Overview

overview

10

Static

static

2daabbbfe9...46.exe

windows7-x64

10

2daabbbfe9...46.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    106s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe

  • Size

    576KB

  • MD5

    4fbf3ef1ae2a1e7a4ac62217833fd135

  • SHA1

    b1e95acd1d6c5ece5009aad16e200391f04e371b

  • SHA256

    2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46

  • SHA512

    becba007222b52fdb566697ad1ed39ba7bd0f1c6e755dada5a9b2acbe1dd87ef604d43cf07e5d5d1ffa223924a41c87f4c69eb56ed5bfa1e5c993bdd52a361a1

  • SSDEEP

    12288:ekNCadTPVIIZKT4sqqdwGePz+4gXG5Y9Jb/tBLMNn/9IUTUwSBDuC:DpF2hT4jz+4oUY9JRBLCVfIHBy

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 9 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 9 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 14 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
    "C:\Users\Admin\AppData\Local\Temp\2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe
      "C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:316
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:1164
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
            PID:1724

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      32KB

      MD5

      d79f070423fdd3f01ce8c2ba3fbbc8ed

      SHA1

      2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

      SHA256

      97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

      SHA512

      47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      32KB

      MD5

      d79f070423fdd3f01ce8c2ba3fbbc8ed

      SHA1

      2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

      SHA256

      97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

      SHA512

      47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

      Download Submit
    • C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe
      Filesize

      576KB

      MD5

      bd69f5cbb1c7b9e0b9af4cd6f5c0b518

      SHA1

      25b677796521fbe484cb6b6a1c863033b1fae404

      SHA256

      71ee42d16270dc1c30348cdad7bc557f0831bd84aaa6d4f3cc28df065e6b79dc

      SHA512

      53cdc6e748b5b1cc7d84678f46808837794d166e818bf5906e1ab2788b9cba3d6ea31879d5e4c34482368b1bef3c02132ba278a55c60bc7585cd7d5ec759fffd

      Download Submit
    • \Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      32KB

      MD5

      d79f070423fdd3f01ce8c2ba3fbbc8ed

      SHA1

      2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

      SHA256

      97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

      SHA512

      47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

      Download Submit
    • \Users\Admin\AppData\Roaming\downloads\hgcgc.exe
      Filesize

      576KB

      MD5

      bd69f5cbb1c7b9e0b9af4cd6f5c0b518

      SHA1

      25b677796521fbe484cb6b6a1c863033b1fae404

      SHA256

      71ee42d16270dc1c30348cdad7bc557f0831bd84aaa6d4f3cc28df065e6b79dc

      SHA512

      53cdc6e748b5b1cc7d84678f46808837794d166e818bf5906e1ab2788b9cba3d6ea31879d5e4c34482368b1bef3c02132ba278a55c60bc7585cd7d5ec759fffd

      Download Submit
    • \Users\Admin\AppData\Roaming\downloads\hgcgc.exe
      Filesize

      576KB

      MD5

      bd69f5cbb1c7b9e0b9af4cd6f5c0b518

      SHA1

      25b677796521fbe484cb6b6a1c863033b1fae404

      SHA256

      71ee42d16270dc1c30348cdad7bc557f0831bd84aaa6d4f3cc28df065e6b79dc

      SHA512

      53cdc6e748b5b1cc7d84678f46808837794d166e818bf5906e1ab2788b9cba3d6ea31879d5e4c34482368b1bef3c02132ba278a55c60bc7585cd7d5ec759fffd

      Download Submit
    • memory/316-76-0x0000000074C00000-0x00000000751AB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/316-82-0x00000000000A0000-0x00000000000E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/316-66-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/316-70-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/316-72-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/316-93-0x00000000000A0000-0x00000000000E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/316-75-0x0000000074C00000-0x00000000751AB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/316-67-0x000000000047EA3E-mapping.dmp
      Download
    • memory/624-60-0x0000000000000000-mapping.dmp
      Download
    • memory/864-56-0x0000000076261000-0x0000000076263000-memory.dmp
      Filesize

      8KB

      Download
    • memory/864-57-0x0000000000280000-0x0000000000286000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1164-90-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1164-83-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1164-77-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1164-81-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1164-78-0x0000000000411654-mapping.dmp
      Download
    • memory/1724-84-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/1724-85-0x0000000000442628-mapping.dmp
      Download
    • memory/1724-88-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/1724-89-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/1724-92-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download