hawkeye | 0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c

Analysis

max time kernel
169s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
Size

503KB
MD5

71d29fb4a68ef4553d6452388c6e158a
SHA1

6e23f93e2289211995ff2e028eb7487e8e8738a7
SHA256

0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c
SHA512

b2ad738d1a1537a70142896bc3b8253df83341c9fc16d14e340aa6e45f74fe5567a36babea684c1be2183e3af7b906d02d70bc9fc3d98e33d3dcb39c7d25052f
SSDEEP

12288:luqP9L79Hef1kBVvRhQePRPN9qmNuetx:lu0lefEVbHPRPqE/tx

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.ru
Port:
587
Username:
[email protected]
Password:
bruda00

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft WebBrowserPassView 12 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1784-60-0x0000000000400000-0x000000000046C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1784-61-0x0000000000400000-0x000000000046C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1784-62-0x0000000000400000-0x000000000046C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1784-63-0x00000000004669BE-mapping.dmp	WebBrowserPassView
behavioral1/memory/1784-65-0x0000000000400000-0x000000000046C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1784-67-0x0000000000400000-0x000000000046C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1560-80-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1560-82-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/1560-87-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1560-89-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1560-91-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1640-101-0x00000000004669BE-mapping.dmp	WebBrowserPassView

Nirsoft 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1784-60-0x0000000000400000-0x000000000046C000-memory.dmp	Nirsoft
behavioral1/memory/1784-61-0x0000000000400000-0x000000000046C000-memory.dmp	Nirsoft
behavioral1/memory/1784-62-0x0000000000400000-0x000000000046C000-memory.dmp	Nirsoft
behavioral1/memory/1784-63-0x00000000004669BE-mapping.dmp	Nirsoft
behavioral1/memory/1784-65-0x0000000000400000-0x000000000046C000-memory.dmp	Nirsoft
behavioral1/memory/1784-67-0x0000000000400000-0x000000000046C000-memory.dmp	Nirsoft
behavioral1/memory/1560-80-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1560-82-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/1560-87-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1560-89-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1560-91-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1640-101-0x00000000004669BE-mapping.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

IpOverUsbSvrc.exeatiesrx.exeatiesrx.exeIpOverUsbSvrc.exe

pid process

1936 IpOverUsbSvrc.exe
1980 atiesrx.exe
1640 atiesrx.exe
1212 IpOverUsbSvrc.exe
Loads dropped DLL 3 IoCs

Processes:

0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exeIpOverUsbSvrc.exeatiesrx.exe

pid process

1076 0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1936 IpOverUsbSvrc.exe
1980 atiesrx.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1936	IpOverUsbSvrc.exe
1980	atiesrx.exe
1640	atiesrx.exe
1212	IpOverUsbSvrc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exeIpOverUsbSvrc.exeIpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exeatiesrx.exe

description	pid	process	target process
PID 1076 set thread context of 1784	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
PID 1784 set thread context of 1560	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	vbc.exe
PID 1980 set thread context of 1640	1980	atiesrx.exe	atiesrx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exeIpOverUsbSvrc.exe

pid	process
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1936	IpOverUsbSvrc.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1936	IpOverUsbSvrc.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
1936	IpOverUsbSvrc.exe
1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exeIpOverUsbSvrc.exeatiesrx.exeIpOverUsbSvrc.exe

description	pid	process
Token: SeDebugPrivilege	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
Token: SeDebugPrivilege	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
Token: SeDebugPrivilege	1936	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	1980	atiesrx.exe
Token: SeDebugPrivilege	1212	IpOverUsbSvrc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe

pid process

1784 0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe

pid	process
1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exeIpOverUsbSvrc.exeatiesrx.exe

description	pid	process	target process
PID 1076 wrote to memory of 1784	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
PID 1076 wrote to memory of 1784	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
PID 1076 wrote to memory of 1784	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
PID 1076 wrote to memory of 1784	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
PID 1076 wrote to memory of 1784	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
PID 1076 wrote to memory of 1784	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
PID 1076 wrote to memory of 1784	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
PID 1076 wrote to memory of 1784	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
PID 1076 wrote to memory of 1784	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
PID 1076 wrote to memory of 1936	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	IpOverUsbSvrc.exe
PID 1076 wrote to memory of 1936	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	IpOverUsbSvrc.exe
PID 1076 wrote to memory of 1936	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	IpOverUsbSvrc.exe
PID 1076 wrote to memory of 1936	1076	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	IpOverUsbSvrc.exe
PID 1784 wrote to memory of 1560	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	vbc.exe
PID 1784 wrote to memory of 1560	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	vbc.exe
PID 1784 wrote to memory of 1560	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	vbc.exe
PID 1784 wrote to memory of 1560	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	vbc.exe
PID 1784 wrote to memory of 1560	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	vbc.exe
PID 1784 wrote to memory of 1560	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	vbc.exe
PID 1784 wrote to memory of 1560	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	vbc.exe
PID 1784 wrote to memory of 1560	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	vbc.exe
PID 1784 wrote to memory of 1560	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	vbc.exe
PID 1784 wrote to memory of 1560	1784	0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe	vbc.exe
PID 1936 wrote to memory of 1980	1936	IpOverUsbSvrc.exe	atiesrx.exe
PID 1936 wrote to memory of 1980	1936	IpOverUsbSvrc.exe	atiesrx.exe
PID 1936 wrote to memory of 1980	1936	IpOverUsbSvrc.exe	atiesrx.exe
PID 1936 wrote to memory of 1980	1936	IpOverUsbSvrc.exe	atiesrx.exe
PID 1980 wrote to memory of 1640	1980	atiesrx.exe	atiesrx.exe
PID 1980 wrote to memory of 1640	1980	atiesrx.exe	atiesrx.exe
PID 1980 wrote to memory of 1640	1980	atiesrx.exe	atiesrx.exe
PID 1980 wrote to memory of 1640	1980	atiesrx.exe	atiesrx.exe
PID 1980 wrote to memory of 1640	1980	atiesrx.exe	atiesrx.exe
PID 1980 wrote to memory of 1640	1980	atiesrx.exe	atiesrx.exe
PID 1980 wrote to memory of 1640	1980	atiesrx.exe	atiesrx.exe
PID 1980 wrote to memory of 1640	1980	atiesrx.exe	atiesrx.exe
PID 1980 wrote to memory of 1640	1980	atiesrx.exe	atiesrx.exe
PID 1980 wrote to memory of 1212	1980	atiesrx.exe	IpOverUsbSvrc.exe
PID 1980 wrote to memory of 1212	1980	atiesrx.exe	IpOverUsbSvrc.exe
PID 1980 wrote to memory of 1212	1980	atiesrx.exe	IpOverUsbSvrc.exe
PID 1980 wrote to memory of 1212	1980	atiesrx.exe	IpOverUsbSvrc.exe

C:\Users\Admin\AppData\Local\Temp\0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
"C:\Users\Admin\AppData\Local\Temp\0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
"C:\Users\Admin\AppData\Local\Temp\0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:1560

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe"
4⤵
- Executes dropped EXE
PID:1640

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
12KB

MD5
179a91e54fb0091a20e15ba65027f99e

SHA1
169194c4f9930bc55c59a6335a765f010b6100f2

SHA256
fc091f2efb617d1cc4d8702ab14f33cd17015c2fc9786a7a886e2d34e8ac5468

SHA512
987e9762d9a9f2a0a0744e3af8a6879f0562ab2a8d54283a83356049f4c7d6b47edcd1cd9dc0749201a195c63dff7e408b54fa05ee733b56633e90eff4530956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
12KB

MD5
179a91e54fb0091a20e15ba65027f99e

SHA1
169194c4f9930bc55c59a6335a765f010b6100f2

SHA256
fc091f2efb617d1cc4d8702ab14f33cd17015c2fc9786a7a886e2d34e8ac5468

SHA512
987e9762d9a9f2a0a0744e3af8a6879f0562ab2a8d54283a83356049f4c7d6b47edcd1cd9dc0749201a195c63dff7e408b54fa05ee733b56633e90eff4530956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
12KB

MD5
179a91e54fb0091a20e15ba65027f99e

SHA1
169194c4f9930bc55c59a6335a765f010b6100f2

SHA256
fc091f2efb617d1cc4d8702ab14f33cd17015c2fc9786a7a886e2d34e8ac5468

SHA512
987e9762d9a9f2a0a0744e3af8a6879f0562ab2a8d54283a83356049f4c7d6b47edcd1cd9dc0749201a195c63dff7e408b54fa05ee733b56633e90eff4530956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
12KB

MD5
179a91e54fb0091a20e15ba65027f99e

SHA1
169194c4f9930bc55c59a6335a765f010b6100f2

SHA256
fc091f2efb617d1cc4d8702ab14f33cd17015c2fc9786a7a886e2d34e8ac5468

SHA512
987e9762d9a9f2a0a0744e3af8a6879f0562ab2a8d54283a83356049f4c7d6b47edcd1cd9dc0749201a195c63dff7e408b54fa05ee733b56633e90eff4530956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
Filesize
503KB

MD5
71d29fb4a68ef4553d6452388c6e158a

SHA1
6e23f93e2289211995ff2e028eb7487e8e8738a7

SHA256
0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c

SHA512
b2ad738d1a1537a70142896bc3b8253df83341c9fc16d14e340aa6e45f74fe5567a36babea684c1be2183e3af7b906d02d70bc9fc3d98e33d3dcb39c7d25052f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
Filesize
503KB

MD5
71d29fb4a68ef4553d6452388c6e158a

SHA1
6e23f93e2289211995ff2e028eb7487e8e8738a7

SHA256
0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c

SHA512
b2ad738d1a1537a70142896bc3b8253df83341c9fc16d14e340aa6e45f74fe5567a36babea684c1be2183e3af7b906d02d70bc9fc3d98e33d3dcb39c7d25052f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
Filesize
503KB

MD5
71d29fb4a68ef4553d6452388c6e158a

SHA1
6e23f93e2289211995ff2e028eb7487e8e8738a7

SHA256
0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c

SHA512
b2ad738d1a1537a70142896bc3b8253df83341c9fc16d14e340aa6e45f74fe5567a36babea684c1be2183e3af7b906d02d70bc9fc3d98e33d3dcb39c7d25052f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
12KB

MD5
179a91e54fb0091a20e15ba65027f99e

SHA1
169194c4f9930bc55c59a6335a765f010b6100f2

SHA256
fc091f2efb617d1cc4d8702ab14f33cd17015c2fc9786a7a886e2d34e8ac5468

SHA512
987e9762d9a9f2a0a0744e3af8a6879f0562ab2a8d54283a83356049f4c7d6b47edcd1cd9dc0749201a195c63dff7e408b54fa05ee733b56633e90eff4530956

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
12KB

MD5
179a91e54fb0091a20e15ba65027f99e

SHA1
169194c4f9930bc55c59a6335a765f010b6100f2

SHA256
fc091f2efb617d1cc4d8702ab14f33cd17015c2fc9786a7a886e2d34e8ac5468

SHA512
987e9762d9a9f2a0a0744e3af8a6879f0562ab2a8d54283a83356049f4c7d6b47edcd1cd9dc0749201a195c63dff7e408b54fa05ee733b56633e90eff4530956

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
Filesize
503KB

MD5
71d29fb4a68ef4553d6452388c6e158a

SHA1
6e23f93e2289211995ff2e028eb7487e8e8738a7

SHA256
0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c

SHA512
b2ad738d1a1537a70142896bc3b8253df83341c9fc16d14e340aa6e45f74fe5567a36babea684c1be2183e3af7b906d02d70bc9fc3d98e33d3dcb39c7d25052f

Download Submit
memory/1076-93-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1076-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1076-56-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1076-55-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1212-114-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1212-115-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1212-109-0x0000000000000000-mapping.dmp

Download
memory/1560-91-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1560-87-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1560-80-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1560-82-0x0000000000442628-mapping.dmp

Download
memory/1560-89-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1640-101-0x00000000004669BE-mapping.dmp

Download
memory/1640-113-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-67-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1784-65-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1784-57-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1784-58-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1784-76-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-60-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1784-61-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1784-62-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1784-74-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-63-0x00000000004669BE-mapping.dmp

Download
memory/1936-70-0x0000000000000000-mapping.dmp

Download
memory/1936-94-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-75-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-77-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-88-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-92-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-81-0x0000000000000000-mapping.dmp

Download