Analysis

  • max time kernel
    124s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 11:08

General

  • Target

    b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

  • Size

    959KB

  • MD5

    a7b3d8bf5e1016eb03af417e28b3405a

  • SHA1

    865a61dfc45a5ed708106055de5ff19a76349d2d

  • SHA256

    b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603

  • SHA512

    cb1a3e3f3b6f1a9cf9fd2e2bb0f7f04923289708b717979f31967a32f4715eff8d90bb1b624a40e1f27e83240071cd2540df41c56e2b9bd335d8037fad699bec

  • SSDEEP

    12288:G1uKSavywZ8oPEVzTEnUycspBKugd7uDjde1sKcilllPqwHiZEIUbWSDz45ohOk5:GMKS6ywZHDp6dge1sKgwHMExe53ckq

Malware Config

Extracted

Family

pony

C2

http://eileen.3eeweb.com/1/1/gate.php

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
    "C:\Users\Admin\AppData\Local\Temp\b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\SysWOW64\CMD.exe
      "CMD"
      2⤵
        PID:212
      • C:\Windows\SysWOW64\CMD.exe
        "CMD"
        2⤵
          PID:220
        • C:\Users\Admin\AppData\Local\Temp\b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
          "C:\Users\Admin\AppData\Local\Temp\b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe"
          2⤵
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4248
          • C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
            "C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe"
            3⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook accounts
            • Accesses Microsoft Outlook profiles
            • Suspicious use of AdjustPrivilegeToken
            • outlook_win_path
            PID:2252
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            3⤵
            • Accesses Microsoft Outlook accounts
            PID:2760
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2388

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe

    Filesize

    34KB

    MD5

    9870cf3bfa9d28e60cada6d16b42c2a7

    SHA1

    dacfbe479063f4d771d05ddc92c35e9b72e9d34f

    SHA256

    a141d1b4b207f8d350f67ebbecc422909720d4fa2d520e66182224c361ccdab0

    SHA512

    63667d96d923d361f7e68dc517fd693e76be4c51cf883621463a33b6ce54d47569492cd8ae75996efb37222d97ac86db54b99bea92a24d2b404ef813b7e9f52a

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt

    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

  • memory/212-137-0x0000000000000000-mapping.dmp

  • memory/220-138-0x0000000000000000-mapping.dmp

  • memory/2252-144-0x0000000000000000-mapping.dmp

  • memory/2252-147-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/2252-153-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/2388-157-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2388-155-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2388-158-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2388-154-0x0000000000000000-mapping.dmp

  • memory/2488-143-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB

  • memory/2488-135-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB

  • memory/2488-136-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB

  • memory/2760-151-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2760-152-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2760-149-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2760-148-0x0000000000000000-mapping.dmp

  • memory/4248-142-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB

  • memory/4248-141-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB

  • memory/4248-140-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/4248-139-0x0000000000000000-mapping.dmp