Overview

overview

10

Static

static

b23e272dd9...63.exe

windows7-x64

10

b23e272dd9...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b23e272dd987db89b5261455023def6413356ee4c2a6a6d8734ce4cdc89c0063.exe

  • Size

    1.2MB

  • MD5

    84587f05c8beb74842a7e858ed68bc90

  • SHA1

    85cc7a7d51a38d1c1947b3145a27965e52734b33

  • SHA256

    b23e272dd987db89b5261455023def6413356ee4c2a6a6d8734ce4cdc89c0063

  • SHA512

    3eb3be106953e73f4e4b9a33d6ac8731a13a13fa86fae3b591b6b3101b7054b6538e214c658711f7ed9db33bf453072a3e4d0013905304f76f867e927661c585

  • SSDEEP

    24576:IjLGhuZKuVeWDfBLquzQelc6HDlkw45dPEcTPfvqvIHDfUrckfvo5:IPCuZKuFDfBLzAk6w45dPECfWSUrcavo

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 8 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 9 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 21 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b23e272dd987db89b5261455023def6413356ee4c2a6a6d8734ce4cdc89c0063.exe
    "C:\Users\Admin\AppData\Local\Temp\b23e272dd987db89b5261455023def6413356ee4c2a6a6d8734ce4cdc89c0063.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\278268030.xml"
      2⤵
      • Creates scheduled task(s)
      PID:4120
    • C:\Users\Admin\AppData\Local\Temp\b23e272dd987db89b5261455023def6413356ee4c2a6a6d8734ce4cdc89c0063.exe
      "C:\Users\Admin\AppData\Local\Temp\b23e272dd987db89b5261455023def6413356ee4c2a6a6d8734ce4cdc89c0063.exe"
      2⤵
        PID:1112
      • C:\Users\Admin\AppData\Local\Temp\b23e272dd987db89b5261455023def6413356ee4c2a6a6d8734ce4cdc89c0063.exe
        "C:\Users\Admin\AppData\Local\Temp\b23e272dd987db89b5261455023def6413356ee4c2a6a6d8734ce4cdc89c0063.exe"
        2⤵
          PID:4212
        • C:\Users\Admin\AppData\Local\Temp\b23e272dd987db89b5261455023def6413356ee4c2a6a6d8734ce4cdc89c0063.exe
          "C:\Users\Admin\AppData\Local\Temp\b23e272dd987db89b5261455023def6413356ee4c2a6a6d8734ce4cdc89c0063.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4196
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            3⤵
            • Accesses Microsoft Outlook accounts
            PID:1268
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            3⤵
              PID:1996
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
              3⤵
                PID:4956
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
                3⤵
                  PID:3880

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\278268030.xml
              Filesize

              1KB

              MD5

              f264c43a487074504505d234ed195f00

              SHA1

              64b1d78b8aa727d1486ce797da97d1664744a923

              SHA256

              4f5f9e8b1685c1aaa125621ea6f4991dd34118437ce44b5f42efae42fe951d91

              SHA512

              aa72e7c53dc726e5443edbdbfa156086f129d2820a0a8baa627f53d401bfd1ff8c691eee66ba74532cd9bab06dab1465fffcad25670a9f646ce971895aefa8d1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt
              Filesize

              725B

              MD5

              a117a30f80a2e971461128ef41e7ffca

              SHA1

              168b293718c863090ccc8c7a2682cc6a925619c0

              SHA256

              9b39ac8f7c18edc6a2cb66e75dafeb9d9d104c77b3c235d2ef30a8d02fef26c5

              SHA512

              15b28c7ef0905d1f613f4db6d4b8dbcae3b8566c28387e9c5710321ca491a666bfb38b64f38b0728b16cc89f3fc67436086c4e749ad1cf8be55d49e416726c14

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt
              Filesize

              2B

              MD5

              f3b25701fe362ec84616a93a45ce9998

              SHA1

              d62636d8caec13f04e28442a0a6fa1afeb024bbb

              SHA256

              b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

              SHA512

              98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
              Filesize

              3KB

              MD5

              f94dc819ca773f1e3cb27abbc9e7fa27

              SHA1

              9a7700efadc5ea09ab288544ef1e3cd876255086

              SHA256

              a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

              SHA512

              72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

              Download Submit

            • memory/1268-146-0x0000000000400000-0x000000000041B000-memory.dmp

              Filesize

              108KB

              Download

            • memory/1268-147-0x0000000000400000-0x000000000041B000-memory.dmp

              Filesize

              108KB

              Download

            • memory/1268-144-0x0000000000400000-0x000000000041B000-memory.dmp

              Filesize

              108KB

              Download

            • memory/1996-152-0x0000000000400000-0x0000000000459000-memory.dmp

              Filesize

              356KB

              Download

            • memory/1996-154-0x0000000000400000-0x0000000000459000-memory.dmp

              Filesize

              356KB

              Download

            • memory/1996-151-0x0000000000400000-0x0000000000459000-memory.dmp

              Filesize

              356KB

              Download

            • memory/1996-149-0x0000000000400000-0x0000000000459000-memory.dmp

              Filesize

              356KB

              Download

            • memory/3880-162-0x0000000000400000-0x000000000044F000-memory.dmp

              Filesize

              316KB

              Download

            • memory/3880-166-0x0000000000400000-0x000000000044F000-memory.dmp

              Filesize

              316KB

              Download

            • memory/3880-164-0x0000000000400000-0x000000000044F000-memory.dmp

              Filesize

              316KB

              Download

            • memory/4196-138-0x0000000000400000-0x00000000004F0000-memory.dmp

              Filesize

              960KB

              Download

            • memory/4196-142-0x0000000074B90000-0x0000000075141000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4196-136-0x0000000000400000-0x00000000004F0000-memory.dmp

              Filesize

              960KB

              Download

            • memory/4196-137-0x0000000000400000-0x00000000004F0000-memory.dmp

              Filesize

              960KB

              Download

            • memory/4196-141-0x0000000074B90000-0x0000000075141000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4748-140-0x0000000074B90000-0x0000000075141000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4748-132-0x0000000074B90000-0x0000000075141000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4956-160-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4956-158-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4956-156-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

              Download