Overview

overview

10

Static

static

cd32ecd3b6...7a.exe

windows7-x64

10

cd32ecd3b6...7a.exe

windows10-2004-x64

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 00:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a.exe

  • Size

    524KB

  • MD5

    7efa1b4a25f12c86a801af2fbc61011e

  • SHA1

    9e9c9a463a461045520792024dfcf27909587777

  • SHA256

    cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a

  • SHA512

    86e99f6e3356c1a1dc7c55922e3ede76cc7aa7a9f16c5ae72c82145722d15a0a53dc7600c6a0c62537220b09a4633458ad353d80d77ec2bd5e898541383b33f5

  • SSDEEP

    6144:EPoU2J3SLwlmbG2odCHQr7tCw6/dj+ksNqizN4XW0KCTBtN6eTsjHhn+aDW:EQ3WwUbvodC+7Mw6l0cbTB6ysjP

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 12 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 12 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 17 IoCs
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a.exe
    "C:\Users\Admin\AppData\Local\Temp\cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
      "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
        "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:576
        • C:\Users\Admin\AppData\Roaming\Windows Update.exe
          "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
          4⤵
          • Executes dropped EXE
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:864
          • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
            "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1616
            • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
              "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1488
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
                7⤵
                • Accesses Microsoft Outlook accounts
                PID:1996
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
                7⤵
                  PID:1912
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                  dw20.exe -x -s 1484
                  7⤵
                    PID:572
          • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
            "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
            3⤵
              PID:660
            • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
              "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
              3⤵
                PID:376
              • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
                "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                3⤵
                  PID:1160
                • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
                  "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                  3⤵
                    PID:1640

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
                Filesize

                63B

                MD5

                38ddfffbf1903d6736e7b286bf7bd5a7

                SHA1

                ba50b8b3a26cf85370eda010a4debdc9f17d1aac

                SHA256

                1089465f9fb8c30c6c2142102ef6a85b5313cbb77b977f6d4086900e757eb43b

                SHA512

                5c59db24a2319a81979c8c3a4d29fa87015276e5a56f51d15c83124632c77d36aaad54ae56f7e0ebe4e57014912c59f2302b0a84da19b7369733d98e62b59cd9

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
                Filesize

                2B

                MD5

                f3b25701fe362ec84616a93a45ce9998

                SHA1

                d62636d8caec13f04e28442a0a6fa1afeb024bbb

                SHA256

                b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                SHA512

                98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                Download Submit

              • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
                Filesize

                524KB

                MD5

                7efa1b4a25f12c86a801af2fbc61011e

                SHA1

                9e9c9a463a461045520792024dfcf27909587777

                SHA256

                cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a

                SHA512

                86e99f6e3356c1a1dc7c55922e3ede76cc7aa7a9f16c5ae72c82145722d15a0a53dc7600c6a0c62537220b09a4633458ad353d80d77ec2bd5e898541383b33f5

                Download Submit

              • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
                Filesize

                524KB

                MD5

                7efa1b4a25f12c86a801af2fbc61011e

                SHA1

                9e9c9a463a461045520792024dfcf27909587777

                SHA256

                cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a

                SHA512

                86e99f6e3356c1a1dc7c55922e3ede76cc7aa7a9f16c5ae72c82145722d15a0a53dc7600c6a0c62537220b09a4633458ad353d80d77ec2bd5e898541383b33f5

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Windows Update.exe
                Filesize

                524KB

                MD5

                7efa1b4a25f12c86a801af2fbc61011e

                SHA1

                9e9c9a463a461045520792024dfcf27909587777

                SHA256

                cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a

                SHA512

                86e99f6e3356c1a1dc7c55922e3ede76cc7aa7a9f16c5ae72c82145722d15a0a53dc7600c6a0c62537220b09a4633458ad353d80d77ec2bd5e898541383b33f5

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Windows Update.exe
                Filesize

                524KB

                MD5

                7efa1b4a25f12c86a801af2fbc61011e

                SHA1

                9e9c9a463a461045520792024dfcf27909587777

                SHA256

                cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a

                SHA512

                86e99f6e3356c1a1dc7c55922e3ede76cc7aa7a9f16c5ae72c82145722d15a0a53dc7600c6a0c62537220b09a4633458ad353d80d77ec2bd5e898541383b33f5

                Download Submit

              • \Users\Admin\AppData\Roaming\Windows Update.exe
                Filesize

                524KB

                MD5

                7efa1b4a25f12c86a801af2fbc61011e

                SHA1

                9e9c9a463a461045520792024dfcf27909587777

                SHA256

                cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a

                SHA512

                86e99f6e3356c1a1dc7c55922e3ede76cc7aa7a9f16c5ae72c82145722d15a0a53dc7600c6a0c62537220b09a4633458ad353d80d77ec2bd5e898541383b33f5

                Download Submit

              • \Users\Admin\AppData\Roaming\Windows Update.exe
                Filesize

                524KB

                MD5

                7efa1b4a25f12c86a801af2fbc61011e

                SHA1

                9e9c9a463a461045520792024dfcf27909587777

                SHA256

                cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a

                SHA512

                86e99f6e3356c1a1dc7c55922e3ede76cc7aa7a9f16c5ae72c82145722d15a0a53dc7600c6a0c62537220b09a4633458ad353d80d77ec2bd5e898541383b33f5

                Download Submit

              • \Users\Admin\AppData\Roaming\Windows Update.exe
                Filesize

                524KB

                MD5

                7efa1b4a25f12c86a801af2fbc61011e

                SHA1

                9e9c9a463a461045520792024dfcf27909587777

                SHA256

                cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a

                SHA512

                86e99f6e3356c1a1dc7c55922e3ede76cc7aa7a9f16c5ae72c82145722d15a0a53dc7600c6a0c62537220b09a4633458ad353d80d77ec2bd5e898541383b33f5

                Download Submit

              • \Users\Admin\AppData\Roaming\Windows Update.exe
                Filesize

                524KB

                MD5

                7efa1b4a25f12c86a801af2fbc61011e

                SHA1

                9e9c9a463a461045520792024dfcf27909587777

                SHA256

                cd32ecd3b674d4ea728ab1526f9f39886bdba30e5ebf2f7d1cb9f3a8395fd97a

                SHA512

                86e99f6e3356c1a1dc7c55922e3ede76cc7aa7a9f16c5ae72c82145722d15a0a53dc7600c6a0c62537220b09a4633458ad353d80d77ec2bd5e898541383b33f5

                Download Submit

              • memory/572-130-0x0000000000000000-mapping.dmp

                Download

              • memory/576-67-0x0000000000400000-0x0000000000488000-memory.dmp

                Filesize

                544KB

                Download

              • memory/576-74-0x0000000000400000-0x0000000000488000-memory.dmp

                Filesize

                544KB

                Download

              • memory/576-76-0x0000000074B60000-0x000000007510B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/576-69-0x0000000000480BBE-mapping.dmp

                Download

              • memory/576-72-0x0000000000400000-0x0000000000488000-memory.dmp

                Filesize

                544KB

                Download

              • memory/576-65-0x0000000000400000-0x0000000000488000-memory.dmp

                Filesize

                544KB

                Download

              • memory/576-82-0x0000000074B60000-0x000000007510B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/576-62-0x0000000000400000-0x0000000000488000-memory.dmp

                Filesize

                544KB

                Download

              • memory/576-60-0x0000000000400000-0x0000000000488000-memory.dmp

                Filesize

                544KB

                Download

              • memory/576-58-0x0000000000400000-0x0000000000488000-memory.dmp

                Filesize

                544KB

                Download

              • memory/736-71-0x0000000074BD0000-0x000000007517B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/736-55-0x0000000000000000-mapping.dmp

                Download

              • memory/736-59-0x0000000074BD0000-0x000000007517B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/864-78-0x0000000000000000-mapping.dmp

                Download

              • memory/864-88-0x0000000074BC0000-0x000000007516B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/1488-100-0x0000000000480BBE-mapping.dmp

                Download

              • memory/1488-126-0x0000000000650000-0x00000000006D6000-memory.dmp

                Filesize

                536KB

                Download

              • memory/1488-117-0x0000000000650000-0x00000000006D6000-memory.dmp

                Filesize

                536KB

                Download

              • memory/1488-109-0x00000000747E0000-0x0000000074D8B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/1488-110-0x00000000747E0000-0x0000000074D8B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/1616-86-0x0000000000000000-mapping.dmp

                Download

              • memory/1616-104-0x0000000074B40000-0x00000000750EB000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/1700-57-0x0000000074BD0000-0x000000007517B000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/1700-54-0x0000000076651000-0x0000000076653000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1912-129-0x0000000000400000-0x0000000000458000-memory.dmp

                Filesize

                352KB

                Download

              • memory/1912-119-0x0000000000400000-0x0000000000458000-memory.dmp

                Filesize

                352KB

                Download

              • memory/1912-120-0x0000000000442628-mapping.dmp

                Download

              • memory/1912-123-0x0000000000400000-0x0000000000458000-memory.dmp

                Filesize

                352KB

                Download

              • memory/1912-125-0x0000000000400000-0x0000000000458000-memory.dmp

                Filesize

                352KB

                Download

              • memory/1996-112-0x0000000000411654-mapping.dmp

                Download

              • memory/1996-127-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

                Download

              • memory/1996-111-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

                Download

              • memory/1996-118-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

                Download

              • memory/1996-115-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

                Download