hawkeye | 0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd

System Information Discovery

Processes:

0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 whatismyipaddress.com

flow	ioc
50	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 5056 set thread context of 372	5056	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
PID 4124 set thread context of 1204	4124	Windows Update.exe	Windows Update.exe
PID 1204 set thread context of 4620	1204	Windows Update.exe	vbc.exe
PID 1204 set thread context of 3040	1204	Windows Update.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2276 3040 WerFault.exe vbc.exe
2144 3040 WerFault.exe vbc.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

pid	pid_target	process	target process
2276	3040	WerFault.exe	vbc.exe
2144	3040	WerFault.exe	vbc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

dw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows Update.exe

pid	process
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe
1204	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Windows Update.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	1204	Windows Update.exe
Token: SeRestorePrivilege	2316	dw20.exe
Token: SeBackupPrivilege	2316	dw20.exe
Token: SeBackupPrivilege	2316	dw20.exe
Token: SeBackupPrivilege	2316	dw20.exe
Token: SeBackupPrivilege	2316	dw20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

1204 Windows Update.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exeWindows Update.exeWindows Update.exevbc.exe

description	pid	process	target process
PID 5056 wrote to memory of 372	5056	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
PID 5056 wrote to memory of 372	5056	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
PID 5056 wrote to memory of 372	5056	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
PID 5056 wrote to memory of 372	5056	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
PID 5056 wrote to memory of 372	5056	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
PID 5056 wrote to memory of 372	5056	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
PID 5056 wrote to memory of 372	5056	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
PID 5056 wrote to memory of 372	5056	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
PID 372 wrote to memory of 4124	372	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	Windows Update.exe
PID 372 wrote to memory of 4124	372	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	Windows Update.exe
PID 372 wrote to memory of 4124	372	0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe	Windows Update.exe
PID 4124 wrote to memory of 1204	4124	Windows Update.exe	Windows Update.exe
PID 4124 wrote to memory of 1204	4124	Windows Update.exe	Windows Update.exe
PID 4124 wrote to memory of 1204	4124	Windows Update.exe	Windows Update.exe
PID 4124 wrote to memory of 1204	4124	Windows Update.exe	Windows Update.exe
PID 4124 wrote to memory of 1204	4124	Windows Update.exe	Windows Update.exe
PID 4124 wrote to memory of 1204	4124	Windows Update.exe	Windows Update.exe
PID 4124 wrote to memory of 1204	4124	Windows Update.exe	Windows Update.exe
PID 4124 wrote to memory of 1204	4124	Windows Update.exe	Windows Update.exe
PID 1204 wrote to memory of 3040	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 3040	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 3040	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 3040	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 3040	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 3040	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 3040	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 3040	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 4620	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 4620	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 4620	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 4620	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 4620	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 3040	1204	Windows Update.exe	vbc.exe
PID 1204 wrote to memory of 2316	1204	Windows Update.exe	dw20.exe
PID 1204 wrote to memory of 2316	1204	Windows Update.exe	dw20.exe
PID 1204 wrote to memory of 2316	1204	Windows Update.exe	dw20.exe
PID 3040 wrote to memory of 2276	3040	vbc.exe	WerFault.exe
PID 3040 wrote to memory of 2276	3040	vbc.exe	WerFault.exe
PID 3040 wrote to memory of 2276	3040	vbc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
"C:\Users\Admin\AppData\Local\Temp\0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe
"C:\Users\Admin\AppData\Local\Temp\0c903e996cfd8cf1d1e89a4f5f954a0f4a3211e3b6ffc54af6f7ebb719945dfd.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4124

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
5⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 188
6⤵
- Program crash
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 188
6⤵
- Program crash
PID:2144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 2440
5⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3040 -ip 3040
1⤵
PID:4460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

3

System Information Discovery

4

Lateral Movement

Collection

Data from Local System