hawkeye | f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334

Analysis

max time kernel
154s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
Size

1.2MB
MD5

802e875ad94efb8973607d5331cdd95d
SHA1

0bea92a51fb96433a9831e4159c4f5c13bac055d
SHA256

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334
SHA512

dfbed5ed38aef42baeee3383746aed145ac4839b6ceff946bf6d059ed2aa5ac1f40fcf57e6f95c30f76c0cb2005b63590ee44d0fb01a3fdca22382c1219baeb7
SSDEEP

24576:ATh1eoiO36rGtmc6w05LR743Hhq1hZhaaa0gbg6GX+IA71r8NJi9E3NNCtja8:2h19iv8TB+WRqRh7NIgXXExr8NJLN8te

Score

10^/10

hawkeye collection evasion keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe

Executes dropped EXE 4 IoCs

Processes:

AppMgnt.exehknswc.exehknswc.exeAppMgnt.exe

pid process

4980 AppMgnt.exe
2120 hknswc.exe
2188 hknswc.exe
3964 AppMgnt.exe

pid	process
4980	AppMgnt.exe
2120	hknswc.exe
2188	hknswc.exe
3964	AppMgnt.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exeAppMgnt.exehknswc.exeAppMgnt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AppMgnt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	hknswc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AppMgnt.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

vbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 whatismyipaddress.com

flow	ioc
23	whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exehknswc.exef8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exehknswc.exe

description	pid	process	target process
PID 1260 set thread context of 4304	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
PID 2120 set thread context of 2188	2120	hknswc.exe	hknswc.exe
PID 4304 set thread context of 3672	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 2188 set thread context of 4124	2188	hknswc.exe	vbc.exe
PID 4304 set thread context of 764	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 2188 set thread context of 2448	2188	hknswc.exe	vbc.exe

Drops file in Windows directory 3 IoCs

Processes:

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
File created	C:\Windows\assembly\Desktop.ini	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2512 schtasks.exe
2992 schtasks.exe

pid	process
2512	schtasks.exe
2992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exeAppMgnt.exehknswc.exeAppMgnt.exe

pid	process
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
4980	AppMgnt.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
4980	AppMgnt.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
4980	AppMgnt.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
4980	AppMgnt.exe
4980	AppMgnt.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
4980	AppMgnt.exe
4980	AppMgnt.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
4980	AppMgnt.exe
4980	AppMgnt.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
4980	AppMgnt.exe
4980	AppMgnt.exe
1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
2120	hknswc.exe
2120	hknswc.exe
2120	hknswc.exe
3964	AppMgnt.exe
3964	AppMgnt.exe
2120	hknswc.exe
2120	hknswc.exe
3964	AppMgnt.exe
3964	AppMgnt.exe
2120	hknswc.exe
2120	hknswc.exe
3964	AppMgnt.exe
2120	hknswc.exe
3964	AppMgnt.exe
2120	hknswc.exe
3964	AppMgnt.exe
2120	hknswc.exe
3964	AppMgnt.exe
3964	AppMgnt.exe
2120	hknswc.exe
3964	AppMgnt.exe
2120	hknswc.exe
2120	hknswc.exe
3964	AppMgnt.exe
2120	hknswc.exe
3964	AppMgnt.exe
3964	AppMgnt.exe
2120	hknswc.exe
3964	AppMgnt.exe
2120	hknswc.exe
3964	AppMgnt.exe
2120	hknswc.exe
3964	AppMgnt.exe
2120	hknswc.exe
2120	hknswc.exe
3964	AppMgnt.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

hknswc.exe

pid process

2188 hknswc.exe

pid	process
2188	hknswc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exeAppMgnt.exehknswc.exeAppMgnt.exef8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exehknswc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
Token: SeDebugPrivilege	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
Token: SeDebugPrivilege	4980	AppMgnt.exe
Token: SeDebugPrivilege	2120	hknswc.exe
Token: SeDebugPrivilege	3964	AppMgnt.exe
Token: SeDebugPrivilege	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
Token: SeDebugPrivilege	2188	hknswc.exe
Token: SeDebugPrivilege	3672	vbc.exe
Token: SeDebugPrivilege	4124	vbc.exe
Token: SeDebugPrivilege	764	vbc.exe
Token: SeDebugPrivilege	2448	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exehknswc.exe

pid process

4304 f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
2188 hknswc.exe

pid	process
4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
2188	hknswc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exeAppMgnt.exehknswc.exeAppMgnt.exef8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exehknswc.exe

description	pid	process	target process
PID 1260 wrote to memory of 4304	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
PID 1260 wrote to memory of 4304	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
PID 1260 wrote to memory of 4304	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
PID 1260 wrote to memory of 4304	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
PID 1260 wrote to memory of 4304	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
PID 1260 wrote to memory of 4304	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
PID 1260 wrote to memory of 4304	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
PID 1260 wrote to memory of 4304	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
PID 1260 wrote to memory of 4980	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	AppMgnt.exe
PID 1260 wrote to memory of 4980	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	AppMgnt.exe
PID 1260 wrote to memory of 4980	1260	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	AppMgnt.exe
PID 4980 wrote to memory of 2120	4980	AppMgnt.exe	hknswc.exe
PID 4980 wrote to memory of 2120	4980	AppMgnt.exe	hknswc.exe
PID 4980 wrote to memory of 2120	4980	AppMgnt.exe	hknswc.exe
PID 4980 wrote to memory of 2512	4980	AppMgnt.exe	schtasks.exe
PID 4980 wrote to memory of 2512	4980	AppMgnt.exe	schtasks.exe
PID 4980 wrote to memory of 2512	4980	AppMgnt.exe	schtasks.exe
PID 2120 wrote to memory of 2188	2120	hknswc.exe	hknswc.exe
PID 2120 wrote to memory of 2188	2120	hknswc.exe	hknswc.exe
PID 2120 wrote to memory of 2188	2120	hknswc.exe	hknswc.exe
PID 2120 wrote to memory of 2188	2120	hknswc.exe	hknswc.exe
PID 2120 wrote to memory of 2188	2120	hknswc.exe	hknswc.exe
PID 2120 wrote to memory of 2188	2120	hknswc.exe	hknswc.exe
PID 2120 wrote to memory of 2188	2120	hknswc.exe	hknswc.exe
PID 2120 wrote to memory of 2188	2120	hknswc.exe	hknswc.exe
PID 2120 wrote to memory of 3964	2120	hknswc.exe	AppMgnt.exe
PID 2120 wrote to memory of 3964	2120	hknswc.exe	AppMgnt.exe
PID 2120 wrote to memory of 3964	2120	hknswc.exe	AppMgnt.exe
PID 3964 wrote to memory of 2992	3964	AppMgnt.exe	schtasks.exe
PID 3964 wrote to memory of 2992	3964	AppMgnt.exe	schtasks.exe
PID 3964 wrote to memory of 2992	3964	AppMgnt.exe	schtasks.exe
PID 4304 wrote to memory of 3672	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 3672	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 3672	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 3672	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 3672	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 3672	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 3672	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 3672	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 3672	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 2188 wrote to memory of 4124	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 4124	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 4124	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 4124	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 4124	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 4124	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 4124	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 4124	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 4124	2188	hknswc.exe	vbc.exe
PID 4304 wrote to memory of 764	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 764	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 764	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 764	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 764	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 764	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 764	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 764	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 4304 wrote to memory of 764	4304	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe	vbc.exe
PID 2188 wrote to memory of 2448	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 2448	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 2448	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 2448	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 2448	2188	hknswc.exe	vbc.exe
PID 2188 wrote to memory of 2448	2188	hknswc.exe	vbc.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe

C:\Users\Admin\AppData\Local\Temp\f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
"C:\Users\Admin\AppData\Local\Temp\f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1260
- C:\Users\Admin\AppData\Local\Temp\f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe
  "C:\Users\Admin\AppData\Local\Temp\f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2512
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        Accesses Microsoft Outlook accounts
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AppMgnt.exe.log

Filesize
404B

MD5
fcc802ed7e1aa47a9e0ba0420dac1632

SHA1
f7a7b06f14790b2e33a66fa6c318f940a6637786

SHA256
676475b51aec5bc3cbd324aca7091e8e63465b0cc77d85a02db484754c4fa7e1

SHA512
df8e129fb26cc87e3f76f69c7bf142116762cfe0377599f353cb2230a3ad992ad358ddba2c46a02e1bb14e4054f3df19b028a6a44699584f2a7f9f4c53092c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
1KB

MD5
01e7975c708365983265ae40d604beb4

SHA1
f1c793c9b7a312d355cd944928ba9272bbeec44e

SHA256
95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40

SHA512
9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
1KB

MD5
01e7975c708365983265ae40d604beb4

SHA1
f1c793c9b7a312d355cd944928ba9272bbeec44e

SHA256
95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40

SHA512
9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
1.2MB

MD5
802e875ad94efb8973607d5331cdd95d

SHA1
0bea92a51fb96433a9831e4159c4f5c13bac055d

SHA256
f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334

SHA512
dfbed5ed38aef42baeee3383746aed145ac4839b6ceff946bf6d059ed2aa5ac1f40fcf57e6f95c30f76c0cb2005b63590ee44d0fb01a3fdca22382c1219baeb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
1.2MB

MD5
802e875ad94efb8973607d5331cdd95d

SHA1
0bea92a51fb96433a9831e4159c4f5c13bac055d

SHA256
f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334

SHA512
dfbed5ed38aef42baeee3383746aed145ac4839b6ceff946bf6d059ed2aa5ac1f40fcf57e6f95c30f76c0cb2005b63590ee44d0fb01a3fdca22382c1219baeb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
1.2MB

MD5
802e875ad94efb8973607d5331cdd95d

SHA1
0bea92a51fb96433a9831e4159c4f5c13bac055d

SHA256
f8753727a9f2e1da0fd767056742795cd8ef421ae50acb67c34c879a8adde334

SHA512
dfbed5ed38aef42baeee3383746aed145ac4839b6ceff946bf6d059ed2aa5ac1f40fcf57e6f95c30f76c0cb2005b63590ee44d0fb01a3fdca22382c1219baeb7

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt

Filesize
4B

MD5
7e889fb76e0e07c11733550f2a6c7a5a

SHA1
bb5403eac4350886390a9a1425dcecbaea40aab5

SHA256
eb1633fa9519afd7441649b638b0b3f5ccc674204c3355fa0e470d1a37a09294

SHA512
0be59ee1ba8797672925e490f1f6d9b4d9497a370c61e6c316ac1d6d17cdbcf5f9a2a5a345ad48186ffc3115b0e4c951dec14bcc180aa2878cf10fdaf8b81935

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt

Filesize
102B

MD5
35203c356b51c5cc91201c2a652551c4

SHA1
8db5417d97fef15bc75085570a0855c8bae4dddf

SHA256
b5cff4ea84f52d6113365c0137f11a491e54af76ea85afd2349ef4ce44abfc5e

SHA512
a9a7f2223b58ed5d06a74aaa6a2e423eb37990714adf9e9d57cee9e4e431f67448396c82a814b214eb805f6e2c9ae818200535ad7944cf689d8eef3aa303a5b1

Download Submit
memory/764-180-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/764-181-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/764-183-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/764-177-0x0000000000000000-mapping.dmp

Download
memory/764-178-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/764-179-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1260-134-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/1260-148-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/1260-133-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2120-146-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2120-162-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2120-142-0x0000000000000000-mapping.dmp

Download
memory/2188-158-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2188-163-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2188-149-0x0000000000000000-mapping.dmp

Download
memory/2448-187-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2448-189-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2448-186-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2448-184-0x0000000000000000-mapping.dmp

Download
memory/2512-143-0x0000000000000000-mapping.dmp

Download
memory/2992-160-0x0000000000000000-mapping.dmp

Download
memory/3672-168-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3672-170-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3672-167-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3672-166-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3672-165-0x0000000000000000-mapping.dmp

Download
memory/3964-164-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/3964-159-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/3964-152-0x0000000000000000-mapping.dmp

Download
memory/4124-173-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4124-176-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4124-174-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4124-171-0x0000000000000000-mapping.dmp

Download
memory/4304-161-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4304-140-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4304-136-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4304-135-0x0000000000000000-mapping.dmp

Download
memory/4980-147-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4980-145-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4980-137-0x0000000000000000-mapping.dmp

Download