hawkeye | 12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b

Analysis

max time kernel
137s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
Size

1.0MB
MD5

03a6f05f998a2c1da3bbe3dba6f44917
SHA1

b9a38f68387f77ed9b752f056bda282580a52ca8
SHA256

12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b
SHA512

d45f3792eba2e04b5f1c9686ee7711f6a2edc976e4f770f34cdff86bb537aeb247d1fe0b705c5cea8860cf32245794b95f2a156597136a168e5c1a953ef929f9
SSDEEP

24576:jBxiZeC6Lj/mHlOdBBR6x/a2fQY5kfqFGlwpV:jLiZeC4TOOdBn0LfTqfqFJL

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 3 IoCs

Processes:

natsv.exednsmon.exenatsv.exe

pid process

4952 natsv.exe
4248 dnsmon.exe
4764 natsv.exe

pid	process
4952	natsv.exe
4248	dnsmon.exe
4764	natsv.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exenatsv.exednsmon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	natsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dnsmon.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

vbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 whatismyipaddress.com
26 whatismyipaddress.com
28 whatismyipaddress.com

flow	ioc
24	whatismyipaddress.com
26	whatismyipaddress.com
28	whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exednsmon.exeRegAsm.exeRegAsm.exe

description	pid	process	target process
PID 4304 set thread context of 2000	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	RegAsm.exe
PID 4248 set thread context of 2448	4248	dnsmon.exe	RegAsm.exe
PID 2000 set thread context of 3412	2000	RegAsm.exe	vbc.exe
PID 2448 set thread context of 1596	2448	RegAsm.exe	vbc.exe
PID 2000 set thread context of 4912	2000	RegAsm.exe	vbc.exe
PID 2448 set thread context of 4352	2448	RegAsm.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exenatsv.exe

pid	process
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4952	natsv.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

2448 RegAsm.exe

pid	process
2448	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exenatsv.exeRegAsm.exednsmon.exenatsv.exeRegAsm.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
Token: SeDebugPrivilege	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
Token: SeDebugPrivilege	4952	natsv.exe
Token: SeDebugPrivilege	2000	RegAsm.exe
Token: SeDebugPrivilege	4248	dnsmon.exe
Token: SeDebugPrivilege	4248	dnsmon.exe
Token: SeDebugPrivilege	4764	natsv.exe
Token: SeDebugPrivilege	2448	RegAsm.exe
Token: SeDebugPrivilege	3412	vbc.exe
Token: SeDebugPrivilege	1596	vbc.exe
Token: SeDebugPrivilege	4912	vbc.exe
Token: SeDebugPrivilege	4352	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

2000 RegAsm.exe
2448 RegAsm.exe

pid	process
2000	RegAsm.exe
2448	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.execmd.exenatsv.execmd.exednsmon.execmd.exeRegAsm.exeRegAsm.exe

description	pid	process	target process
PID 4304 wrote to memory of 3900	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	cmd.exe
PID 4304 wrote to memory of 3900	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	cmd.exe
PID 4304 wrote to memory of 3900	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	cmd.exe
PID 4304 wrote to memory of 2000	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	RegAsm.exe
PID 4304 wrote to memory of 2000	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	RegAsm.exe
PID 4304 wrote to memory of 2000	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	RegAsm.exe
PID 4304 wrote to memory of 2000	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	RegAsm.exe
PID 4304 wrote to memory of 2000	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	RegAsm.exe
PID 4304 wrote to memory of 2000	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	RegAsm.exe
PID 4304 wrote to memory of 2000	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	RegAsm.exe
PID 4304 wrote to memory of 2000	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	RegAsm.exe
PID 4304 wrote to memory of 2000	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	RegAsm.exe
PID 4304 wrote to memory of 3444	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	cmd.exe
PID 4304 wrote to memory of 3444	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	cmd.exe
PID 4304 wrote to memory of 3444	4304	12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe	cmd.exe
PID 3444 wrote to memory of 4952	3444	cmd.exe	natsv.exe
PID 3444 wrote to memory of 4952	3444	cmd.exe	natsv.exe
PID 3444 wrote to memory of 4952	3444	cmd.exe	natsv.exe
PID 4952 wrote to memory of 2452	4952	natsv.exe	cmd.exe
PID 4952 wrote to memory of 2452	4952	natsv.exe	cmd.exe
PID 4952 wrote to memory of 2452	4952	natsv.exe	cmd.exe
PID 2452 wrote to memory of 2868	2452	cmd.exe	reg.exe
PID 2452 wrote to memory of 2868	2452	cmd.exe	reg.exe
PID 2452 wrote to memory of 2868	2452	cmd.exe	reg.exe
PID 4952 wrote to memory of 4248	4952	natsv.exe	dnsmon.exe
PID 4952 wrote to memory of 4248	4952	natsv.exe	dnsmon.exe
PID 4952 wrote to memory of 4248	4952	natsv.exe	dnsmon.exe
PID 4248 wrote to memory of 2448	4248	dnsmon.exe	RegAsm.exe
PID 4248 wrote to memory of 2448	4248	dnsmon.exe	RegAsm.exe
PID 4248 wrote to memory of 2448	4248	dnsmon.exe	RegAsm.exe
PID 4248 wrote to memory of 2448	4248	dnsmon.exe	RegAsm.exe
PID 4248 wrote to memory of 2448	4248	dnsmon.exe	RegAsm.exe
PID 4248 wrote to memory of 2448	4248	dnsmon.exe	RegAsm.exe
PID 4248 wrote to memory of 2448	4248	dnsmon.exe	RegAsm.exe
PID 4248 wrote to memory of 2448	4248	dnsmon.exe	RegAsm.exe
PID 4248 wrote to memory of 2448	4248	dnsmon.exe	RegAsm.exe
PID 4248 wrote to memory of 2944	4248	dnsmon.exe	cmd.exe
PID 4248 wrote to memory of 2944	4248	dnsmon.exe	cmd.exe
PID 4248 wrote to memory of 2944	4248	dnsmon.exe	cmd.exe
PID 2944 wrote to memory of 4764	2944	cmd.exe	natsv.exe
PID 2944 wrote to memory of 4764	2944	cmd.exe	natsv.exe
PID 2944 wrote to memory of 4764	2944	cmd.exe	natsv.exe
PID 2000 wrote to memory of 3412	2000	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 3412	2000	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 3412	2000	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 3412	2000	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 3412	2000	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 3412	2000	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 3412	2000	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 3412	2000	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 3412	2000	RegAsm.exe	vbc.exe
PID 2448 wrote to memory of 1596	2448	RegAsm.exe	vbc.exe
PID 2448 wrote to memory of 1596	2448	RegAsm.exe	vbc.exe
PID 2448 wrote to memory of 1596	2448	RegAsm.exe	vbc.exe
PID 2448 wrote to memory of 1596	2448	RegAsm.exe	vbc.exe
PID 2448 wrote to memory of 1596	2448	RegAsm.exe	vbc.exe
PID 2448 wrote to memory of 1596	2448	RegAsm.exe	vbc.exe
PID 2448 wrote to memory of 1596	2448	RegAsm.exe	vbc.exe
PID 2448 wrote to memory of 1596	2448	RegAsm.exe	vbc.exe
PID 2448 wrote to memory of 1596	2448	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 4912	2000	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 4912	2000	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 4912	2000	RegAsm.exe	vbc.exe
PID 2000 wrote to memory of 4912	2000	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe
"C:\Users\Admin\AppData\Local\Temp\12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
2⤵
PID:3900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
5⤵
PID:2868

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
6⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\natsv.exe.log
Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
321B

MD5
e62221a3bb549a72fcc4afa60d34e620

SHA1
d60b16b540e0e3ed459a30cce0678d1fc8a1989a

SHA256
587f8f51485b575f30e5e1608f70b31b9d8bb384318802373cc52cbdf2a4aa95

SHA512
5b6f6a3a88961b62870e486b02e41d065b3f054f3ad45f7c7e01aff3ba151893e36fd3c13771ed9e3738aaa525296a8ee72adc05fb32932ec3af259404172aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
321B

MD5
c3609e29395ccd5fd8407fed36414e75

SHA1
04c0c5dc3fcced0c5581c44af17fa60260fb591a

SHA256
a32df1c247d5738af4241edc4aa520dbb21013d05d47cac5db96ccfb48de7857

SHA512
8bbd7b458f2be6e91c46cad8f682e109c7a7317f9ae89e5ce889ae7d4db5775b83d03016f47b56aa75bd5646a50c06ae7adbf2fc8af6b9f8a976f2ce30de3533

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
321B

MD5
e62221a3bb549a72fcc4afa60d34e620

SHA1
d60b16b540e0e3ed459a30cce0678d1fc8a1989a

SHA256
587f8f51485b575f30e5e1608f70b31b9d8bb384318802373cc52cbdf2a4aa95

SHA512
5b6f6a3a88961b62870e486b02e41d065b3f054f3ad45f7c7e01aff3ba151893e36fd3c13771ed9e3738aaa525296a8ee72adc05fb32932ec3af259404172aed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Filesize
1.0MB

MD5
03a6f05f998a2c1da3bbe3dba6f44917

SHA1
b9a38f68387f77ed9b752f056bda282580a52ca8

SHA256
12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b

SHA512
d45f3792eba2e04b5f1c9686ee7711f6a2edc976e4f770f34cdff86bb537aeb247d1fe0b705c5cea8860cf32245794b95f2a156597136a168e5c1a953ef929f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Filesize
1.0MB

MD5
03a6f05f998a2c1da3bbe3dba6f44917

SHA1
b9a38f68387f77ed9b752f056bda282580a52ca8

SHA256
12608321b3a1385f9c0650e1208090b9318c65a52bc4a60f4b3419b622f40b2b

SHA512
d45f3792eba2e04b5f1c9686ee7711f6a2edc976e4f770f34cdff86bb537aeb247d1fe0b705c5cea8860cf32245794b95f2a156597136a168e5c1a953ef929f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize
4B

MD5
08f90c1a417155361a5c4b8d297e0d78

SHA1
a4ac914c09d7c097fe1f4f96b897e625b6922069

SHA256
81a83544cf93c245178cbc1620030f1123f435af867c79d87135983c52ab39d9

SHA512
57acf66b146e4f606413e8707ffae882a5ea0228de3455c8efffd439f6ef1a2a04eec109d2879bf64c1d7e05cdd808a14db5c5b0f6a4ccf758d0c998058b53cd

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt
Filesize
56B

MD5
efd1636cfc3cc38fd7babae5cac9ede0

SHA1
4d7d378abeb682eefbd039930c0ea996fbf54178

SHA256
f827d5b11c1eb3902d601c3e0b59ba32fe11c0b573fbf22fb2af86bfd4651bba

SHA512
69b2b0ab1a6e13395ef52dcb903b8e17d842e6d0d44f801ff2659cfd5ec343c8cc57928b02961fc7099ad43ff05633baf5ac39042a00c8676d4fa8f6f8c2a5d7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
514B

MD5
cf738b913686436584e0e66865dbed4d

SHA1
28c636baff765afae70eb7496eea29c3e799de7a

SHA256
2020dc9a431a6ef7120fba50f8cdd0601ae325b06fbfd10baa510db76f1acd7e

SHA512
7824053ba982722586096170d3bdb932db46e9eee367f57acca7a6415e2de52ae26733dd7cf0cbcd1385301ea3c99102bc302839470f980ba385c141e2831ee3

Download Submit
memory/1596-171-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1596-167-0x0000000000000000-mapping.dmp

Download
memory/1596-173-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1596-176-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2000-141-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2000-145-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2000-136-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2000-135-0x0000000000000000-mapping.dmp

Download
memory/2448-161-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2448-152-0x0000000000000000-mapping.dmp

Download
memory/2448-178-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2452-143-0x0000000000000000-mapping.dmp

Download
memory/2868-144-0x0000000000000000-mapping.dmp

Download
memory/2944-154-0x0000000000000000-mapping.dmp

Download
memory/3412-165-0x0000000000000000-mapping.dmp

Download
memory/3412-174-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3412-170-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3412-169-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3412-166-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3444-137-0x0000000000000000-mapping.dmp

Download
memory/3900-134-0x0000000000000000-mapping.dmp

Download
memory/4248-177-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4248-148-0x0000000000000000-mapping.dmp

Download
memory/4248-150-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4304-133-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4304-164-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4304-132-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4352-182-0x0000000000000000-mapping.dmp

Download
memory/4352-188-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4352-187-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4352-186-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4764-155-0x0000000000000000-mapping.dmp

Download
memory/4764-162-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4764-179-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4912-189-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4912-181-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4912-184-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4912-185-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4912-180-0x0000000000000000-mapping.dmp

Download
memory/4912-191-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4952-147-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4952-138-0x0000000000000000-mapping.dmp

Download
memory/4952-142-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4952-151-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download