hawkeye | 682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c

Analysis

max time kernel
151s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
Size

1.5MB
MD5

4dd205752e9d320eceffcdd931168612
SHA1

419857273e5bcd2129ae1e17649b9f26c7dc2c91
SHA256

682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c
SHA512

b2fa020372255e0ec1f297458e58f032c9463cc4461137a682a2e112ad4bdd1864f67fe94fcb1f9c9a3a794de65009a71d3ae06a9a3364199b69b02acf34f862
SSDEEP

24576:q5T542JygsASjNf0LWgtU3E29Sq5CVxbAX2re6hpz+2mn6x/K:kT5TYGU3b9Sq5KxMX2rThJ+2mnk/K

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
stanmtmdlmkycozj

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3352-143-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/3352-144-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3352-146-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3352-147-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1100-152-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/1100-153-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/1100-155-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/1100-156-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/1100-158-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3352-143-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/3352-144-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3352-146-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3352-147-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1100-152-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/1100-153-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/1100-155-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/1100-156-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/1100-158-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/4072-160-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4072-161-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/4072-163-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/4072-165-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/4644-179-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral2/memory/4644-178-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4644-181-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral2/memory/4644-183-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

LookupSvi.exesecdrv.exesecdrv.exeLookupSvi.exe

pid process

2400 LookupSvi.exe
2424 secdrv.exe
3436 secdrv.exe
1180 LookupSvi.exe

pid	process
2400	LookupSvi.exe
2424	secdrv.exe
3436	secdrv.exe
1180	LookupSvi.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exeLookupSvi.exesecdrv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	LookupSvi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	secdrv.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

LookupSvi.exeLookupSvi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe"	LookupSvi.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 whatismyipaddress.com
23 whatismyipaddress.com

flow	ioc
21	whatismyipaddress.com
23	whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exesecdrv.exe

description	pid	process	target process
PID 5016 set thread context of 2012	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
PID 2012 set thread context of 3352	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 set thread context of 1100	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 set thread context of 4072	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2424 set thread context of 3436	2424	secdrv.exe	secdrv.exe
PID 2012 set thread context of 4644	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe

pid	process
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exeLookupSvi.exesecdrv.exeLookupSvi.exe

description	pid	process
Token: SeDebugPrivilege	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
Token: SeDebugPrivilege	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
Token: SeDebugPrivilege	2400	LookupSvi.exe
Token: SeDebugPrivilege	2424	secdrv.exe
Token: SeDebugPrivilege	1180	LookupSvi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe

pid process

2012 682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe

pid	process
2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exeLookupSvi.exesecdrv.exe

description	pid	process	target process
PID 5016 wrote to memory of 2012	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
PID 5016 wrote to memory of 2012	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
PID 5016 wrote to memory of 2012	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
PID 5016 wrote to memory of 2012	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
PID 5016 wrote to memory of 2012	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
PID 5016 wrote to memory of 2012	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
PID 5016 wrote to memory of 2012	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
PID 5016 wrote to memory of 2012	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
PID 5016 wrote to memory of 2400	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	LookupSvi.exe
PID 5016 wrote to memory of 2400	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	LookupSvi.exe
PID 5016 wrote to memory of 2400	5016	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	LookupSvi.exe
PID 2012 wrote to memory of 3352	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 3352	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 3352	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 3352	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 3352	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 3352	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 3352	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 3352	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 3352	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2400 wrote to memory of 2424	2400	LookupSvi.exe	secdrv.exe
PID 2400 wrote to memory of 2424	2400	LookupSvi.exe	secdrv.exe
PID 2400 wrote to memory of 2424	2400	LookupSvi.exe	secdrv.exe
PID 2012 wrote to memory of 1100	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 1100	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 1100	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 1100	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 1100	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 1100	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 1100	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 1100	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 1100	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4072	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4072	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4072	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4072	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4072	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4072	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4072	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4072	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4072	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2424 wrote to memory of 3436	2424	secdrv.exe	secdrv.exe
PID 2424 wrote to memory of 3436	2424	secdrv.exe	secdrv.exe
PID 2424 wrote to memory of 3436	2424	secdrv.exe	secdrv.exe
PID 2424 wrote to memory of 3436	2424	secdrv.exe	secdrv.exe
PID 2424 wrote to memory of 3436	2424	secdrv.exe	secdrv.exe
PID 2424 wrote to memory of 3436	2424	secdrv.exe	secdrv.exe
PID 2424 wrote to memory of 3436	2424	secdrv.exe	secdrv.exe
PID 2424 wrote to memory of 3436	2424	secdrv.exe	secdrv.exe
PID 2424 wrote to memory of 1180	2424	secdrv.exe	LookupSvi.exe
PID 2424 wrote to memory of 1180	2424	secdrv.exe	LookupSvi.exe
PID 2424 wrote to memory of 1180	2424	secdrv.exe	LookupSvi.exe
PID 2012 wrote to memory of 4644	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4644	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4644	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4644	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4644	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4644	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4644	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4644	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe
PID 2012 wrote to memory of 4644	2012	682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
"C:\Users\Admin\AppData\Local\Temp\682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe
  "C:\Users\Admin\AppData\Local\Temp\682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:3352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    PID:1100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
    3⤵
    PID:4072
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
    3⤵
    PID:4644
- C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
      4⤵
      Executes dropped EXE
      PID:3436
  - - C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LookupSvi.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt

Filesize
725B

MD5
abd259a19decc7d410b6d1e131fcc902

SHA1
a39c698edf8ae707578e7bb5359d77bbafa4e409

SHA256
db26f09608704939fa7d282ac949db5af667869f8b3570f14493cf00e4db4185

SHA512
f966bbd408b0c4afd1e9fdd74f8ca88f8071fae2e839a4350df61a7f8b210ae7de243a7d8961d95218f682459142e6d5f1266dfed501bf3e7140cfbd4871f6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

Filesize
13KB

MD5
bc61e848984ec98f66479d18562f6745

SHA1
f41c96bcdcc9c1683b5bbe5d3815ea12e1b150a2

SHA256
45b66bd8113fc8aaf3d0ca9e1dc2f97215380244e52a0245f74064209f589946

SHA512
2465e70369b378ab69974f9fd7617d4af8d42b2d187b258e1721001752042dcc3a3befbe91e49d9ebb9c7f5f8c7d8140202fe9a88f297666a93aa406732735c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

Filesize
1.5MB

MD5
4dd205752e9d320eceffcdd931168612

SHA1
419857273e5bcd2129ae1e17649b9f26c7dc2c91

SHA256
682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c

SHA512
b2fa020372255e0ec1f297458e58f032c9463cc4461137a682a2e112ad4bdd1864f67fe94fcb1f9c9a3a794de65009a71d3ae06a9a3364199b69b02acf34f862

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

Filesize
1.5MB

MD5
4dd205752e9d320eceffcdd931168612

SHA1
419857273e5bcd2129ae1e17649b9f26c7dc2c91

SHA256
682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c

SHA512
b2fa020372255e0ec1f297458e58f032c9463cc4461137a682a2e112ad4bdd1864f67fe94fcb1f9c9a3a794de65009a71d3ae06a9a3364199b69b02acf34f862

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

Filesize
1.5MB

MD5
4dd205752e9d320eceffcdd931168612

SHA1
419857273e5bcd2129ae1e17649b9f26c7dc2c91

SHA256
682380797ae9778897073195be56468a2415a45e75e4b2d589ab9aebb734eb2c

SHA512
b2fa020372255e0ec1f297458e58f032c9463cc4461137a682a2e112ad4bdd1864f67fe94fcb1f9c9a3a794de65009a71d3ae06a9a3364199b69b02acf34f862

Download Submit
memory/1100-152-0x0000000000000000-mapping.dmp

Download
memory/1100-158-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1100-156-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1100-155-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1100-153-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1180-176-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/1180-184-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/1180-171-0x0000000000000000-mapping.dmp

Download
memory/2012-134-0x0000000000000000-mapping.dmp

Download
memory/2012-139-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2012-141-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2400-142-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2400-167-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2400-136-0x0000000000000000-mapping.dmp

Download
memory/2400-140-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2424-151-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2424-149-0x0000000000000000-mapping.dmp

Download
memory/2424-159-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3352-144-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3352-143-0x0000000000000000-mapping.dmp

Download
memory/3352-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3352-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3436-175-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3436-177-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3436-168-0x0000000000000000-mapping.dmp

Download
memory/4072-165-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4072-163-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4072-161-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4072-160-0x0000000000000000-mapping.dmp

Download
memory/4644-179-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4644-178-0x0000000000000000-mapping.dmp

Download
memory/4644-181-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4644-183-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5016-132-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/5016-166-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/5016-133-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download