hawkeye | e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

Analysis

max time kernel
175s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
Size

595KB
MD5

783d2bea764af0c2a775b197a5c2ccc6
SHA1

36f287818b5fb3c703a9b5d6f1790b372b896b68
SHA256

e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905
SHA512

781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f
SSDEEP

12288:/3k6NsIiLy413Nm2UX+O7FsRYMIAJk8DfCjetsb4XMPfOV:vk6VieGNK+ajMhDfJmb4XeOV

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 8 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/480-133-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/480-135-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral2/memory/480-134-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral2/memory/480-136-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral2/memory/4984-146-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/4984-147-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/4984-149-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/4984-150-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/480-133-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/480-135-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral2/memory/480-134-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral2/memory/480-136-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral2/memory/480-133-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/480-135-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral2/memory/480-134-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral2/memory/480-136-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral2/memory/4984-146-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4984-147-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4984-149-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4984-150-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
8	csrss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 480	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	90
PID 480 set thread context of 4984	480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b06010505070308620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d81436247f0000000100000016000000301406082b0601050507030906082b060105050703011400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000007e00000001000000080000000000cf97a737d6010300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0400000001000000100000002c8f9f661d1890b147269d8e86828ca90300000001000000140000006252dc40f71143a22fde9ef7348e064251b181187e00000001000000080000000000cf97a737d6010b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded37f0000000100000016000000301406082b0601050507030906082b06010505070301620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d814362409000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b06010505070308620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d81436247f0000000100000016000000301406082b0601050507030906082b060105050703011400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000007e00000001000000080000000000cf97a737d6010300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180400000001000000100000002c8f9f661d1890b147269d8e86828ca92000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 5c0000000100000004000000000800000400000001000000100000002c8f9f661d1890b147269d8e86828ca90300000001000000140000006252dc40f71143a22fde9ef7348e064251b181187e00000001000000080000000000cf97a737d6010b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded37f0000000100000016000000301406082b0601050507030906082b06010505070301620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d814362409000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad1900000001000000100000000b6cd9778e41ad67fd6be0a6903710442000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2E8734348C03390D24FAF96E86BB01B39E3AD4DB	csrss.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2E8734348C03390D24FAF96E86BB01B39E3AD4DB\Blob = 0300000001000000140000002e8734348c03390d24faf96e86bb01b39e3ad4db14000000010000001400000004c9da9adc4a4977af300304662ec7cef2f8177d040000000100000010000000e3955f40768d3da1ebb481a5a88077740f0000000100000014000000df489413f7dd0b185b0e9b3f3bfe30fd8b703e90190000000100000010000000af0264d0c165d8aac78e11d408c8df5c5c0000000100000004000000000800001800000001000000100000000b6cd9778e41ad67fd6be0a6903710444b0000000100000044000000310042003100460034004200410036003600430044004200460045004300380035004100320030004500310031004200460037003200390041004600320033005f0000002000000001000000b6040000308204b23082039aa003020102021064fe29dccf38e030dcffe34d05689661300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d2043413022180f32303039303330333132353335365a180f32303234303330333132353335365a3078310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479311c301a0603550403131343657274756d204c6576656c2049494920434130820122300d06092a864886f70d01010105000382010f003082010a02820101009f51965c4b7c2e494708353f0bed491d2a6a5e58684d08d73f7897723144dc6194f594e9d3cd9d1dadf1e4f90791f9fea4099cfbc79e31e31b03dcfcf5c54b22a9adbaa7e1956563ac2be280fd617667e8c4a43cfe74e876781e49a51479dc74a69fb6128aae0d59fc5a802598c0489cdbcb0f77e786f5b2c7d64ebb8750064e76f5b78c287f5fe2daea3089e44486ee55f79579ef0c88ca7fff5f2512ef29a4c3dfc8519e8b109557faeadd37bd4aa65f6a9545d7bcf39552b314f30e893a13bb80403ccba0fa8ed2a64472dc37fe1483ed0083f19011fc0ef143ec6df07303cb0c7ed782961c37cee7ee2864abb56f065aa0044ab60d7b559c7b6b18c25ac70203010001a382016c30820168300f0603551d130101ff040530030101ff301d0603551d0e0416041404c9da9adc4a4977af300304662ec7cef2f8177d30520603551d23044b3049a142a440303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d2043418203010020300e0603551d0f0101ff040403020106302c0603551d1f042530233021a01fa01d861b687474703a2f2f63726c2e63657274756d2e706c2f63612e63726c306806082b06010505070101045c305a302806082b06010505073001861c687474703a2f2f73756263612e6f6373702d63657274756d2e636f6d302e06082b060105050730028622687474703a2f2f7265706f7369746f72792e63657274756d2e706c2f63612e636572303a0603551d2004333031302f0604551d20003027302506082b06010505070201161968747470733a2f2f7777772e63657274756d2e706c2f435053300d06092a864886f70d010105050003820101009ce11bad346b1a3707594266adc08302462fe9327664aa2d7faa19beddd6e567cd33ce0dd4e15b465ca71412f0579a678bb9a69c55c01ede0bd562cb529737d3bc4d4189464ffedb9e2a2d50f254b1f42e90e5b1109a9ab3b72e15b4a2c02b144018757820ae1d271da1f50f615c47f32274bef7dd7fb7184a620f182ea90cfbddb14c4ed54e6ea0262d550a787da8e36304024050cf3eaa8799faeb91d448776984bed6153463740a0ac43ed16317b6229563c7eac98e826038222e976b80210ba242a704bde4b963e2ebb0dea67e3e26c10cc73b233d7ed2f40a9ec956844e20b18f5407966ffe251588cfc1d90a004685220eed77a34cfcea83ead536f4f5	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe
8	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	csrss.exe
Token: SeDebugPrivilege	480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 480	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	90
PID 2460 wrote to memory of 480	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	90
PID 2460 wrote to memory of 480	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	90
PID 2460 wrote to memory of 480	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	90
PID 2460 wrote to memory of 480	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	90
PID 2460 wrote to memory of 480	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	90
PID 2460 wrote to memory of 480	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	90
PID 2460 wrote to memory of 480	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	90
PID 2460 wrote to memory of 8	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	93
PID 2460 wrote to memory of 8	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	93
PID 2460 wrote to memory of 8	2460	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	93
PID 480 wrote to memory of 4984	480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	101
PID 480 wrote to memory of 4984	480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	101
PID 480 wrote to memory of 4984	480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	101
PID 480 wrote to memory of 4984	480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	101
PID 480 wrote to memory of 4984	480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	101
PID 480 wrote to memory of 4984	480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	101
PID 480 wrote to memory of 4984	480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	101
PID 480 wrote to memory of 4984	480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	101
PID 480 wrote to memory of 4984	480	e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe	101

C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
"C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
  "C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:480
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:4984
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  "C:\Users\Admin\AppData\Local\Temp\csrss.exe" -keyhide -prochide 480 -reg C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe -proc 480 C:\Users\Admin\AppData\Local\Temp\e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
595KB

MD5
783d2bea764af0c2a775b197a5c2ccc6

SHA1
36f287818b5fb3c703a9b5d6f1790b372b896b68

SHA256
e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

SHA512
781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
595KB

MD5
783d2bea764af0c2a775b197a5c2ccc6

SHA1
36f287818b5fb3c703a9b5d6f1790b372b896b68

SHA256
e555821b5492a3b516940e156657860f00ce034c2149b101e18fb59112ff4905

SHA512
781edd5e2c37415cbc386d8af6a09f023794cc1c530ab7ff78cb9952fc4cebfa62b7c881d8158c6bbc4a00a88bf1ec972791d750cc5cd398d88ee1a318e52e0f

Download Submit
memory/8-145-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/8-143-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/480-144-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/480-136-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/480-138-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/480-135-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/480-134-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2460-142-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/2460-132-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/4984-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4984-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4984-150-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download