hawkeye | e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

Analysis

max time kernel
195s
max time network
208s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
Size

595KB
MD5

783d2bea764af0c2a775b197a5c2ccc6
SHA1

36f287818b5fb3c703a9b5d6f1790b372b896b68
SHA256

e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905
SHA512

781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f
SSDEEP

12288:/3k6NsIiLy413Nm2UX+O7FsRYMIAJk8DfCjetsb4XMPfOV:vk6VieGNK+ajMhDfJmb4XeOV

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 11 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1548-60-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1548-62-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1548-64-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1884-96-0x000000000047EA7E-mapping.dmp	MailPassView
behavioral1/memory/1884-98-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1884-100-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1784-113-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1784-114-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1784-117-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1784-118-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1784-119-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 11 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1548-60-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1548-62-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1548-64-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1884-96-0x000000000047EA7E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1884-98-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1884-100-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/632-121-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/632-120-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/632-124-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/632-125-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/632-127-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 16 IoCs

resource	yara_rule
behavioral1/memory/1548-60-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1548-62-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1548-64-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1884-96-0x000000000047EA7E-mapping.dmp	Nirsoft
behavioral1/memory/1884-98-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1884-100-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1784-113-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1784-114-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1784-117-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1784-118-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1784-119-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/632-121-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/632-120-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/632-124-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/632-125-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/632-127-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
1756	csrss.exe
1220	csrss.exe

Loads dropped DLL 4 IoCs

pid	Process
1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	whatismyipaddress.com
22	whatismyipaddress.com
23	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1308 set thread context of 1548	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	28
PID 768 set thread context of 1884	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	31
PID 1884 set thread context of 1784	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	34
PID 1884 set thread context of 632	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\SystemCertificates\CA\Certificates\2E8734348C03390D24FAF96E86BB01B39E3AD4DB	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\SystemCertificates\CA\Certificates\2E8734348C03390D24FAF96E86BB01B39E3AD4DB\Blob = 0300000001000000140000002e8734348c03390d24faf96e86bb01b39e3ad4db14000000010000001400000004c9da9adc4a4977af300304662ec7cef2f8177d040000000100000010000000e3955f40768d3da1ebb481a5a88077740f0000000100000014000000df489413f7dd0b185b0e9b3f3bfe30fd8b703e90190000000100000010000000af0264d0c165d8aac78e11d408c8df5c1800000001000000100000000b6cd9778e41ad67fd6be0a6903710444b0000000100000044000000310042003100460034004200410036003600430044004200460045004300380035004100320030004500310031004200460037003200390041004600320033005f0000002000000001000000b6040000308204b23082039aa003020102021064fe29dccf38e030dcffe34d05689661300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d2043413022180f32303039303330333132353335365a180f32303234303330333132353335365a3078310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479311c301a0603550403131343657274756d204c6576656c2049494920434130820122300d06092a864886f70d01010105000382010f003082010a02820101009f51965c4b7c2e494708353f0bed491d2a6a5e58684d08d73f7897723144dc6194f594e9d3cd9d1dadf1e4f90791f9fea4099cfbc79e31e31b03dcfcf5c54b22a9adbaa7e1956563ac2be280fd617667e8c4a43cfe74e876781e49a51479dc74a69fb6128aae0d59fc5a802598c0489cdbcb0f77e786f5b2c7d64ebb8750064e76f5b78c287f5fe2daea3089e44486ee55f79579ef0c88ca7fff5f2512ef29a4c3dfc8519e8b109557faeadd37bd4aa65f6a9545d7bcf39552b314f30e893a13bb80403ccba0fa8ed2a64472dc37fe1483ed0083f19011fc0ef143ec6df07303cb0c7ed782961c37cee7ee2864abb56f065aa0044ab60d7b559c7b6b18c25ac70203010001a382016c30820168300f0603551d130101ff040530030101ff301d0603551d0e0416041404c9da9adc4a4977af300304662ec7cef2f8177d30520603551d23044b3049a142a440303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d2043418203010020300e0603551d0f0101ff040403020106302c0603551d1f042530233021a01fa01d861b687474703a2f2f63726c2e63657274756d2e706c2f63612e63726c306806082b06010505070101045c305a302806082b06010505073001861c687474703a2f2f73756263612e6f6373702d63657274756d2e636f6d302e06082b060105050730028622687474703a2f2f7265706f7369746f72792e63657274756d2e706c2f63612e636572303a0603551d2004333031302f0604551d20003027302506082b06010505070201161968747470733a2f2f7777772e63657274756d2e706c2f435053300d06092a864886f70d010105050003820101009ce11bad346b1a3707594266adc08302462fe9327664aa2d7faa19beddd6e567cd33ce0dd4e15b465ca71412f0579a678bb9a69c55c01ede0bd562cb529737d3bc4d4189464ffedb9e2a2d50f254b1f42e90e5b1109a9ab3b72e15b4a2c02b144018757820ae1d271da1f50f615c47f32274bef7dd7fb7184a620f182ea90cfbddb14c4ed54e6ea0262d550a787da8e36304024050cf3eaa8799faeb91d448776984bed6153463740a0ac43ed16317b6229563c7eac98e826038222e976b80210ba242a704bde4b963e2ebb0dea67e3e26c10cc73b233d7ed2f40a9ec956844e20b18f5407966ffe251588cfc1d90a004685220eed77a34cfcea83ead536f4f5	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0400000001000000100000002c8f9f661d1890b147269d8e86828ca90f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181181900000001000000100000000b6cd9778e41ad67fd6be0a6903710442000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	csrss.exe
1756	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe
1220	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	csrss.exe
Token: SeDebugPrivilege	1220	csrss.exe
Token: SeDebugPrivilege	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1548	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	28
PID 1308 wrote to memory of 1548	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	28
PID 1308 wrote to memory of 1548	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	28
PID 1308 wrote to memory of 1548	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	28
PID 1308 wrote to memory of 1548	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	28
PID 1308 wrote to memory of 1548	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	28
PID 1308 wrote to memory of 1548	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	28
PID 1308 wrote to memory of 1548	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	28
PID 1308 wrote to memory of 1548	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	28
PID 1308 wrote to memory of 1756	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	29
PID 1308 wrote to memory of 1756	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	29
PID 1308 wrote to memory of 1756	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	29
PID 1308 wrote to memory of 1756	1308	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	29
PID 1756 wrote to memory of 768	1756	csrss.exe	30
PID 1756 wrote to memory of 768	1756	csrss.exe	30
PID 1756 wrote to memory of 768	1756	csrss.exe	30
PID 1756 wrote to memory of 768	1756	csrss.exe	30
PID 768 wrote to memory of 1884	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	31
PID 768 wrote to memory of 1884	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	31
PID 768 wrote to memory of 1884	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	31
PID 768 wrote to memory of 1884	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	31
PID 768 wrote to memory of 1884	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	31
PID 768 wrote to memory of 1884	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	31
PID 768 wrote to memory of 1884	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	31
PID 768 wrote to memory of 1884	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	31
PID 768 wrote to memory of 1884	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	31
PID 768 wrote to memory of 1220	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	32
PID 768 wrote to memory of 1220	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	32
PID 768 wrote to memory of 1220	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	32
PID 768 wrote to memory of 1220	768	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	32
PID 1884 wrote to memory of 1784	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	34
PID 1884 wrote to memory of 1784	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	34
PID 1884 wrote to memory of 1784	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	34
PID 1884 wrote to memory of 1784	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	34
PID 1884 wrote to memory of 1784	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	34
PID 1884 wrote to memory of 1784	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	34
PID 1884 wrote to memory of 1784	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	34
PID 1884 wrote to memory of 1784	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	34
PID 1884 wrote to memory of 1784	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	34
PID 1884 wrote to memory of 1784	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	34
PID 1884 wrote to memory of 632	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	35
PID 1884 wrote to memory of 632	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	35
PID 1884 wrote to memory of 632	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	35
PID 1884 wrote to memory of 632	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	35
PID 1884 wrote to memory of 632	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	35
PID 1884 wrote to memory of 632	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	35
PID 1884 wrote to memory of 632	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	35
PID 1884 wrote to memory of 632	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	35
PID 1884 wrote to memory of 632	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	35
PID 1884 wrote to memory of 632	1884	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	35

C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
"C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
  "C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe"
  2⤵
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  "C:\Users\Admin\AppData\Local\Temp\csrss.exe" -keyhide -prochide 1548 -reg C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe -proc 1548 C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
    "C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
      "C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:1784
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        5⤵
        
        PID:632
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss.exe" -keyhide -prochide 1884 -reg C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe -proc 1884 C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1F4BA66CDBFEC85A20E11BF729AF23_0FDA2E67E371AEB03992D56035802B07

Filesize
1KB

MD5
0b8050814dacc6f1ee8e1f3fdb9f49bc

SHA1
d0724eabbc4b7150459696dab7d1c68cf3894da3

SHA256
e287141495a2b8e5af2cbe432549011953ebdc121a2bc557a05b019a62b70e1a

SHA512
98b57adcf360ef87920c4c9dc10cba1c5ceef89fd9c7a8ec4bded51d196fa7e2ffe8c24926ed36628215cf47df7ad6d37b42b4e3f5867533219536e2b2e343f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CE4CFAB51DB3F9AB265C1526D1E6F12F_3E2D1C1422740EC934E275AEAA05CEA6

Filesize
1KB

MD5
3ea1e94e127129ea14bdb3767e79644e

SHA1
5e01bd01de4b3f5eee4552cbaa2cd4902d7194f7

SHA256
3592b1d049666fe5a870f317b91f5e151086ccf75c3afb3f49abb77a288a485c

SHA512
f4a8b26fa02af820cc0c35174be844b0af0e99dad473e6e65903d04254922e7e18f9eedd2017b85d15495e4c31559895b49d1001851a1f2cfb0db6c108f77a37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1F4BA66CDBFEC85A20E11BF729AF23_0FDA2E67E371AEB03992D56035802B07

Filesize
416B

MD5
3732d3fb46138267bdac6211c62d3e76

SHA1
9be039506fc94a54225e56af9fc9808e2e0292d2

SHA256
ec7a801781dd52071a6df04f0d067a6cd772bb672dd81ede0ee3098f1d1bc767

SHA512
51f6d5b3516eceb3c860de0f2f66d45ac6e6b059d356344796e58e7c05f15a6dd148d41a65e3358481e5e9cc35283944ee0753b36f226634e903ba4b9126fb45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1F4BA66CDBFEC85A20E11BF729AF23_0FDA2E67E371AEB03992D56035802B07

Filesize
416B

MD5
3732d3fb46138267bdac6211c62d3e76

SHA1
9be039506fc94a54225e56af9fc9808e2e0292d2

SHA256
ec7a801781dd52071a6df04f0d067a6cd772bb672dd81ede0ee3098f1d1bc767

SHA512
51f6d5b3516eceb3c860de0f2f66d45ac6e6b059d356344796e58e7c05f15a6dd148d41a65e3358481e5e9cc35283944ee0753b36f226634e903ba4b9126fb45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ed6f3ae0b3a34f8ab9b7f8f55d7141d

SHA1
5189109095e37515a826a65c9e512ef74925ba06

SHA256
a5afc2c116df20f0a31b2d62fe77b52b88a5a358bd2ffa9a8646e34588cc2c9d

SHA512
1fc7aee40e5daec00adae59a2f65a437da22c8056dc96dc6f9af0d55d8eb95483eb840f24067eb378aeb3715c6131d0e4c422f5349d3a8308c0eb11f9a19329d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CE4CFAB51DB3F9AB265C1526D1E6F12F_3E2D1C1422740EC934E275AEAA05CEA6

Filesize
406B

MD5
361dcf929e0ff872ac69d2c34ee83ca4

SHA1
fbaf61219f9f626ab9f4c65919b0b6a6f589531e

SHA256
21a03cd4f8ce2395ddaa691ef9dfadda179018b3bc2122c5e28f81a8ca6d2d0c

SHA512
8a66b57047bbd649cabd23e79045f8bdf06e493fb4805d3fd9f0db8821ca9d9e662d096519231dacc607b6fd5eea80c9b38fc310809275b029285448ff9b572b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CE4CFAB51DB3F9AB265C1526D1E6F12F_3E2D1C1422740EC934E275AEAA05CEA6

Filesize
406B

MD5
361dcf929e0ff872ac69d2c34ee83ca4

SHA1
fbaf61219f9f626ab9f4c65919b0b6a6f589531e

SHA256
21a03cd4f8ce2395ddaa691ef9dfadda179018b3bc2122c5e28f81a8ca6d2d0c

SHA512
8a66b57047bbd649cabd23e79045f8bdf06e493fb4805d3fd9f0db8821ca9d9e662d096519231dacc607b6fd5eea80c9b38fc310809275b029285448ff9b572b

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
595KB

MD5
783d2bea764af0c2a775b197a5c2ccc6

SHA1
36f287818b5fb3c703a9b5d6f1790b372b896b68

SHA256
e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

SHA512
781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
595KB

MD5
783d2bea764af0c2a775b197a5c2ccc6

SHA1
36f287818b5fb3c703a9b5d6f1790b372b896b68

SHA256
e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

SHA512
781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
595KB

MD5
783d2bea764af0c2a775b197a5c2ccc6

SHA1
36f287818b5fb3c703a9b5d6f1790b372b896b68

SHA256
e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

SHA512
781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
595KB

MD5
783d2bea764af0c2a775b197a5c2ccc6

SHA1
36f287818b5fb3c703a9b5d6f1790b372b896b68

SHA256
e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

SHA512
781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
595KB

MD5
783d2bea764af0c2a775b197a5c2ccc6

SHA1
36f287818b5fb3c703a9b5d6f1790b372b896b68

SHA256
e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

SHA512
781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
595KB

MD5
783d2bea764af0c2a775b197a5c2ccc6

SHA1
36f287818b5fb3c703a9b5d6f1790b372b896b68

SHA256
e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

SHA512
781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
595KB

MD5
783d2bea764af0c2a775b197a5c2ccc6

SHA1
36f287818b5fb3c703a9b5d6f1790b372b896b68

SHA256
e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

SHA512
781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
595KB

MD5
783d2bea764af0c2a775b197a5c2ccc6

SHA1
36f287818b5fb3c703a9b5d6f1790b372b896b68

SHA256
e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

SHA512
781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f

Download Submit
memory/632-120-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/632-125-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/632-124-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/632-127-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/768-86-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/768-108-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-109-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-111-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1308-56-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1308-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1308-73-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1308-55-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-64-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1548-58-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1548-60-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1548-62-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1548-57-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1756-83-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-80-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-79-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1784-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1784-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1784-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1784-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1884-100-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1884-112-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-110-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-98-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download