hawkeye | d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e

General

Target

d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
Size

993KB
MD5

6d344a5398d29561c114a95da3eee85c
SHA1

d90b3e5bf309af06d1dd87c7f79f50d3d322ba5c
SHA256

d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e
SHA512

cefa627232b75149b13fe099d840481daf84d8fcd8e684975b2873c7d0bc42fd4ded8a35303f960ea525ad8d35d772fca1023ececce10f7fc6f32a2b07a021e8
SSDEEP

12288:guEbpKb7E7d4Z2gzo5ddjwRLo1UaiZWacmVjy0fIKtklOefmMLzrWS/hJpoUHn:gdKbw7dM2gcxoEQ5W4WlqSj

Score

10^/10

hawkeye microsoft collection keylogger persistence phishing spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4128-139-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral2/memory/2676-144-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/2676-145-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/2676-147-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/2676-148-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4128-139-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral2/memory/5072-160-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/5072-161-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/5072-163-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/5072-164-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/5072-170-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4128-139-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral2/memory/2676-144-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/2676-145-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2676-147-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2676-148-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/5072-160-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/5072-161-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/5072-163-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/5072-164-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/5072-170-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 whatismyipaddress.com
17 whatismyipaddress.com
Detected potential entity reuse from brand microsoft.
phishing microsoft

flow	ioc
15	whatismyipaddress.com
17	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exetakshost.exetakshost.exe

description	pid	process	target process
PID 3744 set thread context of 1808	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
PID 1028 set thread context of 4128	1028	takshost.exe	takshost.exe
PID 4128 set thread context of 2676	4128	takshost.exe	vbc.exe
PID 4128 set thread context of 5072	4128	takshost.exe	vbc.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221129210134.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\45c0ee9f-9b61-4660-8b95-1f8075f25629.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exevbc.exemsedge.exetakshost.exeidentity_helper.exemsedge.exe

pid	process
1972	msedge.exe
1972	msedge.exe
5072	vbc.exe
5072	vbc.exe
3236	msedge.exe
3236	msedge.exe
4128	takshost.exe
4128	takshost.exe
2304	identity_helper.exe
2304	identity_helper.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3236 msedge.exe
3236 msedge.exe
3236 msedge.exe
3236 msedge.exe
3236 msedge.exe
3236 msedge.exe
3236 msedge.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe

pid process

3744 d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe

pid	process
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe

pid	process
3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exetakshost.exetakshost.exe

description	pid	process
Token: SeDebugPrivilege	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
Token: SeDebugPrivilege	1028	takshost.exe
Token: SeDebugPrivilege	4128	takshost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

3236 msedge.exe
3236 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

takshost.exe

pid process

4128 takshost.exe

pid	process
3236	msedge.exe
3236	msedge.exe

pid	process
4128	takshost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exetakshost.exed47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exemsedge.exetakshost.exe

description	pid	process	target process
PID 3744 wrote to memory of 1808	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
PID 3744 wrote to memory of 1808	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
PID 3744 wrote to memory of 1808	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
PID 3744 wrote to memory of 1808	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
PID 3744 wrote to memory of 1808	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
PID 3744 wrote to memory of 1808	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
PID 3744 wrote to memory of 1808	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
PID 3744 wrote to memory of 1808	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
PID 3744 wrote to memory of 1028	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	takshost.exe
PID 3744 wrote to memory of 1028	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	takshost.exe
PID 3744 wrote to memory of 1028	3744	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	takshost.exe
PID 1028 wrote to memory of 4128	1028	takshost.exe	takshost.exe
PID 1028 wrote to memory of 4128	1028	takshost.exe	takshost.exe
PID 1028 wrote to memory of 4128	1028	takshost.exe	takshost.exe
PID 1028 wrote to memory of 4128	1028	takshost.exe	takshost.exe
PID 1028 wrote to memory of 4128	1028	takshost.exe	takshost.exe
PID 1028 wrote to memory of 4128	1028	takshost.exe	takshost.exe
PID 1028 wrote to memory of 4128	1028	takshost.exe	takshost.exe
PID 1028 wrote to memory of 4128	1028	takshost.exe	takshost.exe
PID 1808 wrote to memory of 3236	1808	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	msedge.exe
PID 1808 wrote to memory of 3236	1808	d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe	msedge.exe
PID 3236 wrote to memory of 3996	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 3996	3236	msedge.exe	msedge.exe
PID 4128 wrote to memory of 2676	4128	takshost.exe	vbc.exe
PID 4128 wrote to memory of 2676	4128	takshost.exe	vbc.exe
PID 4128 wrote to memory of 2676	4128	takshost.exe	vbc.exe
PID 4128 wrote to memory of 2676	4128	takshost.exe	vbc.exe
PID 4128 wrote to memory of 2676	4128	takshost.exe	vbc.exe
PID 4128 wrote to memory of 2676	4128	takshost.exe	vbc.exe
PID 4128 wrote to memory of 2676	4128	takshost.exe	vbc.exe
PID 4128 wrote to memory of 2676	4128	takshost.exe	vbc.exe
PID 4128 wrote to memory of 2676	4128	takshost.exe	vbc.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe
PID 3236 wrote to memory of 4340	3236	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
"C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe
"C:\Users\Admin\AppData\Local\Temp\d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffe54bb46f8,0x7ffe54bb4708,0x7ffe54bb4718
4⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
4⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
4⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
4⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
4⤵
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
4⤵
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 /prefetch:8
4⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
4⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
4⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
4⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
4⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3948 /prefetch:8
4⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
4⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6ba115460,0x7ff6ba115470,0x7ff6ba115480
5⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3316 /prefetch:8
4⤵
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3324 /prefetch:8
4⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13547291010873096145,11485383167124145994,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3348 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d47614a7c6b9d2287be5d8fddf5ff859e35697cca52ea4379fe31067e3e0985e.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe54bb46f8,0x7ffe54bb4708,0x7ffe54bb4718
4⤵
PID:4448

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Accesses Microsoft Outlook accounts
PID:2676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
\??\pipe\LOCAL\crashpad_3236_OEKIYWOHKEHMPKZM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1028-137-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1028-140-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/1028-135-0x0000000000000000-mapping.dmp

Download
memory/1076-166-0x0000000000000000-mapping.dmp

Download
memory/1436-172-0x0000000000000000-mapping.dmp

Download
memory/1808-133-0x0000000000000000-mapping.dmp

Download
memory/1968-180-0x0000000000000000-mapping.dmp

Download
memory/1972-151-0x0000000000000000-mapping.dmp

Download
memory/2044-154-0x0000000000000000-mapping.dmp

Download
memory/2112-168-0x0000000000000000-mapping.dmp

Download
memory/2304-187-0x0000000000000000-mapping.dmp

Download
memory/2372-189-0x0000000000000000-mapping.dmp

Download
memory/2676-144-0x0000000000000000-mapping.dmp

Download
memory/2676-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2676-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2676-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2900-176-0x0000000000000000-mapping.dmp

Download
memory/2916-174-0x0000000000000000-mapping.dmp

Download
memory/3236-142-0x0000000000000000-mapping.dmp

Download
memory/3500-155-0x0000000000000000-mapping.dmp

Download
memory/3744-132-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3744-136-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/3968-178-0x0000000000000000-mapping.dmp

Download
memory/3996-143-0x0000000000000000-mapping.dmp

Download
memory/4128-138-0x0000000000000000-mapping.dmp

Download
memory/4128-139-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4128-141-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4128-156-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4340-150-0x0000000000000000-mapping.dmp

Download
memory/4448-157-0x0000000000000000-mapping.dmp

Download
memory/4620-182-0x0000000000000000-mapping.dmp

Download
memory/4728-184-0x0000000000000000-mapping.dmp

Download
memory/4844-191-0x0000000000000000-mapping.dmp

Download
memory/4912-186-0x0000000000000000-mapping.dmp

Download
memory/5020-185-0x0000000000000000-mapping.dmp

Download
memory/5020-192-0x0000000000000000-mapping.dmp

Download
memory/5072-170-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5072-164-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5072-163-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5072-161-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5072-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads