Analysis
-
max time kernel
151s -
max time network
170s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
28-11-2022 13:25
General
-
Target
d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
-
Size
993KB
-
MD5
6d344a5398d29561c114a95da3eee85c
-
SHA1
d90b3e5bf309af06d1dd87c7f79f50d3d322ba5c
-
SHA256
d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e
-
SHA512
cefa627232b75149b13fe099d840481daf84d8fcd8e684975b2873c7d0bc42fd4ded8a35303f960ea525ad8d35d772fca1023ececce10f7fc6f32a2b07a021e8
-
SSDEEP
12288:guEbpKb7E7d4Z2gzo5ddjwRLo1UaiZWacmVjy0fIKtklOefmMLzrWS/hJpoUHn:gdKbw7dM2gcxoEQ5W4WlqSj
Malware Config
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NirSoft MailPassView 12 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 12 IoCs
Password recovery tool for various web browsers
-
Nirsoft 17 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe"C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe"C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.03⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:392 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BFile_1.jpgFilesize
12KB
MD5df5ce15d53cef13a938c4ca363f8bf36
SHA1081147197558b40c67ae4112bf3f005abae61e70
SHA256d274f4a4103517844671b358a93c7935823de040b87e46a647963c30270cf6a3
SHA512444eb960de91ddd0774fe3597abe767ad01ca7676564c4d224e099997c7f46f3fc4d921d13086a148e06c856bd28bc31ab945b62a28698f451aef9fcad5da571
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WHLSHT1K.txtFilesize
603B
MD57e70a046897d56fae30d7ca8572e0313
SHA1e92369e5532ea37f039769024f292f865561084b
SHA256d270a2b6dea3bcf8ff20f4543e7a13e85f7825a3e326ece1349d36c43f0c7fbc
SHA512337094dc4806fb9bb8132b96f4e0ec09b68aae0d72e46e516a4f775c74902e07a6b5346f28d816496790b693828bf2cdd8e8ff00e299c8e449b56e3b72f5dac4
-
memory/428-99-0x0000000000442628-mapping.dmp
-
memory/428-102-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/428-103-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/428-98-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/428-105-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/568-86-0x0000000074EE0000-0x000000007548B000-memory.dmpFilesize
5.7MB
-
memory/568-90-0x0000000074EE0000-0x000000007548B000-memory.dmpFilesize
5.7MB
-
memory/568-79-0x00000000004876EE-mapping.dmp
-
memory/916-54-0x0000000076871000-0x0000000076873000-memory.dmpFilesize
8KB
-
memory/916-55-0x0000000074EE0000-0x000000007548B000-memory.dmpFilesize
5.7MB
-
memory/916-70-0x0000000074EE0000-0x000000007548B000-memory.dmpFilesize
5.7MB
-
memory/960-62-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/960-67-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/960-61-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/960-63-0x00000000004876EE-mapping.dmp
-
memory/960-59-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/960-57-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/960-56-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/960-65-0x0000000000400000-0x000000000048C000-memory.dmpFilesize
560KB
-
memory/1976-85-0x0000000074EE0000-0x000000007548B000-memory.dmpFilesize
5.7MB
-
memory/1976-71-0x0000000074EE0000-0x000000007548B000-memory.dmpFilesize
5.7MB
-
memory/1976-68-0x0000000000000000-mapping.dmp
-
memory/1980-97-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1980-96-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1980-95-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1980-92-0x0000000000411654-mapping.dmp
-
memory/1980-91-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
