Analysis
-
max time kernel
151s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
25-11-2022 17:20
General
-
Target
4ad8a8ab92287106e19bb7e910b83c10912da964991b72e853562aabacb033ed.exe
-
Size
643KB
-
MD5
20553eaee468685d1fa0a7f2cb2db74b
-
SHA1
b62e9c76f8aa351618eb2321eeeb1fd5ae14ace6
-
SHA256
4ad8a8ab92287106e19bb7e910b83c10912da964991b72e853562aabacb033ed
-
SHA512
352b0b3bfcd207a661b6886e1b2b9e902b4bb2d14c588fc70e387ecfc95b8094142f7404d1313f114554c24fb6b4e0ae351116cf50594ce49c042c0f171a2052
-
SSDEEP
12288:MBAcMVBAV4mfT/thn5D4XN0NzutaVlG4O+v270UN:PVVBABT/thn1mN0NzYgKt
Malware Config
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Nirsoft 5 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ad8a8ab92287106e19bb7e910b83c10912da964991b72e853562aabacb033ed.exe"C:\Users\Admin\AppData\Local\Temp\4ad8a8ab92287106e19bb7e910b83c10912da964991b72e853562aabacb033ed.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"3⤵
- Adds Run key to start application
-
-
-
C:\Users\Admin\AppData\Local\Temp\4ad8a8ab92287106e19bb7e910b83c10912da964991b72e853562aabacb033ed.exe"C:\Users\Admin\AppData\Local\Temp\4ad8a8ab92287106e19bb7e910b83c10912da964991b72e853562aabacb033ed.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\4ad8a8ab92287106e19bb7e910b83c10912da964991b72e853562aabacb033ed.exe"C:\Users\Admin\AppData\Local\Temp\4ad8a8ab92287106e19bb7e910b83c10912da964991b72e853562aabacb033ed.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\4ad8a8ab92287106e19bb7e910b83c10912da964991b72e853562aabacb033ed.exe"C:\Users\Admin\AppData\Local\Temp\4ad8a8ab92287106e19bb7e910b83c10912da964991b72e853562aabacb033ed.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
-
-
-
Filesize
5.7MB
-
Filesize
528KB
-
-
Filesize
5.7MB
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB