Analysis
-
max time kernel
189s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
26-11-2022 22:03
General
-
Target
ae38c742cbea7e24ba93f0d5fe44f4af94d98a406eb1d2a7d5153c42ec5717fb.exe
-
Size
1.2MB
-
MD5
fac02fb099ef48e12b71d3440864fc02
-
SHA1
743726663066be95712394780925d291e0bc78e9
-
SHA256
ae38c742cbea7e24ba93f0d5fe44f4af94d98a406eb1d2a7d5153c42ec5717fb
-
SHA512
d4308c7164ccf18817bb558d0bf7a98a6aba37f3360613f3d0927fc54f3915963fe3dbf260870efcb3e10cf325d2bd5cb80a347a2e192d84f0df0a9d11f0eec2
-
SSDEEP
24576:lXrcXAu40R59zq/n6cZd8YJXifgdECN973ApQfaJPnIcIVQy:6bzYnJQUoPnIzVZ
Malware Config
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae38c742cbea7e24ba93f0d5fe44f4af94d98a406eb1d2a7d5153c42ec5717fb.exe"C:\Users\Admin\AppData\Local\Temp\ae38c742cbea7e24ba93f0d5fe44f4af94d98a406eb1d2a7d5153c42ec5717fb.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\aNNNNN.xml"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\sql_support.exe"C:\Users\Admin\AppData\Local\Temp\sql_support.exe" -woohoo 2980 C:\Users\Admin\AppData\Local\Temp\chrome.exe2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\a22222.xml"3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\chrome.exeFilesize
1.2MB
MD5fac02fb099ef48e12b71d3440864fc02
SHA1743726663066be95712394780925d291e0bc78e9
SHA256ae38c742cbea7e24ba93f0d5fe44f4af94d98a406eb1d2a7d5153c42ec5717fb
SHA512d4308c7164ccf18817bb558d0bf7a98a6aba37f3360613f3d0927fc54f3915963fe3dbf260870efcb3e10cf325d2bd5cb80a347a2e192d84f0df0a9d11f0eec2
-
C:\Users\Admin\AppData\Local\Temp\a22222.xmlFilesize
1KB
MD5b81111e91a68ccd06712feab8bb4077a
SHA10b375d9be8161cc9aa9ecc4198e6fdb9c2d68725
SHA256efb3d9ac63bda95d2c49286287588e72d39e8799566ab7a826d495cb9df2362b
SHA512b40ea6cc704889d3dd34636c88cb2c3b68c2724318e0b5bdd429e2b12af33b84d614d77d8060a58b41e95c18e2386b86f8105a675917dcb9a38140b2c51da3e9
-
C:\Users\Admin\AppData\Local\Temp\aNNNNN.xmlFilesize
1KB
MD5b81111e91a68ccd06712feab8bb4077a
SHA10b375d9be8161cc9aa9ecc4198e6fdb9c2d68725
SHA256efb3d9ac63bda95d2c49286287588e72d39e8799566ab7a826d495cb9df2362b
SHA512b40ea6cc704889d3dd34636c88cb2c3b68c2724318e0b5bdd429e2b12af33b84d614d77d8060a58b41e95c18e2386b86f8105a675917dcb9a38140b2c51da3e9
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txtFilesize
327B
MD51265c5140a2f68b05b92aa1a25a2abb6
SHA1627a660e9d2a41c8c4a662ca44fdb68a1356bc82
SHA256694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9
SHA512ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216
-
C:\Users\Admin\AppData\Local\Temp\holdermail.txtFilesize
1KB
MD501e7975c708365983265ae40d604beb4
SHA1f1c793c9b7a312d355cd944928ba9272bbeec44e
SHA25695d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40
SHA5129c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023
-
C:\Users\Admin\AppData\Local\Temp\sql_support.exeFilesize
1.2MB
MD5fac02fb099ef48e12b71d3440864fc02
SHA1743726663066be95712394780925d291e0bc78e9
SHA256ae38c742cbea7e24ba93f0d5fe44f4af94d98a406eb1d2a7d5153c42ec5717fb
SHA512d4308c7164ccf18817bb558d0bf7a98a6aba37f3360613f3d0927fc54f3915963fe3dbf260870efcb3e10cf325d2bd5cb80a347a2e192d84f0df0a9d11f0eec2
-
C:\Users\Admin\AppData\Local\Temp\sql_support.exeFilesize
1.2MB
MD5fac02fb099ef48e12b71d3440864fc02
SHA1743726663066be95712394780925d291e0bc78e9
SHA256ae38c742cbea7e24ba93f0d5fe44f4af94d98a406eb1d2a7d5153c42ec5717fb
SHA512d4308c7164ccf18817bb558d0bf7a98a6aba37f3360613f3d0927fc54f3915963fe3dbf260870efcb3e10cf325d2bd5cb80a347a2e192d84f0df0a9d11f0eec2
-
memory/524-156-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/524-153-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/524-154-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/524-152-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/524-151-0x0000000000000000-mapping.dmp
-
memory/1132-147-0x0000000000000000-mapping.dmp
-
memory/1316-134-0x0000000000000000-mapping.dmp
-
memory/1604-141-0x0000000000000000-mapping.dmp
-
memory/1604-144-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB
-
memory/1604-148-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB
-
memory/1748-157-0x0000000000000000-mapping.dmp
-
memory/1748-158-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1748-164-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1748-162-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1748-161-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1748-160-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/1748-159-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/2980-138-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/2980-136-0x0000000000000000-mapping.dmp
-
memory/2980-137-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/2980-149-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB
-
memory/2980-139-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/2980-146-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB
-
memory/4000-132-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB
-
memory/4000-133-0x0000000074870000-0x0000000074E21000-memory.dmpFilesize
5.7MB