hawkeye | 25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02

Analysis

max time kernel
158s
max time network
167s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
Size

1.2MB
MD5

728bcb795d2c5777577aa820cdfe9088
SHA1

81b0fa677aa8975b56f02abd9cce56bd912fde51
SHA256

25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02
SHA512

c5da28ae275715a35d43b60a1596247edd567248c04c4e17ea885a51a549fc87f82af25debaf828610f2fc143bcd9d22259744f1b346b752d9bf8081bc212d2a
SSDEEP

24576:404Yt75R+59L8vamkFE9rdmDkYOrxVBB29gsInQ8MBDlsl7gOHdx5V8:t4Y55A5x8vmC9rdmIjxjB2Mnwe5V8

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 20 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/572-60-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/572-62-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/572-63-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/572-64-0x0000000000485A7E-mapping.dmp	MailPassView
behavioral1/memory/572-66-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/572-68-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/316-89-0x0000000000485A7E-mapping.dmp	MailPassView
behavioral1/memory/1672-104-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/1672-106-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/1672-108-0x0000000000485A5E-mapping.dmp	MailPassView
behavioral1/memory/1672-107-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/1672-112-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/1672-114-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/1756-122-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1756-123-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1344-134-0x0000000000485A7E-mapping.dmp	MailPassView
behavioral1/memory/1756-143-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1756-147-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1756-150-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1756-151-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 14 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/572-60-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/572-62-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/572-63-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/572-64-0x0000000000485A7E-mapping.dmp	WebBrowserPassView
behavioral1/memory/572-66-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/572-68-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/316-89-0x0000000000485A7E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1672-104-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1672-106-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1672-108-0x0000000000485A5E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1672-107-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1672-112-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1672-114-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1344-134-0x0000000000485A7E-mapping.dmp	WebBrowserPassView

Nirsoft 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/572-60-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/572-62-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/572-63-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/572-64-0x0000000000485A7E-mapping.dmp	Nirsoft
behavioral1/memory/572-66-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/572-68-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/316-89-0x0000000000485A7E-mapping.dmp	Nirsoft
behavioral1/memory/1672-104-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/1672-106-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/1672-108-0x0000000000485A5E-mapping.dmp	Nirsoft
behavioral1/memory/1672-107-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/1672-112-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/1672-114-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/1756-122-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1756-123-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1344-134-0x0000000000485A7E-mapping.dmp	Nirsoft
behavioral1/memory/1756-143-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1756-147-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1756-150-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1756-151-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

owodeoo.exeWindows Update.exeowodeoo.exeowodeoo.exeWindows Update.exe

pid process

1928 owodeoo.exe
832 Windows Update.exe
1708 owodeoo.exe
1672 owodeoo.exe
1344 Windows Update.exe

pid	process
1928	owodeoo.exe
832	Windows Update.exe
1708	owodeoo.exe
1672	owodeoo.exe
1344	Windows Update.exe

Loads dropped DLL 5 IoCs

Processes:

25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exeowodeoo.exeWindows Update.exe

pid	process
1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
572	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
1928	owodeoo.exe
1928	owodeoo.exe
832	Windows Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 whatismyipaddress.com
4 whatismyipaddress.com
6 whatismyipaddress.com

flow	ioc
7	whatismyipaddress.com
4	whatismyipaddress.com
6	whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exeowodeoo.exe25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exeWindows Update.exe

description	pid	process	target process
PID 1392 set thread context of 572	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 set thread context of 316	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1928 set thread context of 1672	1928	owodeoo.exe	owodeoo.exe
PID 316 set thread context of 1756	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe
PID 832 set thread context of 1344	832	Windows Update.exe	Windows Update.exe
PID 316 set thread context of 288	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exeowodeoo.exe25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exeWindows Update.exe

pid	process
1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
1928	owodeoo.exe
1928	owodeoo.exe
1928	owodeoo.exe
1928	owodeoo.exe
316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
832	Windows Update.exe
832	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exeowodeoo.exe25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exeWindows Update.exe

description	pid	process
Token: SeDebugPrivilege	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
Token: SeDebugPrivilege	1928	owodeoo.exe
Token: SeDebugPrivilege	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
Token: SeDebugPrivilege	832	Windows Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe

pid process

316 25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe

pid	process
316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exeowodeoo.exe25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exeWindows Update.exe

description	pid	process	target process
PID 1392 wrote to memory of 572	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 572	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 572	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 572	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 572	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 572	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 572	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 572	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 572	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 572 wrote to memory of 832	572	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	Windows Update.exe
PID 572 wrote to memory of 832	572	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	Windows Update.exe
PID 572 wrote to memory of 832	572	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	Windows Update.exe
PID 572 wrote to memory of 832	572	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	Windows Update.exe
PID 572 wrote to memory of 832	572	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	Windows Update.exe
PID 572 wrote to memory of 832	572	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	Windows Update.exe
PID 572 wrote to memory of 832	572	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	Windows Update.exe
PID 1392 wrote to memory of 1928	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	owodeoo.exe
PID 1392 wrote to memory of 1928	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	owodeoo.exe
PID 1392 wrote to memory of 1928	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	owodeoo.exe
PID 1392 wrote to memory of 1928	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	owodeoo.exe
PID 1392 wrote to memory of 316	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 316	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 316	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 316	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 316	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 316	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 316	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 316	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1392 wrote to memory of 316	1392	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
PID 1928 wrote to memory of 1708	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1708	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1708	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1708	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1672	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1672	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1672	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1672	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1672	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1672	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1672	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1672	1928	owodeoo.exe	owodeoo.exe
PID 1928 wrote to memory of 1672	1928	owodeoo.exe	owodeoo.exe
PID 316 wrote to memory of 1756	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe
PID 316 wrote to memory of 1756	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe
PID 316 wrote to memory of 1756	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe
PID 316 wrote to memory of 1756	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe
PID 316 wrote to memory of 1756	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe
PID 316 wrote to memory of 1756	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe
PID 316 wrote to memory of 1756	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe
PID 316 wrote to memory of 1756	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe
PID 316 wrote to memory of 1756	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe
PID 316 wrote to memory of 1756	316	25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe	vbc.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe
PID 832 wrote to memory of 1344	832	Windows Update.exe	Windows Update.exe

C:\Users\Admin\AppData\Local\Temp\25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
"C:\Users\Admin\AppData\Local\Temp\25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
"C:\Users\Admin\AppData\Local\Temp\25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
PID:1344

C:\Users\Admin\AppData\Local\Temp\owodeoo.exe
"C:\Users\Admin\AppData\Local\Temp\owodeoo.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\owodeoo.exe
"C:\Users\Admin\AppData\Local\Temp\owodeoo.exe"
3⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\AppData\Local\Temp\owodeoo.exe
"C:\Users\Admin\AppData\Local\Temp\owodeoo.exe"
3⤵
- Executes dropped EXE
PID:1672

C:\Users\Admin\AppData\Local\Temp\25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe
"C:\Users\Admin\AppData\Local\Temp\25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
45B

MD5
20aa8ef06d6b5aa1901c5c00ce027b2e

SHA1
20a9c3e7a90e0bf314b3e45fa2703e74b7059b35

SHA256
6b69c38179d47b7ab4be2d8efcd86e3a9fb0607e7707d9f6a64ecc3160088862

SHA512
3320297f6d860481fd181c0a81d2bcdf9f09bd6e383c3b8ca4c957cb8a0f529e301d58a7de05cc4b5cd4e3e3172de5d5f34f1a5c6c203595290561711032276e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
102B

MD5
e2c0c33990954817a4de92507d21e9df

SHA1
5c89bf5937b07c95f9a76cabc98e0ea1c0287d1f

SHA256
85a3621023097910ab52497cd7d0dbdafea871006ca745e0f1be235963b4ae69

SHA512
acacc04868c394c5758461d6bd0fcab5aaed7815c58b39e812fb020c781f4aeb05f5e29774382989a882d5dee300a68d08d59314f695be4cc542c6766c4af3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\owodeoo.exe

Filesize
590KB

MD5
166c87cc88364cf41e7ddffa24fd7334

SHA1
f6e80400b442fdac7bd6364da1dcb0ca18316946

SHA256
a3b7660f22f74be5bf44352284bce45dbd61ae08bb22e1c20aa75f177d017a52

SHA512
f4c658b9e53698c552152eb22ce2f2820ea455e3aec7426d705146d626189043b5287706983c40d8664c4737ad425ad065b09af26b37c20656f334bbaeb3c487

Download Submit
C:\Users\Admin\AppData\Local\Temp\owodeoo.exe

Filesize
590KB

MD5
166c87cc88364cf41e7ddffa24fd7334

SHA1
f6e80400b442fdac7bd6364da1dcb0ca18316946

SHA256
a3b7660f22f74be5bf44352284bce45dbd61ae08bb22e1c20aa75f177d017a52

SHA512
f4c658b9e53698c552152eb22ce2f2820ea455e3aec7426d705146d626189043b5287706983c40d8664c4737ad425ad065b09af26b37c20656f334bbaeb3c487

Download Submit
C:\Users\Admin\AppData\Local\Temp\owodeoo.exe

Filesize
590KB

MD5
166c87cc88364cf41e7ddffa24fd7334

SHA1
f6e80400b442fdac7bd6364da1dcb0ca18316946

SHA256
a3b7660f22f74be5bf44352284bce45dbd61ae08bb22e1c20aa75f177d017a52

SHA512
f4c658b9e53698c552152eb22ce2f2820ea455e3aec7426d705146d626189043b5287706983c40d8664c4737ad425ad065b09af26b37c20656f334bbaeb3c487

Download Submit
C:\Users\Admin\AppData\Local\Temp\owodeoo.exe

Filesize
590KB

MD5
166c87cc88364cf41e7ddffa24fd7334

SHA1
f6e80400b442fdac7bd6364da1dcb0ca18316946

SHA256
a3b7660f22f74be5bf44352284bce45dbd61ae08bb22e1c20aa75f177d017a52

SHA512
f4c658b9e53698c552152eb22ce2f2820ea455e3aec7426d705146d626189043b5287706983c40d8664c4737ad425ad065b09af26b37c20656f334bbaeb3c487

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
1.2MB

MD5
728bcb795d2c5777577aa820cdfe9088

SHA1
81b0fa677aa8975b56f02abd9cce56bd912fde51

SHA256
25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02

SHA512
c5da28ae275715a35d43b60a1596247edd567248c04c4e17ea885a51a549fc87f82af25debaf828610f2fc143bcd9d22259744f1b346b752d9bf8081bc212d2a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
1.2MB

MD5
728bcb795d2c5777577aa820cdfe9088

SHA1
81b0fa677aa8975b56f02abd9cce56bd912fde51

SHA256
25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02

SHA512
c5da28ae275715a35d43b60a1596247edd567248c04c4e17ea885a51a549fc87f82af25debaf828610f2fc143bcd9d22259744f1b346b752d9bf8081bc212d2a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
1.2MB

MD5
728bcb795d2c5777577aa820cdfe9088

SHA1
81b0fa677aa8975b56f02abd9cce56bd912fde51

SHA256
25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02

SHA512
c5da28ae275715a35d43b60a1596247edd567248c04c4e17ea885a51a549fc87f82af25debaf828610f2fc143bcd9d22259744f1b346b752d9bf8081bc212d2a

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt

Filesize
3B

MD5
3fe94a002317b5f9259f82690aeea4cd

SHA1
81c69212880f2e985e1dedf869c2483ece723d68

SHA256
7a20311cf7a4b222d436424480bc65dd0f9d2cefcbbb1fa148ca0d7e1d5bb55a

SHA512
9850cbd861e39c3263a5687e48496e173c91f5bc3f294e1d38fff583e4d0993afaa9e22e1aa4bb4321cce3dc76b0ef13dc2b9d6b68f38a03be1f0be4d2b9b1cc

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt

Filesize
102B

MD5
e2c0c33990954817a4de92507d21e9df

SHA1
5c89bf5937b07c95f9a76cabc98e0ea1c0287d1f

SHA256
85a3621023097910ab52497cd7d0dbdafea871006ca745e0f1be235963b4ae69

SHA512
acacc04868c394c5758461d6bd0fcab5aaed7815c58b39e812fb020c781f4aeb05f5e29774382989a882d5dee300a68d08d59314f695be4cc542c6766c4af3a1

Download Submit
\Users\Admin\AppData\Local\Temp\owodeoo.exe

Filesize
590KB

MD5
166c87cc88364cf41e7ddffa24fd7334

SHA1
f6e80400b442fdac7bd6364da1dcb0ca18316946

SHA256
a3b7660f22f74be5bf44352284bce45dbd61ae08bb22e1c20aa75f177d017a52

SHA512
f4c658b9e53698c552152eb22ce2f2820ea455e3aec7426d705146d626189043b5287706983c40d8664c4737ad425ad065b09af26b37c20656f334bbaeb3c487

Download Submit
\Users\Admin\AppData\Local\Temp\owodeoo.exe

Filesize
590KB

MD5
166c87cc88364cf41e7ddffa24fd7334

SHA1
f6e80400b442fdac7bd6364da1dcb0ca18316946

SHA256
a3b7660f22f74be5bf44352284bce45dbd61ae08bb22e1c20aa75f177d017a52

SHA512
f4c658b9e53698c552152eb22ce2f2820ea455e3aec7426d705146d626189043b5287706983c40d8664c4737ad425ad065b09af26b37c20656f334bbaeb3c487

Download Submit
\Users\Admin\AppData\Local\Temp\owodeoo.exe

Filesize
590KB

MD5
166c87cc88364cf41e7ddffa24fd7334

SHA1
f6e80400b442fdac7bd6364da1dcb0ca18316946

SHA256
a3b7660f22f74be5bf44352284bce45dbd61ae08bb22e1c20aa75f177d017a52

SHA512
f4c658b9e53698c552152eb22ce2f2820ea455e3aec7426d705146d626189043b5287706983c40d8664c4737ad425ad065b09af26b37c20656f334bbaeb3c487

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
1.2MB

MD5
728bcb795d2c5777577aa820cdfe9088

SHA1
81b0fa677aa8975b56f02abd9cce56bd912fde51

SHA256
25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02

SHA512
c5da28ae275715a35d43b60a1596247edd567248c04c4e17ea885a51a549fc87f82af25debaf828610f2fc143bcd9d22259744f1b346b752d9bf8081bc212d2a

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
1.2MB

MD5
728bcb795d2c5777577aa820cdfe9088

SHA1
81b0fa677aa8975b56f02abd9cce56bd912fde51

SHA256
25f433acacb2543ed3dd61be818524088468451b96710ac9799200391f5d9f02

SHA512
c5da28ae275715a35d43b60a1596247edd567248c04c4e17ea885a51a549fc87f82af25debaf828610f2fc143bcd9d22259744f1b346b752d9bf8081bc212d2a

Download Submit
memory/288-141-0x00000000739C2F9C-mapping.dmp

Download
memory/316-148-0x0000000002115000-0x0000000002126000-memory.dmp

Filesize
68KB

Download
memory/316-130-0x0000000002115000-0x0000000002126000-memory.dmp

Filesize
68KB

Download
memory/316-109-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/316-120-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/316-89-0x0000000000485A7E-mapping.dmp

Download
memory/572-68-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/572-58-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/572-81-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/572-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/572-60-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/572-62-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/572-70-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/572-63-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/572-66-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/572-64-0x0000000000485A7E-mapping.dmp

Download
memory/832-73-0x0000000000000000-mapping.dmp

Download
memory/832-91-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/832-118-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1344-144-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1344-134-0x0000000000485A7E-mapping.dmp

Download
memory/1344-149-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1392-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1392-56-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1392-55-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1672-101-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1672-104-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1672-121-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1672-106-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1672-108-0x0000000000485A5E-mapping.dmp

Download
memory/1672-117-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1672-114-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1672-112-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1672-107-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1756-143-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1756-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1756-123-0x0000000000411654-mapping.dmp

Download
memory/1756-122-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1756-150-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1756-151-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-119-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-93-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-74-0x0000000000000000-mapping.dmp

Download