hawkeye | 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c

General

Target

86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
Size

606KB
MD5

720d10b1cf1f0ffea760e4614547a371
SHA1

a68f59f07bbacbd75e1951082bf2a66cc3936c9e
SHA256

86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c
SHA512

2efe8967868821c934ce4bf2c55b486ad9f2942dbb2b4509938a6d6273b1a7d7d2644bcb93cbe63298669d257871fc2a38aecf33e73ac0849c58e3d9d7029019
SSDEEP

12288:lZ72G7ahUmH2fG+nW6ITjKdXix4ZQ/gyblukHCGrFp:n729UmH2++XIa12lbQYCGBp

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 12 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1712-60-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1712-61-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1712-62-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1712-63-0x000000000047EA8E-mapping.dmp	MailPassView
behavioral1/memory/1712-65-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1712-67-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1216-77-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1216-78-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1216-81-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1216-82-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1216-90-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1568-106-0x000000000047EA8E-mapping.dmp	MailPassView

NirSoft WebBrowserPassView 12 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1712-60-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1712-61-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1712-62-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1712-63-0x000000000047EA8E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1712-65-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1712-67-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1784-92-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/1784-91-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1784-95-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1784-96-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1784-98-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1568-106-0x000000000047EA8E-mapping.dmp	WebBrowserPassView

Nirsoft 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1712-60-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1712-61-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1712-62-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1712-63-0x000000000047EA8E-mapping.dmp	Nirsoft
behavioral1/memory/1712-65-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1712-67-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1216-77-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1216-78-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1216-81-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1216-82-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1216-90-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1784-92-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/1784-91-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1784-95-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1784-96-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1784-98-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1568-106-0x000000000047EA8E-mapping.dmp	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

WUDHost.exeAcctres.exeAcctres.exe

pid process

940 WUDHost.exe
1676 Acctres.exe
1568 Acctres.exe
Loads dropped DLL 2 IoCs

Processes:

86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exeWUDHost.exe

pid process

1956 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940 WUDHost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
940	WUDHost.exe
1676	Acctres.exe
1568	Acctres.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exeWUDHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 whatismyipaddress.com
4 whatismyipaddress.com
6 whatismyipaddress.com

flow	ioc
7	whatismyipaddress.com
4	whatismyipaddress.com
6	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exeAcctres.exe

description	pid	process	target process
PID 1956 set thread context of 1712	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
PID 1712 set thread context of 1216	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 set thread context of 1784	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1676 set thread context of 1568	1676	Acctres.exe	Acctres.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exeWUDHost.exe

pid	process
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
940	WUDHost.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exeWUDHost.exeAcctres.exe

description	pid	process
Token: SeDebugPrivilege	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
Token: SeDebugPrivilege	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
Token: SeDebugPrivilege	940	WUDHost.exe
Token: SeDebugPrivilege	1676	Acctres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe

pid process

1712 86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe

pid	process
1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exeWUDHost.exeAcctres.exe

description	pid	process	target process
PID 1956 wrote to memory of 1712	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
PID 1956 wrote to memory of 1712	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
PID 1956 wrote to memory of 1712	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
PID 1956 wrote to memory of 1712	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
PID 1956 wrote to memory of 1712	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
PID 1956 wrote to memory of 1712	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
PID 1956 wrote to memory of 1712	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
PID 1956 wrote to memory of 1712	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
PID 1956 wrote to memory of 1712	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
PID 1956 wrote to memory of 940	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	WUDHost.exe
PID 1956 wrote to memory of 940	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	WUDHost.exe
PID 1956 wrote to memory of 940	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	WUDHost.exe
PID 1956 wrote to memory of 940	1956	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	WUDHost.exe
PID 1712 wrote to memory of 1216	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1216	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1216	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1216	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1216	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1216	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1216	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1216	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1216	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1216	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 940 wrote to memory of 1676	940	WUDHost.exe	Acctres.exe
PID 940 wrote to memory of 1676	940	WUDHost.exe	Acctres.exe
PID 940 wrote to memory of 1676	940	WUDHost.exe	Acctres.exe
PID 940 wrote to memory of 1676	940	WUDHost.exe	Acctres.exe
PID 1712 wrote to memory of 1784	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1784	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1784	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1784	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1784	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1784	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1784	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1784	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1784	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1712 wrote to memory of 1784	1712	86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe	vbc.exe
PID 1676 wrote to memory of 1568	1676	Acctres.exe	Acctres.exe
PID 1676 wrote to memory of 1568	1676	Acctres.exe	Acctres.exe
PID 1676 wrote to memory of 1568	1676	Acctres.exe	Acctres.exe
PID 1676 wrote to memory of 1568	1676	Acctres.exe	Acctres.exe
PID 1676 wrote to memory of 1568	1676	Acctres.exe	Acctres.exe
PID 1676 wrote to memory of 1568	1676	Acctres.exe	Acctres.exe
PID 1676 wrote to memory of 1568	1676	Acctres.exe	Acctres.exe
PID 1676 wrote to memory of 1568	1676	Acctres.exe	Acctres.exe
PID 1676 wrote to memory of 1568	1676	Acctres.exe	Acctres.exe

C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
"C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
"C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:1216

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:1784

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
4⤵
- Executes dropped EXE
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
606KB

MD5
720d10b1cf1f0ffea760e4614547a371

SHA1
a68f59f07bbacbd75e1951082bf2a66cc3936c9e

SHA256
86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c

SHA512
2efe8967868821c934ce4bf2c55b486ad9f2942dbb2b4509938a6d6273b1a7d7d2644bcb93cbe63298669d257871fc2a38aecf33e73ac0849c58e3d9d7029019

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
606KB

MD5
720d10b1cf1f0ffea760e4614547a371

SHA1
a68f59f07bbacbd75e1951082bf2a66cc3936c9e

SHA256
86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c

SHA512
2efe8967868821c934ce4bf2c55b486ad9f2942dbb2b4509938a6d6273b1a7d7d2644bcb93cbe63298669d257871fc2a38aecf33e73ac0849c58e3d9d7029019

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
606KB

MD5
720d10b1cf1f0ffea760e4614547a371

SHA1
a68f59f07bbacbd75e1951082bf2a66cc3936c9e

SHA256
86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c

SHA512
2efe8967868821c934ce4bf2c55b486ad9f2942dbb2b4509938a6d6273b1a7d7d2644bcb93cbe63298669d257871fc2a38aecf33e73ac0849c58e3d9d7029019

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
6KB

MD5
81cd48fa8f0a70fe3872780af4f96055

SHA1
fe725ffab8ad3be4df9b6205894a665f67668af5

SHA256
66dcd6ab5721af5efce98e4d04dc46059f59480481b60f675cbe05fc0758b991

SHA512
ad22d4a56f9d86ca4d80b9fd51151fbf8b71b2f96a5a95999a582ab9cf5626e8e2b4cc71a0ff27cf581d7091f842222ac9538eced4847572d28948446e66d1e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
6KB

MD5
81cd48fa8f0a70fe3872780af4f96055

SHA1
fe725ffab8ad3be4df9b6205894a665f67668af5

SHA256
66dcd6ab5721af5efce98e4d04dc46059f59480481b60f675cbe05fc0758b991

SHA512
ad22d4a56f9d86ca4d80b9fd51151fbf8b71b2f96a5a95999a582ab9cf5626e8e2b4cc71a0ff27cf581d7091f842222ac9538eced4847572d28948446e66d1e7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
606KB

MD5
720d10b1cf1f0ffea760e4614547a371

SHA1
a68f59f07bbacbd75e1951082bf2a66cc3936c9e

SHA256
86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c

SHA512
2efe8967868821c934ce4bf2c55b486ad9f2942dbb2b4509938a6d6273b1a7d7d2644bcb93cbe63298669d257871fc2a38aecf33e73ac0849c58e3d9d7029019

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
6KB

MD5
81cd48fa8f0a70fe3872780af4f96055

SHA1
fe725ffab8ad3be4df9b6205894a665f67668af5

SHA256
66dcd6ab5721af5efce98e4d04dc46059f59480481b60f675cbe05fc0758b991

SHA512
ad22d4a56f9d86ca4d80b9fd51151fbf8b71b2f96a5a95999a582ab9cf5626e8e2b4cc71a0ff27cf581d7091f842222ac9538eced4847572d28948446e66d1e7

Download Submit
memory/940-75-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/940-83-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/940-71-0x0000000000000000-mapping.dmp

Download
memory/1216-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1216-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1216-78-0x0000000000411654-mapping.dmp

Download
memory/1216-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1216-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1568-113-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-106-0x000000000047EA8E-mapping.dmp

Download
memory/1568-114-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1676-86-0x0000000000000000-mapping.dmp

Download
memory/1676-89-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1676-99-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-67-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1712-60-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1712-69-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-57-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1712-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1712-63-0x000000000047EA8E-mapping.dmp

Download
memory/1712-62-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1712-58-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1712-76-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-61-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1784-96-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1784-95-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1784-98-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1784-91-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1784-92-0x0000000000442628-mapping.dmp

Download
memory/1956-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1956-56-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-55-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads