hawkeye | 8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db

General

Target

8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
Size

618KB
MD5

0d59c5c5ab73017146054c4a6e8baa68
SHA1

1b53f22c5c446733a30dbfb3b3006d27445d3b84
SHA256

8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db
SHA512

b6f2ecb61d84cf7229eb4d9aa8e26d358a59c922cccce1e868b16bcea5ae5843301f2fb7c85f8e2ed04d477d01dab37b7088bcaa936ee3413106480490ac615f
SSDEEP

12288:ZLPZ3iFntfXoM5kfS067F1uLRKLXkoRHeU9f+iywXWtLhDCDZAAwp:b3yntzCfUpcLRk06eqBa9CDZAAwp

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 12 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/568-61-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/568-63-0x000000000047EA8E-mapping.dmp	MailPassView
behavioral1/memory/568-62-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/568-65-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/568-60-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/568-67-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1532-77-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1532-76-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1532-80-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1532-81-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1532-98-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1956-107-0x000000000047EA8E-mapping.dmp	MailPassView

NirSoft WebBrowserPassView 12 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/568-61-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/568-63-0x000000000047EA8E-mapping.dmp	WebBrowserPassView
behavioral1/memory/568-62-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/568-65-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/568-60-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/568-67-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1824-89-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1824-90-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/1824-94-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1824-95-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1824-96-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1956-107-0x000000000047EA8E-mapping.dmp	WebBrowserPassView

Nirsoft 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/568-61-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/568-63-0x000000000047EA8E-mapping.dmp	Nirsoft
behavioral1/memory/568-62-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/568-65-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/568-60-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/568-67-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1532-77-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1532-76-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1532-80-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1532-81-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1824-89-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1824-90-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/1824-94-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1824-95-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1824-96-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1532-98-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1956-107-0x000000000047EA8E-mapping.dmp	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

WUDHost.exeAcctres.exeAcctres.exe

pid process

1932 WUDHost.exe
1168 Acctres.exe
1956 Acctres.exe
Loads dropped DLL 2 IoCs

Processes:

8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exeWUDHost.exe

pid process

1192 8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1932 WUDHost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1932	WUDHost.exe
1168	Acctres.exe
1956	Acctres.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exeWUDHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exeAcctres.exe

description	pid	process	target process
PID 1192 set thread context of 568	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
PID 568 set thread context of 1532	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 set thread context of 1824	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 1168 set thread context of 1956	1168	Acctres.exe	Acctres.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exeWUDHost.exe

pid	process
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1932	WUDHost.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1932	WUDHost.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1932	WUDHost.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1932	WUDHost.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1932	WUDHost.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1932	WUDHost.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1932	WUDHost.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1932	WUDHost.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1932	WUDHost.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
1932	WUDHost.exe
1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exeWUDHost.exeAcctres.exe

description	pid	process
Token: SeDebugPrivilege	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
Token: SeDebugPrivilege	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
Token: SeDebugPrivilege	1932	WUDHost.exe
Token: SeDebugPrivilege	1168	Acctres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe

pid process

568 8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe

pid	process
568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exeWUDHost.exeAcctres.exe

description	pid	process	target process
PID 1192 wrote to memory of 568	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
PID 1192 wrote to memory of 568	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
PID 1192 wrote to memory of 568	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
PID 1192 wrote to memory of 568	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
PID 1192 wrote to memory of 568	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
PID 1192 wrote to memory of 568	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
PID 1192 wrote to memory of 568	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
PID 1192 wrote to memory of 568	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
PID 1192 wrote to memory of 568	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
PID 1192 wrote to memory of 1932	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	WUDHost.exe
PID 1192 wrote to memory of 1932	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	WUDHost.exe
PID 1192 wrote to memory of 1932	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	WUDHost.exe
PID 1192 wrote to memory of 1932	1192	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	WUDHost.exe
PID 568 wrote to memory of 1532	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1532	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1532	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1532	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1532	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1532	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1532	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1532	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1532	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1532	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 1932 wrote to memory of 1168	1932	WUDHost.exe	Acctres.exe
PID 1932 wrote to memory of 1168	1932	WUDHost.exe	Acctres.exe
PID 1932 wrote to memory of 1168	1932	WUDHost.exe	Acctres.exe
PID 1932 wrote to memory of 1168	1932	WUDHost.exe	Acctres.exe
PID 568 wrote to memory of 1824	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1824	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1824	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1824	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1824	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1824	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1824	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1824	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1824	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 568 wrote to memory of 1824	568	8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe	vbc.exe
PID 1168 wrote to memory of 1956	1168	Acctres.exe	Acctres.exe
PID 1168 wrote to memory of 1956	1168	Acctres.exe	Acctres.exe
PID 1168 wrote to memory of 1956	1168	Acctres.exe	Acctres.exe
PID 1168 wrote to memory of 1956	1168	Acctres.exe	Acctres.exe
PID 1168 wrote to memory of 1956	1168	Acctres.exe	Acctres.exe
PID 1168 wrote to memory of 1956	1168	Acctres.exe	Acctres.exe
PID 1168 wrote to memory of 1956	1168	Acctres.exe	Acctres.exe
PID 1168 wrote to memory of 1956	1168	Acctres.exe	Acctres.exe
PID 1168 wrote to memory of 1956	1168	Acctres.exe	Acctres.exe

C:\Users\Admin\AppData\Local\Temp\8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
"C:\Users\Admin\AppData\Local\Temp\8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe
"C:\Users\Admin\AppData\Local\Temp\8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:1532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:1824

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
4⤵
- Executes dropped EXE
PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
618KB

MD5
0d59c5c5ab73017146054c4a6e8baa68

SHA1
1b53f22c5c446733a30dbfb3b3006d27445d3b84

SHA256
8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db

SHA512
b6f2ecb61d84cf7229eb4d9aa8e26d358a59c922cccce1e868b16bcea5ae5843301f2fb7c85f8e2ed04d477d01dab37b7088bcaa936ee3413106480490ac615f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
618KB

MD5
0d59c5c5ab73017146054c4a6e8baa68

SHA1
1b53f22c5c446733a30dbfb3b3006d27445d3b84

SHA256
8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db

SHA512
b6f2ecb61d84cf7229eb4d9aa8e26d358a59c922cccce1e868b16bcea5ae5843301f2fb7c85f8e2ed04d477d01dab37b7088bcaa936ee3413106480490ac615f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
618KB

MD5
0d59c5c5ab73017146054c4a6e8baa68

SHA1
1b53f22c5c446733a30dbfb3b3006d27445d3b84

SHA256
8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db

SHA512
b6f2ecb61d84cf7229eb4d9aa8e26d358a59c922cccce1e868b16bcea5ae5843301f2fb7c85f8e2ed04d477d01dab37b7088bcaa936ee3413106480490ac615f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
13KB

MD5
87c7263aa4cb3444ef282661c4587035

SHA1
5e879db395d5ec83d7477c04fbb2fa63c6b0a6d9

SHA256
e84385b30e77b96b9461e34993a399cdcefbdea475a1ef3eb974d0744a42b46c

SHA512
1bbd4d4caad626282802e22a51211f0eb6afb08406eb8ac7868b0c06496d661c2c6ef67a506bf25f2a8296bbce82825fe00d67eda0b3caa40c9f30b4008f3426

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
13KB

MD5
87c7263aa4cb3444ef282661c4587035

SHA1
5e879db395d5ec83d7477c04fbb2fa63c6b0a6d9

SHA256
e84385b30e77b96b9461e34993a399cdcefbdea475a1ef3eb974d0744a42b46c

SHA512
1bbd4d4caad626282802e22a51211f0eb6afb08406eb8ac7868b0c06496d661c2c6ef67a506bf25f2a8296bbce82825fe00d67eda0b3caa40c9f30b4008f3426

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
618KB

MD5
0d59c5c5ab73017146054c4a6e8baa68

SHA1
1b53f22c5c446733a30dbfb3b3006d27445d3b84

SHA256
8af01645a0b49a14a5659ddddad8dd28e55eb33c43bb5503530c5e72515ac5db

SHA512
b6f2ecb61d84cf7229eb4d9aa8e26d358a59c922cccce1e868b16bcea5ae5843301f2fb7c85f8e2ed04d477d01dab37b7088bcaa936ee3413106480490ac615f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
13KB

MD5
87c7263aa4cb3444ef282661c4587035

SHA1
5e879db395d5ec83d7477c04fbb2fa63c6b0a6d9

SHA256
e84385b30e77b96b9461e34993a399cdcefbdea475a1ef3eb974d0744a42b46c

SHA512
1bbd4d4caad626282802e22a51211f0eb6afb08406eb8ac7868b0c06496d661c2c6ef67a506bf25f2a8296bbce82825fe00d67eda0b3caa40c9f30b4008f3426

Download Submit
memory/568-63-0x000000000047EA8E-mapping.dmp

Download
memory/568-60-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-67-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-69-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/568-62-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-82-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/568-61-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-58-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/568-57-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1168-86-0x0000000000000000-mapping.dmp

Download
memory/1168-99-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-93-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1192-104-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1192-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1192-56-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1192-55-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1532-77-0x0000000000411654-mapping.dmp

Download
memory/1532-98-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1532-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1532-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1824-94-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1824-95-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1824-96-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1824-90-0x0000000000442628-mapping.dmp

Download
memory/1824-89-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1932-83-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-75-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-71-0x0000000000000000-mapping.dmp

Download
memory/1956-107-0x000000000047EA8E-mapping.dmp

Download
memory/1956-114-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-115-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads