stored browser profile data, which can include saved credentials; the two vbc.exe children below write their output to holdermail.txt and holderwb.txt.

  • Uses the VBS compiler for execution 1 TTPs

    The process named here, vbc.exe, is the Visual Basic .NET command-line compiler rather than a VBScript interpreter. It is launched with /stext, the NirSoft switch for saving recovered passwords to a text file, which vbc.exe itself does not accept; the compiler image serves as a host for injected NirSoft code (see holdermail.txt and holderwb.txt in the process tree).
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs

    SetThreadContext paired with WriteProcessMemory on a newly created child is the API sequence of process hollowing. In this run the sample relaunches its own image (PID 688) and that copy spawns vbc.exe twice; the 108KB and 352KB regions dumped at 0x400000 from PIDs 988 and 3380 differ in size despite coming from the same binary, which is what you expect when the original image has been replaced.
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
    "C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\irzqndfa.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4212
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB135.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB134.tmp"
        3⤵
          PID:1668
      • C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe
        "C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:988
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3380
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SOnRUafR.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5048
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SOnRUafR.exe
          3⤵
          • Adds Run key to start application
          PID:1364
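
    The process tree above carries the behaviours a detection engineer would key on: a compile chain (csc.exe, then cvtres.exe) spawned from an executable in a Temp directory, vbc.exe launched with /stext (a NirSoft save-to-text switch that the real VB.NET compiler does not accept, so the process is almost certainly hosting injected MailPassView/WebBrowserPassView code), the sample relaunching its own image, and Run-key persistence written via cmd.exe /c reg add with an empty value name, i.e. into the key's default value. The Python below is an added example and is not part of the Triage report or of HawkEye itself. It reconstructs the tree as Sysmon-style process-creation records (the field names and the parent PID of the first process are assumptions; PIDs and command lines are copied from the Processes section) and runs those heuristics over them. The tokenizer tolerates the unterminated closing quote visible in the captured reg add command line, which makes shlex-style splitters raise.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, modelled on Sysmon Event ID 1 fields
    (ProcessId, ParentProcessId, Image, CommandLine). Assumed layout."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's Processes section. The parent of PID 2972 is
# not shown on the page, so ppid=0 there is an assumption.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aa9a39a40e8344b970428a20cd8860825364ccb0e88f410ebca127c1a0cbd419.exe"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
RUN_CMD = r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SOnRUafR.exe'
EVENTS = [
    ProcEvent(2972, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(4212, 2972, NET20 + r"\csc.exe",
              '"' + NET20 + r'\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\irzqndfa.cmdline"'),
    ProcEvent(1668, 4212, NET20 + r"\cvtres.exe",
              NET20 + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB135.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB134.tmp"'),
    ProcEvent(688, 2972, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(988, 688, NET20 + r"\vbc.exe", NET20 + r'\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    ProcEvent(3380, 688, NET20 + r"\vbc.exe", NET20 + r'\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"'),
    ProcEvent(5048, 2972, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /c ' + RUN_CMD),
    ProcEvent(1364, 5048, r"C:\Windows\SysWOW64\reg.exe", RUN_CMD),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
DOTNET_TOOLS = {"csc.exe", "vbc.exe", "cvtres.exe"}  # legitimate compile chain, abused as hosts here


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline: str) -> list:
    """Whitespace split honouring double quotes. An unterminated quote (as in
    the captured reg add line) consumes the rest of the string instead of raising."""
    tokens, i, n = [], 0, len(cmdline)
    while i < n:
        if cmdline[i].isspace():
            i += 1
        elif cmdline[i] == '"':
            j = cmdline.find('"', i + 1)
            j = n if j == -1 else j
            tokens.append(cmdline[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not cmdline[j].isspace():
                j += 1
            tokens.append(cmdline[i:j])
            i = j
    return tokens


def parse_reg_add(cmdline: str):
    """Return {key, value, type, data, force} for a `reg add` anywhere in the
    command line (also behind `cmd.exe /c`), or None if there is none."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    start = next((i for i in range(len(low) - 1)
                  if basename(low[i]) in ("reg", "reg.exe") and low[i + 1] == "add"), None)
    if start is None:
        return None
    info = {"key": toks[start + 2] if start + 2 < len(toks) else "",
            "value": None, "type": None, "data": None, "force": False}
    flags = {"/v": "value", "/t": "type", "/d": "data"}
    j = start + 3
    while j < len(toks):
        if low[j] == "/f":
            info["force"] = True
        elif low[j] == "/ve":  # explicit "write the default value" switch
            info["value"] = ""
        elif low[j] in flags and j + 1 < len(toks):
            info[flags[low[j]]] = toks[j + 1]
            j += 1
        j += 1
    return info


def hunt(events):
    """Apply the four heuristics; returns a list of (pid, rule, detail)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name, parent = basename(e.image), by_pid.get(e.ppid)
        reg = parse_reg_add(e.cmdline)
        if reg and RUN_KEY.search(reg["key"]):
            detail = "Run key"
            if reg["value"] == "":
                detail += ", empty (default) value name"
            if reg["data"] and USER_WRITABLE.search(reg["data"]):
                detail += ", target in user-writable path"
            findings.append((e.pid, "run_key_persistence", detail + ": " + str(reg["data"])))
        if name == "vbc.exe" and "/stext" in e.cmdline.lower():
            out = re.split(r"/stext", e.cmdline, maxsplit=1, flags=re.I)[1].strip().strip('"')
            findings.append((e.pid, "nirsoft_stext_in_vbc", out))
        if (name in DOTNET_TOOLS and parent and basename(parent.image) not in DOTNET_TOOLS
                and USER_WRITABLE.search(parent.image)):
            findings.append((e.pid, "dotnet_tool_from_user_path", parent.image))
        if parent and parent.image.lower() == e.image.lower() and USER_WRITABLE.search(e.image):
            findings.append((e.pid, "self_relaunch_from_user_path", e.image))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in hunt(EVENTS):
        print("PID %5d  %-28s %s" % (pid, rule, detail))
```

    Run as-is to list the findings for the reconstructed tree; cvtres.exe (PID 1668) is correctly left alone because its parent is csc.exe, the normal compile chain. In production the same rules map onto Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled. The Run-key rule fires on both the cmd.exe wrapper and its reg.exe child, so deduplicate on the written key and data before alerting.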

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Execution: Scripting, T1064 (1)
    • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
    • Defense Evasion: Scripting, T1064 (1); Modify Registry, T1112 (1)
    • Credential Access: Credentials in Files, T1081 (1)
    • Collection: Data from Local System, T1005 (1); Email Collection, T1114 (1)

    The counts in parentheses are the number of matched signatures per technique. Technique IDs follow ATT&CK v6 as the report states; in current ATT&CK, T1060 corresponds to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1081 to T1552.001 (Unsecured Credentials: Credentials In Files), and T1064 (Scripting) has been deprecated in favour of T1059 (Command and Scripting Interpreter).

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESB135.tmp
      Filesize

      1KB

      MD5

      6ec3c0b99d9097859c4ae18af9c9ada9

      SHA1

      40d7ff2296785e9afb66d41e852aa4b95435bcb4

      SHA256

      b994f46ae4f10fdb344310ebf8e9bb6b2eac7fba271a4c29f0dda68edd73f4f3

      SHA512

      c83211ce4bf8850db96592f3431ccaa828f0436393bc864c55fa90fd2301651564862ac44a950e1bf8a854989ed8bada78830f3e6b089764b2965787c30e5d8f

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      3KB

      MD5

      f94dc819ca773f1e3cb27abbc9e7fa27

      SHA1

      9a7700efadc5ea09ab288544ef1e3cd876255086

      SHA256

      a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

      SHA512

      72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    • C:\Users\Admin\AppData\Local\Temp\irzqndfa.dll
      Filesize

      1.1MB

      MD5

      cc2a4494bfcf404c96250a29044940c2

      SHA1

      9a41df1a8630d21bac0d74a8d1084a23429c97bf

      SHA256

      e7f559206ece73a4b97797aaec36ae96439d4b6b99a7ec0439dc6fbc6fcc2e20

      SHA512

      1ae4cebb3e4222a15d36f2a34fc7a17cba20912fbed76b1275e08c54bb6df5f0a080d7b743fa0a247959f4ed6a620c4655729d9ea665dc72527c27141f3259d0

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCB134.tmp
      Filesize

      652B

      MD5

      d4bd56385209a9354342c166d03cb37f

      SHA1

      d4e3a53f170dc2f22dbebbc6dad5682ce5eee038

      SHA256

      4c9685995ae51d6330125300c52023800d40f1b1f3af39cf872890310e9afffc

      SHA512

      4a4c41969711ebe22ace7342bd738c1aec8e5938d3d6ff1244cf3305e74ecfac1663a1c67d14c64a36128d816ba5feab4d2936aefc0ea28962bc770e4c9454b0

    • \??\c:\Users\Admin\AppData\Local\Temp\irzqndfa.cmdline
      Filesize

      196B

      MD5

      e56e29bdc404dfad69e2cf8e715a11f6

      SHA1

      298fcc20c02f404d115c45077daa08484a14a6c9

      SHA256

      d32efa080c32bc62d7ed2b564f27a0d2a80b63f5f777e5c5905eaad35d48ef76

      SHA512

      1f8fdb206cb425005fb96fa195bede0109b7d6f61e533e21d0a63f4f4f40587a53d1c8ee21a26a0b6938b1253951718769a5a358cba111c41c0d13b6ac8be7e4

    • \??\c:\Users\Admin\AppData\Local\Temp\tmpAF50.tmp.txt
      Filesize

      549KB

      MD5

      92b0844476fd369c495d090e03904503

      SHA1

      7526f336151b9ff70bda24f7445ac412ae0b5738

      SHA256

      10bd8ca479b47c9b6a543790d5b9a0fba130efa0e42d4b538a756cc3aa42ca1f

      SHA512

      dec7fd42d3193329dae373fe67e75daacf50c9eeec31023312f819e7ee557e0e288573de2a16894aea42da1e03dc3753039ea75e3ac938e21a227e852718639e

    • memory/688-147-0x00000000753F0000-0x00000000759A1000-memory.dmp
      Filesize

      5.7MB

    • memory/688-154-0x00000000753F0000-0x00000000759A1000-memory.dmp
      Filesize

      5.7MB

    • memory/688-141-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

    • memory/688-142-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

    • memory/688-143-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

    • memory/688-140-0x0000000000000000-mapping.dmp
    • memory/988-152-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

    • memory/988-148-0x0000000000000000-mapping.dmp
    • memory/988-149-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

    • memory/988-151-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

    • memory/1364-146-0x0000000000000000-mapping.dmp
    • memory/1668-136-0x0000000000000000-mapping.dmp
    • memory/2972-153-0x00000000753F0000-0x00000000759A1000-memory.dmp
      Filesize

      5.7MB

    • memory/2972-132-0x00000000753F0000-0x00000000759A1000-memory.dmp
      Filesize

      5.7MB

    • memory/3380-155-0x0000000000000000-mapping.dmp
    • memory/3380-156-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/3380-158-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/3380-160-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/4212-133-0x0000000000000000-mapping.dmp
    • memory/5048-145-0x0000000000000000-mapping.dmp