Overview

overview

10

Static

static

54f417cf3d...5c.exe

windows7-x64

10

54f417cf3d...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2022 21:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54f417cf3d7921bc9b0404551eac74614072823f65453bdcda96d07564b1a75c.exe

  • Size

    1.6MB

  • MD5

    f3e4f98b303c4389054ff8f6e8f585b3

  • SHA1

    785df725e60c933b7ff9829f2e48b8d8cf2d8b0a

  • SHA256

    54f417cf3d7921bc9b0404551eac74614072823f65453bdcda96d07564b1a75c

  • SHA512

    4c518374471532e22cbdd8877a7dcd128ade283ea14d7aef7bd85bfe1e18c6edd35062b07d7abebc8aeb05a6d9f194c070fde836de8adfe3938c8058651692bd

  • SSDEEP

    24576:eiuLnVEXOa2xLweBRD0R4wcWUx1wMTL2J01r1mweqDH6dMTawqYf1u5eYcl:e7S+rxLweBPkMT6tweqze5YN7t

Score
10/10
hawkeyecollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 14 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 14 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 19 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54f417cf3d7921bc9b0404551eac74614072823f65453bdcda96d07564b1a75c.exe
    "C:\Users\Admin\AppData\Local\Temp\54f417cf3d7921bc9b0404551eac74614072823f65453bdcda96d07564b1a75c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\54f417cf3d7921bc9b0404551eac74614072823f65453bdcda96d07564b1a75c.exe
      "C:\Users\Admin\AppData\Local\Temp\54f417cf3d7921bc9b0404551eac74614072823f65453bdcda96d07564b1a75c.exe"
      2⤵
        PID:1960
      • C:\Users\Admin\AppData\Local\Temp\Telekom_Rechnung_August_Online_Nr_19348881402_DE.exe
        "C:\Users\Admin\AppData\Local\Temp\Telekom_Rechnung_August_Online_Nr_19348881402_DE.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Users\Admin\AppData\Local\Temp\Telekom_Rechnung_August_Online_Nr_19348881402_DE.exe
          "C:\Users\Admin\AppData\Local\Temp\Telekom_Rechnung_August_Online_Nr_19348881402_DE.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1052
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            4⤵
            • Accesses Microsoft Outlook accounts
            PID:1592
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            4⤵
              PID:1692
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 1160
            3⤵
            • Loads dropped DLL
            PID:1580
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 1200
          2⤵
            PID:788
        • C:\Windows\SysWOW64\DllHost.exe
          C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
          1⤵
          • Suspicious use of FindShellTrayWindow
          PID:1796

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Telekom_Rechnung.jpg
          Filesize

          480KB

          MD5

          c963194e2d825888e70e82ac16f66eb5

          SHA1

          eb2f11fc3ccc1ae2d473921e0f6db8315cd4b2dc

          SHA256

          e8ec7dcc6c84ff18a289a939c594a1fb66bb32570699f888655362546355e63d

          SHA512

          ab05fcc9a807af7cd030f6c46f7a6c2ba9c1428c1717bbfd62a3d23f04547187f69b8eb5a00ab227529de72b7ae95271fe2379e33fa5af0290b7e44462d7e869

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Telekom_Rechnung_August_Online_Nr_19348881402_DE.exe
          Filesize

          1.0MB

          MD5

          810a5ddcb41599b76a5511a566f36969

          SHA1

          b729e90f3f4ce9765aaee8bfb641e1d98088e869

          SHA256

          4c8a4dcb9e47664eeb7e5a02a385820d364bb03ca2fb2ff6c058dd10be2b7337

          SHA512

          e637389f8dfa18834853218a1cc123151b3ccea2cb43c54addc7a34edc024d8432826eb5904304cf8c70b36c19f8594fce20189d0be1f305701e89229f996afd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Telekom_Rechnung_August_Online_Nr_19348881402_DE.exe
          Filesize

          1.0MB

          MD5

          810a5ddcb41599b76a5511a566f36969

          SHA1

          b729e90f3f4ce9765aaee8bfb641e1d98088e869

          SHA256

          4c8a4dcb9e47664eeb7e5a02a385820d364bb03ca2fb2ff6c058dd10be2b7337

          SHA512

          e637389f8dfa18834853218a1cc123151b3ccea2cb43c54addc7a34edc024d8432826eb5904304cf8c70b36c19f8594fce20189d0be1f305701e89229f996afd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Telekom_Rechnung_August_Online_Nr_19348881402_DE.exe
          Filesize

          1.0MB

          MD5

          810a5ddcb41599b76a5511a566f36969

          SHA1

          b729e90f3f4ce9765aaee8bfb641e1d98088e869

          SHA256

          4c8a4dcb9e47664eeb7e5a02a385820d364bb03ca2fb2ff6c058dd10be2b7337

          SHA512

          e637389f8dfa18834853218a1cc123151b3ccea2cb43c54addc7a34edc024d8432826eb5904304cf8c70b36c19f8594fce20189d0be1f305701e89229f996afd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
          Filesize

          2B

          MD5

          f3b25701fe362ec84616a93a45ce9998

          SHA1

          d62636d8caec13f04e28442a0a6fa1afeb024bbb

          SHA256

          b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

          SHA512

          98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Telekom_Rechnung_August_Online_Nr_19348881402_DE.exe
          Filesize

          1.0MB

          MD5

          810a5ddcb41599b76a5511a566f36969

          SHA1

          b729e90f3f4ce9765aaee8bfb641e1d98088e869

          SHA256

          4c8a4dcb9e47664eeb7e5a02a385820d364bb03ca2fb2ff6c058dd10be2b7337

          SHA512

          e637389f8dfa18834853218a1cc123151b3ccea2cb43c54addc7a34edc024d8432826eb5904304cf8c70b36c19f8594fce20189d0be1f305701e89229f996afd

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Telekom_Rechnung_August_Online_Nr_19348881402_DE.exe
          Filesize

          1.0MB

          MD5

          810a5ddcb41599b76a5511a566f36969

          SHA1

          b729e90f3f4ce9765aaee8bfb641e1d98088e869

          SHA256

          4c8a4dcb9e47664eeb7e5a02a385820d364bb03ca2fb2ff6c058dd10be2b7337

          SHA512

          e637389f8dfa18834853218a1cc123151b3ccea2cb43c54addc7a34edc024d8432826eb5904304cf8c70b36c19f8594fce20189d0be1f305701e89229f996afd

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Telekom_Rechnung_August_Online_Nr_19348881402_DE.exe
          Filesize

          1.0MB

          MD5

          810a5ddcb41599b76a5511a566f36969

          SHA1

          b729e90f3f4ce9765aaee8bfb641e1d98088e869

          SHA256

          4c8a4dcb9e47664eeb7e5a02a385820d364bb03ca2fb2ff6c058dd10be2b7337

          SHA512

          e637389f8dfa18834853218a1cc123151b3ccea2cb43c54addc7a34edc024d8432826eb5904304cf8c70b36c19f8594fce20189d0be1f305701e89229f996afd

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Telekom_Rechnung_August_Online_Nr_19348881402_DE.exe
          Filesize

          1.0MB

          MD5

          810a5ddcb41599b76a5511a566f36969

          SHA1

          b729e90f3f4ce9765aaee8bfb641e1d98088e869

          SHA256

          4c8a4dcb9e47664eeb7e5a02a385820d364bb03ca2fb2ff6c058dd10be2b7337

          SHA512

          e637389f8dfa18834853218a1cc123151b3ccea2cb43c54addc7a34edc024d8432826eb5904304cf8c70b36c19f8594fce20189d0be1f305701e89229f996afd

          Download Submit

        • memory/788-98-0x0000000000000000-mapping.dmp

          Download

        • memory/836-94-0x0000000074C80000-0x000000007522B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/836-68-0x0000000000000000-mapping.dmp

          Download

        • memory/836-104-0x0000000074C80000-0x000000007522B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1052-121-0x00000000002B5000-0x00000000002C6000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1052-80-0x000000000047F00E-mapping.dmp

          Download

        • memory/1052-108-0x0000000074C80000-0x000000007522B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1052-83-0x0000000000070000-0x00000000000F4000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1052-87-0x0000000000070000-0x00000000000F4000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1052-90-0x0000000000070000-0x00000000000F4000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1052-102-0x00000000002B5000-0x00000000002C6000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1052-95-0x0000000074C80000-0x000000007522B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1580-97-0x0000000000000000-mapping.dmp

          Download

        • memory/1592-110-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

          Download

        • memory/1592-111-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

          Download

        • memory/1592-105-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

          Download

        • memory/1592-106-0x0000000000411654-mapping.dmp

          Download

        • memory/1592-112-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

          Download

        • memory/1692-119-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1692-118-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1692-117-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1692-114-0x0000000000442628-mapping.dmp

          Download

        • memory/1692-113-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/1960-61-0x0000000000400000-0x0000000000484000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1960-62-0x000000000047F00E-mapping.dmp

          Download

        • memory/1960-58-0x0000000000400000-0x0000000000484000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1960-55-0x0000000000400000-0x0000000000484000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1960-60-0x0000000000400000-0x0000000000484000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1960-56-0x0000000000400000-0x0000000000484000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1960-64-0x0000000000400000-0x0000000000484000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1980-93-0x0000000074C80000-0x000000007522B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1980-103-0x0000000074C80000-0x000000007522B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1980-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

          Filesize

          8KB

          Download