hawkeye | 41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f

Analysis

max time kernel
154s
max time network
120s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
Size

1.2MB
MD5

ceabbc90cd1582f1e9b6bebaea1684f1
SHA1

600f41cb2a056208e1bf928440643f617478912b
SHA256

41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f
SHA512

666487dd5204b3a467f23bc874604b7984472856a696795cbb68988c98781b16cf92b425619290aeb1ac4d520d25b22cf83718e54a73616a979ea6da39e78f95
SSDEEP

24576:E2a5a9gHSaExU8QGqpwI8qknngTkRuCdfKLtlsDbS4kfSgJ4VHa6:A5a9gHSNUjGqpN8HnttdifsDbS48SgJN

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 4 IoCs

Processes:

BrokerInfrastructure.exeAudioEndpointBuilder.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe

pid process

1972 BrokerInfrastructure.exe
1232 AudioEndpointBuilder.exe
1060 BrokerInfrastructure.exe
1652 AudioEndpointBuilder.exe
Loads dropped DLL 3 IoCs

Processes:

41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe

pid process

1236 41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1972 BrokerInfrastructure.exe
1232 AudioEndpointBuilder.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1972	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1060	BrokerInfrastructure.exe
1652	AudioEndpointBuilder.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exeAudioEndpointBuilder.exe41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe

description	pid	process	target process
PID 1236 set thread context of 1092	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
PID 1232 set thread context of 1652	1232	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1092 set thread context of 764	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 set thread context of 960	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exeBrokerInfrastructure.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe

pid	process
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1972	BrokerInfrastructure.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1972	BrokerInfrastructure.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1972	BrokerInfrastructure.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1972	BrokerInfrastructure.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
1060	BrokerInfrastructure.exe
1232	AudioEndpointBuilder.exe
1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exeBrokerInfrastructure.exeAudioEndpointBuilder.exeBrokerInfrastructure.exe41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
Token: SeDebugPrivilege	1972	BrokerInfrastructure.exe
Token: SeDebugPrivilege	1232	AudioEndpointBuilder.exe
Token: SeDebugPrivilege	1060	BrokerInfrastructure.exe
Token: SeDebugPrivilege	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
Token: SeDebugPrivilege	764	vbc.exe
Token: SeDebugPrivilege	960	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe

pid process

1092 41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe

pid	process
1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe

description	pid	process	target process
PID 1236 wrote to memory of 1092	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
PID 1236 wrote to memory of 1092	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
PID 1236 wrote to memory of 1092	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
PID 1236 wrote to memory of 1092	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
PID 1236 wrote to memory of 1092	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
PID 1236 wrote to memory of 1092	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
PID 1236 wrote to memory of 1092	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
PID 1236 wrote to memory of 1092	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
PID 1236 wrote to memory of 1092	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
PID 1236 wrote to memory of 1972	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	BrokerInfrastructure.exe
PID 1236 wrote to memory of 1972	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	BrokerInfrastructure.exe
PID 1236 wrote to memory of 1972	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	BrokerInfrastructure.exe
PID 1236 wrote to memory of 1972	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	BrokerInfrastructure.exe
PID 1972 wrote to memory of 1232	1972	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 1972 wrote to memory of 1232	1972	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 1972 wrote to memory of 1232	1972	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 1972 wrote to memory of 1232	1972	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 1236 wrote to memory of 1060	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	BrokerInfrastructure.exe
PID 1236 wrote to memory of 1060	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	BrokerInfrastructure.exe
PID 1236 wrote to memory of 1060	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	BrokerInfrastructure.exe
PID 1236 wrote to memory of 1060	1236	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	BrokerInfrastructure.exe
PID 1232 wrote to memory of 1652	1232	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1232 wrote to memory of 1652	1232	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1232 wrote to memory of 1652	1232	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1232 wrote to memory of 1652	1232	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1232 wrote to memory of 1652	1232	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1232 wrote to memory of 1652	1232	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1232 wrote to memory of 1652	1232	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1232 wrote to memory of 1652	1232	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1232 wrote to memory of 1652	1232	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 1092 wrote to memory of 764	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 764	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 764	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 764	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 764	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 764	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 764	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 764	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 764	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 764	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 960	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 960	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 960	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 960	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 960	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 960	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 960	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 960	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 960	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe
PID 1092 wrote to memory of 960	1092	41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
"C:\Users\Admin\AppData\Local\Temp\41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe
"C:\Users\Admin\AppData\Local\Temp\41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.2MB

MD5
ceabbc90cd1582f1e9b6bebaea1684f1

SHA1
600f41cb2a056208e1bf928440643f617478912b

SHA256
41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f

SHA512
666487dd5204b3a467f23bc874604b7984472856a696795cbb68988c98781b16cf92b425619290aeb1ac4d520d25b22cf83718e54a73616a979ea6da39e78f95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.2MB

MD5
ceabbc90cd1582f1e9b6bebaea1684f1

SHA1
600f41cb2a056208e1bf928440643f617478912b

SHA256
41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f

SHA512
666487dd5204b3a467f23bc874604b7984472856a696795cbb68988c98781b16cf92b425619290aeb1ac4d520d25b22cf83718e54a73616a979ea6da39e78f95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.2MB

MD5
ceabbc90cd1582f1e9b6bebaea1684f1

SHA1
600f41cb2a056208e1bf928440643f617478912b

SHA256
41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f

SHA512
666487dd5204b3a467f23bc874604b7984472856a696795cbb68988c98781b16cf92b425619290aeb1ac4d520d25b22cf83718e54a73616a979ea6da39e78f95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
10KB

MD5
bf02279434500b30877a522434389851

SHA1
fe29e7a8eae7ffb6030e6fe0447ec92bf8f65e27

SHA256
3273a7509ed5c93a2f2c1020e2acc36b2c3be23973f597562a5542eac0554056

SHA512
af1ba3f8c7af769604c717286d3e7a2b2464f27603d0029c313e432984f9ad55e41672ccda38349906bbf962d4c3eef39b276b6e3ee2617d7f014057bd6789fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
10KB

MD5
bf02279434500b30877a522434389851

SHA1
fe29e7a8eae7ffb6030e6fe0447ec92bf8f65e27

SHA256
3273a7509ed5c93a2f2c1020e2acc36b2c3be23973f597562a5542eac0554056

SHA512
af1ba3f8c7af769604c717286d3e7a2b2464f27603d0029c313e432984f9ad55e41672ccda38349906bbf962d4c3eef39b276b6e3ee2617d7f014057bd6789fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
10KB

MD5
bf02279434500b30877a522434389851

SHA1
fe29e7a8eae7ffb6030e6fe0447ec92bf8f65e27

SHA256
3273a7509ed5c93a2f2c1020e2acc36b2c3be23973f597562a5542eac0554056

SHA512
af1ba3f8c7af769604c717286d3e7a2b2464f27603d0029c313e432984f9ad55e41672ccda38349906bbf962d4c3eef39b276b6e3ee2617d7f014057bd6789fd

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize
4B

MD5
6a2feef8ed6a9fe76d6b3f30f02150b4

SHA1
14b21325096dd31c90a39900a910122c4d9fe3d9

SHA256
5f302d143dace627a6a87157fd1362b010874e4dc64609b17d87db648de0af3c

SHA512
1b4883f1e981c4934e346f8996cb55508c738e8b2221462c890836c5182a25f735de719d575f67724ce9f5925a33a882192543fa715ef99b70a2ad75a647ba46

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.2MB

MD5
ceabbc90cd1582f1e9b6bebaea1684f1

SHA1
600f41cb2a056208e1bf928440643f617478912b

SHA256
41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f

SHA512
666487dd5204b3a467f23bc874604b7984472856a696795cbb68988c98781b16cf92b425619290aeb1ac4d520d25b22cf83718e54a73616a979ea6da39e78f95

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.2MB

MD5
ceabbc90cd1582f1e9b6bebaea1684f1

SHA1
600f41cb2a056208e1bf928440643f617478912b

SHA256
41cacd0a1beb6dfefc7232166910ea87e447024361d26b03e1aba73df0b6f04f

SHA512
666487dd5204b3a467f23bc874604b7984472856a696795cbb68988c98781b16cf92b425619290aeb1ac4d520d25b22cf83718e54a73616a979ea6da39e78f95

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
10KB

MD5
bf02279434500b30877a522434389851

SHA1
fe29e7a8eae7ffb6030e6fe0447ec92bf8f65e27

SHA256
3273a7509ed5c93a2f2c1020e2acc36b2c3be23973f597562a5542eac0554056

SHA512
af1ba3f8c7af769604c717286d3e7a2b2464f27603d0029c313e432984f9ad55e41672ccda38349906bbf962d4c3eef39b276b6e3ee2617d7f014057bd6789fd

Download Submit
memory/764-122-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/764-121-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/764-138-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/764-118-0x0000000000462B6D-mapping.dmp

Download
memory/764-117-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/764-116-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/764-114-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/764-112-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/764-110-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/764-109-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/960-123-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/960-124-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/960-136-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/960-135-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/960-131-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/960-132-0x0000000000460E2D-mapping.dmp

Download
memory/960-130-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/960-126-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/960-128-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1060-85-0x0000000000000000-mapping.dmp

Download
memory/1060-107-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1060-99-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1092-57-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1092-58-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1092-68-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1092-60-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1092-62-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1092-63-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1092-84-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1092-75-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1092-64-0x000000000051BB6E-mapping.dmp

Download
memory/1092-66-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1232-82-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1232-106-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1232-79-0x0000000000000000-mapping.dmp

Download
memory/1236-56-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1236-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1236-55-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-108-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-105-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-96-0x000000000051BB6E-mapping.dmp

Download
memory/1972-83-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-76-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-71-0x0000000000000000-mapping.dmp

Download