Overview

overview

10

Static

static

a777dc76f8...d1.exe

windows7-x64

10

a777dc76f8...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe

  • Size

    640KB

  • MD5

    6615e3fdf098a182b254fd943a62a474

  • SHA1

    790213ad034281437f7887f17a2ae97b73f8131f

  • SHA256

    a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1

  • SHA512

    3701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e

  • SSDEEP

    12288:rFY0DADILZoNEFKED5oJx/Ij9FD/aWWhsaExq:rF/AyZgEcEKK9FD/anil

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    general123

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
    "C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
        3⤵
        • Adds Run key to start application
        PID:1716
    • C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
      "C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe"
      2⤵
        PID:828
      • C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe
        "C:\Users\Admin\AppData\Local\Temp\a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Users\Admin\AppData\Roaming\Windows Update.exe
          "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3716
          • C:\Users\Admin\AppData\Roaming\Windows Update.exe
            "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:204
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
              5⤵
              • Accesses Microsoft Outlook accounts
              PID:4808

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
      Filesize

      102B

      MD5

      c75d6d0d293ffb4995427e9aa537b095

      SHA1

      0fe0b1763179846ae78f0ceb8108a8a3ceb74698

      SHA256

      21ce126b4cf434ba1bf468087a69ce18945fb98ab91a0803e000cef191fb652c

      SHA512

      ec50a0cfeb2d09b242032fdaf44e3052f0ed04920587d387e6d27c1325cf00ba5abc9cb4d3770eaf56b3602a8bb8cb07edeeec76c9c933a45bae6476daee2af2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Filesize

      640KB

      MD5

      6615e3fdf098a182b254fd943a62a474

      SHA1

      790213ad034281437f7887f17a2ae97b73f8131f

      SHA256

      a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1

      SHA512

      3701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Filesize

      640KB

      MD5

      6615e3fdf098a182b254fd943a62a474

      SHA1

      790213ad034281437f7887f17a2ae97b73f8131f

      SHA256

      a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1

      SHA512

      3701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Filesize

      640KB

      MD5

      6615e3fdf098a182b254fd943a62a474

      SHA1

      790213ad034281437f7887f17a2ae97b73f8131f

      SHA256

      a777dc76f8de9d1447220b5c10fcb043d1cf2294d9baefc769fa40642d68a8d1

      SHA512

      3701811297f2e4d35ebf59fbbbe91b9d2cde597d7a8abf35651835557664cdd28fcd180d09a063f891f14cea6c26f0f8dc81e86f30fb509916b2c0474a07727e

      Download Submit
    • memory/204-146-0x0000000000000000-mapping.dmp
      Download
    • memory/204-152-0x0000000075210000-0x00000000757C1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/204-150-0x0000000075210000-0x00000000757C1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/828-136-0x0000000000000000-mapping.dmp
      Download
    • memory/1084-135-0x0000000075210000-0x00000000757C1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1084-139-0x0000000075210000-0x00000000757C1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1084-132-0x0000000075210000-0x00000000757C1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1716-134-0x0000000000000000-mapping.dmp
      Download
    • memory/2652-133-0x0000000000000000-mapping.dmp
      Download
    • memory/2860-138-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/2860-144-0x0000000075210000-0x00000000757C1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2860-140-0x0000000075210000-0x00000000757C1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2860-137-0x0000000000000000-mapping.dmp
      Download
    • memory/3716-145-0x0000000075210000-0x00000000757C1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3716-149-0x0000000075210000-0x00000000757C1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3716-141-0x0000000000000000-mapping.dmp
      Download
    • memory/4808-153-0x0000000000000000-mapping.dmp
      Download
    • memory/4808-154-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/4808-156-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/4808-157-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download