Overview

overview

10

Static

static

c7a031bef2...a1.exe

windows7-x64

9

c7a031bef2...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7a031bef2ac15aa01c894dfcb84c5047accd3104888f5330caf6e804c7214a1.exe

  • Size

    996KB

  • MD5

    d2c1719e80486b2fe9ff7c4165782bb6

  • SHA1

    ca9e49a14b42db46a3c0c0e6f8f56ee9eeb2fd3b

  • SHA256

    c7a031bef2ac15aa01c894dfcb84c5047accd3104888f5330caf6e804c7214a1

  • SHA512

    a3b8502d24bb563f2f5c2a8e37d47547446e8e03a84a6db142f9d139db1a3683eca7576c768326b2224d96cfcf766322148a82e043c860e4743d2d01e7d2071f

  • SSDEEP

    24576:1o4mISIfX5OqZ5YtIHaYX1BWQdfvLPFJ45:wISoZ4IHBfWqHw

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 5 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7a031bef2ac15aa01c894dfcb84c5047accd3104888f5330caf6e804c7214a1.exe
    "C:\Users\Admin\AppData\Local\Temp\c7a031bef2ac15aa01c894dfcb84c5047accd3104888f5330caf6e804c7214a1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Users\Admin\AppData\Local\Temp\c7a031bef2ac15aa01c894dfcb84c5047accd3104888f5330caf6e804c7214a1.exe
      "C:\Users\Admin\AppData\Local\Temp\c7a031bef2ac15aa01c894dfcb84c5047accd3104888f5330caf6e804c7214a1.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4784
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:4824
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
          PID:1084
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
          3⤵
            PID:1864
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt" /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
            3⤵
              PID:1740
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
              3⤵
                PID:3280
            • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
              2⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1956
              • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
                3⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3988
                • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:3428
                • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
                  4⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4160

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LookupSvi.exe.log
            Filesize

            128B

            MD5

            a5dcc7c9c08af7dddd82be5b036a4416

            SHA1

            4f998ca1526d199e355ffb435bae111a2779b994

            SHA256

            e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

            SHA512

            56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt
            Filesize

            725B

            MD5

            ecdeac12aa0c63ee0e8277e781c26266

            SHA1

            68d8df7e0af50dd7026e2f4b7c5144404f5d57c0

            SHA256

            a9020bc135be87e5e68b0f8d2ee44facb3a03f7f0aa2f988b19b65dae72f44c7

            SHA512

            e71822a51d963c00f81c6576fb5d79b0d4101e0e31d253daa88f1cf83ad32e9ba8c7b566330432d9bfb2bb2cec716595c2b5ed56838fa345a4f9d63b29f6e6c0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt
            Filesize

            2B

            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
            Filesize

            3KB

            MD5

            f94dc819ca773f1e3cb27abbc9e7fa27

            SHA1

            9a7700efadc5ea09ab288544ef1e3cd876255086

            SHA256

            a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

            SHA512

            72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
            Filesize

            13KB

            MD5

            bc61e848984ec98f66479d18562f6745

            SHA1

            f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

            SHA256

            45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

            SHA512

            2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
            Filesize

            13KB

            MD5

            bc61e848984ec98f66479d18562f6745

            SHA1

            f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

            SHA256

            45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

            SHA512

            2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
            Filesize

            13KB

            MD5

            bc61e848984ec98f66479d18562f6745

            SHA1

            f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

            SHA256

            45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

            SHA512

            2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
            Filesize

            996KB

            MD5

            d2c1719e80486b2fe9ff7c4165782bb6

            SHA1

            ca9e49a14b42db46a3c0c0e6f8f56ee9eeb2fd3b

            SHA256

            c7a031bef2ac15aa01c894dfcb84c5047accd3104888f5330caf6e804c7214a1

            SHA512

            a3b8502d24bb563f2f5c2a8e37d47547446e8e03a84a6db142f9d139db1a3683eca7576c768326b2224d96cfcf766322148a82e043c860e4743d2d01e7d2071f

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
            Filesize

            996KB

            MD5

            d2c1719e80486b2fe9ff7c4165782bb6

            SHA1

            ca9e49a14b42db46a3c0c0e6f8f56ee9eeb2fd3b

            SHA256

            c7a031bef2ac15aa01c894dfcb84c5047accd3104888f5330caf6e804c7214a1

            SHA512

            a3b8502d24bb563f2f5c2a8e37d47547446e8e03a84a6db142f9d139db1a3683eca7576c768326b2224d96cfcf766322148a82e043c860e4743d2d01e7d2071f

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
            Filesize

            996KB

            MD5

            d2c1719e80486b2fe9ff7c4165782bb6

            SHA1

            ca9e49a14b42db46a3c0c0e6f8f56ee9eeb2fd3b

            SHA256

            c7a031bef2ac15aa01c894dfcb84c5047accd3104888f5330caf6e804c7214a1

            SHA512

            a3b8502d24bb563f2f5c2a8e37d47547446e8e03a84a6db142f9d139db1a3683eca7576c768326b2224d96cfcf766322148a82e043c860e4743d2d01e7d2071f

            Download Submit

          • memory/1084-156-0x0000000000400000-0x0000000000459000-memory.dmp

            Filesize

            356KB

            Download

          • memory/1084-153-0x0000000000000000-mapping.dmp

            Download

          • memory/1084-166-0x0000000000400000-0x0000000000459000-memory.dmp

            Filesize

            356KB

            Download

          • memory/1084-157-0x0000000000400000-0x0000000000459000-memory.dmp

            Filesize

            356KB

            Download

          • memory/1084-154-0x0000000000400000-0x0000000000459000-memory.dmp

            Filesize

            356KB

            Download

          • memory/1740-169-0x0000000000000000-mapping.dmp

            Download

          • memory/1740-170-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

            Download

          • memory/1740-179-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

            Download

          • memory/1740-177-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

            Download

          • memory/1864-168-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1864-183-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1864-158-0x0000000000000000-mapping.dmp

            Download

          • memory/1864-159-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1864-161-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1956-137-0x0000000000000000-mapping.dmp

            Download

          • memory/1956-140-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1956-142-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1956-165-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3280-172-0x0000000000000000-mapping.dmp

            Download

          • memory/3428-162-0x0000000000000000-mapping.dmp

            Download

          • memory/3428-164-0x0000000000400000-0x00000000004F0000-memory.dmp

            Filesize

            960KB

            Download

          • memory/3428-186-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3428-185-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3428-181-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3988-146-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3988-152-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3988-144-0x0000000000000000-mapping.dmp

            Download

          • memory/4160-173-0x0000000000000000-mapping.dmp

            Download

          • memory/4160-180-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4160-184-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4316-133-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4316-132-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4316-171-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4784-141-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4784-136-0x00000000748E0000-0x0000000074E91000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4784-134-0x0000000000000000-mapping.dmp

            Download

          • memory/4824-147-0x0000000000000000-mapping.dmp

            Download

          • memory/4824-150-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

            Download

          • memory/4824-151-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

            Download

          • memory/4824-148-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

            Download