Analysis
-
max time kernel
131s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 23:20
General
-
Target
d3e62b5a95708fdbac90f553c822246ffc83118c37061c2e175309b49887d2be.exe
-
Size
623KB
-
MD5
149a38cff0ea0feabdfb1fdd470f0918
-
SHA1
9e9c3fa9e7c01b0c1377c3a6dec3eb6bb9616d8f
-
SHA256
d3e62b5a95708fdbac90f553c822246ffc83118c37061c2e175309b49887d2be
-
SHA512
7dab5590b0434d38c703b9b2eb0144d3736650823b5f5b16e53cfdd46db560bc88db3792642bc34584b721fad1b2eeb9f51d47a6e0f849e3618a7c8afe0d0e6d
-
SSDEEP
12288:czV0rxW0RcSEjiPbYEiOLaSqFFXS//d/nS2J+mMkh/A/PjA8SytbrU3:2VUU08iPsEiFteXlGkpApbr
Malware Config
Extracted
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
admin007
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NirSoft MailPassView 12 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 12 IoCs
Password recovery tool for various web browsers
-
Nirsoft 17 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3e62b5a95708fdbac90f553c822246ffc83118c37061c2e175309b49887d2be.exe"C:\Users\Admin\AppData\Local\Temp\d3e62b5a95708fdbac90f553c822246ffc83118c37061c2e175309b49887d2be.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d3e62b5a95708fdbac90f553c822246ffc83118c37061c2e175309b49887d2be.exe"C:\Users\Admin\AppData\Local\Temp\d3e62b5a95708fdbac90f553c822246ffc83118c37061c2e175309b49887d2be.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/268-90-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/268-92-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/268-89-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/268-86-0x0000000000442628-mapping.dmp
-
memory/268-85-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1016-75-0x0000000074590000-0x0000000074B3B000-memory.dmpFilesize
5.7MB
-
memory/1016-55-0x0000000074590000-0x0000000074B3B000-memory.dmpFilesize
5.7MB
-
memory/1016-56-0x0000000074590000-0x0000000074B3B000-memory.dmpFilesize
5.7MB
-
memory/1016-54-0x00000000764D1000-0x00000000764D3000-memory.dmpFilesize
8KB
-
memory/1200-83-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1200-78-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1200-84-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1200-82-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1200-79-0x0000000000411654-mapping.dmp
-
memory/1584-77-0x0000000074590000-0x0000000074B3B000-memory.dmpFilesize
5.7MB
-
memory/1584-73-0x0000000000180000-0x0000000000204000-memory.dmpFilesize
528KB
-
memory/1584-76-0x0000000074590000-0x0000000074B3B000-memory.dmpFilesize
5.7MB
-
memory/1584-66-0x0000000000180000-0x0000000000204000-memory.dmpFilesize
528KB
-
memory/1584-70-0x0000000000180000-0x0000000000204000-memory.dmpFilesize
528KB
-
memory/1584-65-0x0000000000180000-0x0000000000204000-memory.dmpFilesize
528KB
-
memory/1584-64-0x000000000047EFAE-mapping.dmp
-
memory/1584-62-0x0000000000180000-0x0000000000204000-memory.dmpFilesize
528KB
-
memory/1584-60-0x0000000000180000-0x0000000000204000-memory.dmpFilesize
528KB
-
memory/1584-58-0x0000000000180000-0x0000000000204000-memory.dmpFilesize
528KB
-
memory/1584-57-0x0000000000180000-0x0000000000204000-memory.dmpFilesize
528KB