Analysis
-
max time kernel
148s -
max time network
181s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
24-11-2022 13:27
General
-
Target
0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
-
Size
561KB
-
MD5
e2edbdf4559a85cd198c10814871a6bc
-
SHA1
6fdc576b9a9bedf6c7ce20e827ca1a93f1267d55
-
SHA256
0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda
-
SHA512
a99ddb12fa68d785a5e3b176fd74b0ebb3db6f9a7a6635e26a344315724a277474e79cd84a913b2e29f3b7fe6db4323b1a0c5de5cafe43850469ba4d3d1b81ea
-
SSDEEP
12288:DHkGcrDdXoIu8YVlGxYl/5ozNfCOQgeYSSZiCJBp:7RciIu8YVlSe/5ozNmYSqi+p
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
sasuke2014
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
-
Nirsoft 10 IoCs
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe"C:\Users\Admin\AppData\Local\Temp\0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
102B
MD52604d7ffddc312ead7c9c41be977afe8
SHA1c7c7658bd8d4da6a3737d5bfaa4607d22ec44e53
SHA25632d557da5c5805f32d343689da4fdadadc887c6a95e1a099883ce9694d501c49
SHA5122812c90efb8305df394b8771fb95bec938893726192aa25272dc5afb6ec2d2ab2c5eb087da26130c2740db9f6890469392f1f55639a2624179b0c97e01981c1b
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
561KB
MD5e2edbdf4559a85cd198c10814871a6bc
SHA16fdc576b9a9bedf6c7ce20e827ca1a93f1267d55
SHA2560e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda
SHA512a99ddb12fa68d785a5e3b176fd74b0ebb3db6f9a7a6635e26a344315724a277474e79cd84a913b2e29f3b7fe6db4323b1a0c5de5cafe43850469ba4d3d1b81ea
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
561KB
MD5e2edbdf4559a85cd198c10814871a6bc
SHA16fdc576b9a9bedf6c7ce20e827ca1a93f1267d55
SHA2560e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda
SHA512a99ddb12fa68d785a5e3b176fd74b0ebb3db6f9a7a6635e26a344315724a277474e79cd84a913b2e29f3b7fe6db4323b1a0c5de5cafe43850469ba4d3d1b81ea
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
561KB
MD5e2edbdf4559a85cd198c10814871a6bc
SHA16fdc576b9a9bedf6c7ce20e827ca1a93f1267d55
SHA2560e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda
SHA512a99ddb12fa68d785a5e3b176fd74b0ebb3db6f9a7a6635e26a344315724a277474e79cd84a913b2e29f3b7fe6db4323b1a0c5de5cafe43850469ba4d3d1b81ea
-
memory/1068-58-0x0000000000000000-mapping.dmp
-
memory/1068-63-0x0000000074AF0000-0x000000007509B000-memory.dmpFilesize
5.7MB
-
memory/1068-64-0x0000000074AF0000-0x000000007509B000-memory.dmpFilesize
5.7MB
-
memory/1676-80-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1676-78-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1676-77-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1676-74-0x0000000000442628-mapping.dmp
-
memory/1676-73-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2012-72-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2012-71-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2012-70-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2012-67-0x0000000000411654-mapping.dmp
-
memory/2012-66-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2028-56-0x0000000074AF0000-0x000000007509B000-memory.dmpFilesize
5.7MB
-
memory/2028-62-0x0000000074AF0000-0x000000007509B000-memory.dmpFilesize
5.7MB
-
memory/2028-54-0x0000000075881000-0x0000000075883000-memory.dmpFilesize
8KB
-
memory/2028-55-0x0000000074AF0000-0x000000007509B000-memory.dmpFilesize
5.7MB