Overview

overview

10

Static

static

7afc0c65eb...dd.exe

windows7-x64

10

7afc0c65eb...dd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    175s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 04:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe

  • Size

    423KB

  • MD5

    1fd12be39eaf609a4fc0c70121b32f92

  • SHA1

    fe9f48bc1117329e2792d555260d1231dafb7f01

  • SHA256

    7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd

  • SHA512

    2bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d

  • SSDEEP

    12288:esA+w6vdwRZQ8s85vrY4TTO1EYiGgVZ9fN0G:MYSvBTK1EF8

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    dzwbhatvaehtwxku

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 12 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 12 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 17 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe
    "C:\Users\Admin\AppData\Local\Temp\7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Users\Admin\AppData\Local\Temp\7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe
      "C:\Users\Admin\AppData\Local\Temp\7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Users\Admin\AppData\Roaming\Windows Update.exe
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Users\Admin\AppData\Roaming\Windows Update.exe
          "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
          4⤵
          • Executes dropped EXE
          • Deletes itself
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:820
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            5⤵
            • Accesses Microsoft Outlook accounts
            PID:944
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            5⤵
              PID:2028

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
      Filesize

      102B

      MD5

      b2b5468b146afa334d28242960998109

      SHA1

      ddcd732f6b80ff013f8742857a3a07f8deb086ca

      SHA256

      0056ae900ece5326673320ecd173a2a04b732ef0f7b7c36b65c3dcb86436f520

      SHA512

      19c1accae5837678dfb2377b0f5d3ddd7a5ef6710666dea549fed0de7d1c65c05ac6d0efb487c0479cebaca369456f12461300f1b8dda39dfad79191e3ba178b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Filesize

      423KB

      MD5

      1fd12be39eaf609a4fc0c70121b32f92

      SHA1

      fe9f48bc1117329e2792d555260d1231dafb7f01

      SHA256

      7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd

      SHA512

      2bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Filesize

      423KB

      MD5

      1fd12be39eaf609a4fc0c70121b32f92

      SHA1

      fe9f48bc1117329e2792d555260d1231dafb7f01

      SHA256

      7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd

      SHA512

      2bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Filesize

      423KB

      MD5

      1fd12be39eaf609a4fc0c70121b32f92

      SHA1

      fe9f48bc1117329e2792d555260d1231dafb7f01

      SHA256

      7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd

      SHA512

      2bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d

      Download Submit
    • \Users\Admin\AppData\Roaming\Windows Update.exe
      Filesize

      423KB

      MD5

      1fd12be39eaf609a4fc0c70121b32f92

      SHA1

      fe9f48bc1117329e2792d555260d1231dafb7f01

      SHA256

      7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd

      SHA512

      2bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d

      Download Submit
    • \Users\Admin\AppData\Roaming\Windows Update.exe
      Filesize

      423KB

      MD5

      1fd12be39eaf609a4fc0c70121b32f92

      SHA1

      fe9f48bc1117329e2792d555260d1231dafb7f01

      SHA256

      7afc0c65ebc21fc1419490508c8179ad5c4649635c4cc65fa52ca10697cbe4dd

      SHA512

      2bc229d010fb42cf1a025f55f4b3bfdc452b0725b361fcd96d716475b817cd4872d67f1b0004066fa183896a29e48261fcc25a7d73188f8353392707b9fb700d

      Download Submit
    • memory/820-112-0x0000000000DE5000-0x0000000000DF6000-memory.dmp
      Filesize

      68KB

      Download
    • memory/820-101-0x0000000000DE5000-0x0000000000DF6000-memory.dmp
      Filesize

      68KB

      Download
    • memory/820-85-0x000000000047EAEE-mapping.dmp
      Download
    • memory/820-95-0x00000000746D0000-0x0000000074C7B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/820-93-0x00000000746D0000-0x0000000074C7B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/944-102-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/944-97-0x0000000000411654-mapping.dmp
      Download
    • memory/944-96-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/944-100-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/944-103-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1492-77-0x0000000074740000-0x0000000074CEB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1492-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1492-88-0x0000000074740000-0x0000000074CEB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1552-54-0x0000000075781000-0x0000000075783000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1552-55-0x0000000074740000-0x0000000074CEB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1552-56-0x0000000074740000-0x0000000074CEB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1552-69-0x0000000074740000-0x0000000074CEB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1676-61-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1676-57-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1676-63-0x000000000047EAEE-mapping.dmp
      Download
    • memory/1676-62-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1676-67-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1676-60-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1676-58-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1676-65-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1676-76-0x0000000074740000-0x0000000074CEB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1676-70-0x0000000074740000-0x0000000074CEB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2028-108-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/2028-109-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/2028-111-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/2028-105-0x0000000000442628-mapping.dmp
      Download
    • memory/2028-104-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download