hawkeye | 60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2

Analysis

max time kernel
208s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
Size

1.0MB
MD5

dc03fdb0261a5e747cd3a83153be2df6
SHA1

d27ce5f7f2947e7f914153d572025c6ab75792f3
SHA256

60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2
SHA512

83219bd8fade6479500a30fc0a249d188d569dd9cd802b7c508690b5540dd2e0c0e5f0f4cea1ed5756f2833e7f40adb19a2ce2d0fa2faf5431835faddcc85af1
SSDEEP

24576:ySkWMx78Vs5UisGWbNNu6HyVm5L5vCa3cgCObJjRMH:ySix78Vs+fvNJyyqa

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2052-135-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2052-135-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2052-135-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft

Executes dropped EXE 10 IoCs

Processes:

BrokerInfrastructure.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeBrokerInfrastructure.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exe

pid	process
2440	BrokerInfrastructure.exe
2524	AudioEndpointBuilder.exe
4468	AudioEndpointBuilder.exe
4592	BrokerInfrastructure.exe
3288	AudioEndpointBuilder.exe
832	AudioEndpointBuilder.exe
4540	AudioEndpointBuilder.exe
1156	AudioEndpointBuilder.exe
4724	AudioEndpointBuilder.exe
2032	AudioEndpointBuilder.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	BrokerInfrastructure.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	AudioEndpointBuilder.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

74 whatismyipaddress.com

flow	ioc
74	whatismyipaddress.com

Suspicious use of SetThreadContext 8 IoCs

Processes:

60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exeAudioEndpointBuilder.exe

description	pid	process	target process
PID 3200 set thread context of 2052	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
PID 2524 set thread context of 4468	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 set thread context of 3288	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 set thread context of 832	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 set thread context of 4540	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 set thread context of 1156	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 set thread context of 4724	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 set thread context of 2032	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exeBrokerInfrastructure.exe

pid	process
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
2440	BrokerInfrastructure.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
2440	BrokerInfrastructure.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
2440	BrokerInfrastructure.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
2440	BrokerInfrastructure.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
2440	BrokerInfrastructure.exe
2440	BrokerInfrastructure.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exeBrokerInfrastructure.exeAudioEndpointBuilder.exeBrokerInfrastructure.exe60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe

description	pid	process
Token: SeDebugPrivilege	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
Token: SeDebugPrivilege	2440	BrokerInfrastructure.exe
Token: SeDebugPrivilege	2524	AudioEndpointBuilder.exe
Token: SeDebugPrivilege	4592	BrokerInfrastructure.exe
Token: SeDebugPrivilege	2052	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe

pid process

2052 60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe

pid	process
2052	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe

description	pid	process	target process
PID 3200 wrote to memory of 2052	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
PID 3200 wrote to memory of 2052	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
PID 3200 wrote to memory of 2052	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
PID 3200 wrote to memory of 2052	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
PID 3200 wrote to memory of 2052	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
PID 3200 wrote to memory of 2052	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
PID 3200 wrote to memory of 2052	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
PID 3200 wrote to memory of 2052	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
PID 3200 wrote to memory of 2440	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	BrokerInfrastructure.exe
PID 3200 wrote to memory of 2440	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	BrokerInfrastructure.exe
PID 3200 wrote to memory of 2440	3200	60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe	BrokerInfrastructure.exe
PID 2440 wrote to memory of 2524	2440	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 2440 wrote to memory of 2524	2440	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 2440 wrote to memory of 2524	2440	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4468	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4468	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4468	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4468	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4468	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4468	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4468	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4468	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4592	2524	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 2524 wrote to memory of 4592	2524	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 2524 wrote to memory of 4592	2524	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 2524 wrote to memory of 3288	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 3288	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 3288	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 3288	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 3288	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 3288	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 3288	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 3288	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 832	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 832	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 832	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 832	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 832	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 832	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 832	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 832	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4540	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4540	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4540	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4540	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4540	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4540	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4540	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4540	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 1156	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 1156	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 1156	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 1156	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 1156	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 1156	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 1156	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 1156	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4724	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4724	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4724	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4724	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4724	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4724	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2524 wrote to memory of 4724	2524	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe

C:\Users\Admin\AppData\Local\Temp\60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
"C:\Users\Admin\AppData\Local\Temp\60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe
"C:\Users\Admin\AppData\Local\Temp\60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:4468

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:3288

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:832

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:4540

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:1156

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:4724

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AudioEndpointBuilder.exe.log
Filesize
774B

MD5
049b2c7e274ebb68f3ada1961c982a22

SHA1
796b9f03c8cd94617ea26aaf861af9fb2a5731db

SHA256
5c69c41dceda1bb32d4054d6b483bb3e3af84c8cf0a6191c79068168a1d506b3

SHA512
fb2ee642e1401772d514e86b0b8dd117659335066242e85c158b40e8912572f2bd7b9a0f63f9b9f4d7a2e051579345215f6b1f147881f3d1e78f335c45d78ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\BrokerInfrastructure.exe.log
Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
dc03fdb0261a5e747cd3a83153be2df6

SHA1
d27ce5f7f2947e7f914153d572025c6ab75792f3

SHA256
60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2

SHA512
83219bd8fade6479500a30fc0a249d188d569dd9cd802b7c508690b5540dd2e0c0e5f0f4cea1ed5756f2833e7f40adb19a2ce2d0fa2faf5431835faddcc85af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
dc03fdb0261a5e747cd3a83153be2df6

SHA1
d27ce5f7f2947e7f914153d572025c6ab75792f3

SHA256
60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2

SHA512
83219bd8fade6479500a30fc0a249d188d569dd9cd802b7c508690b5540dd2e0c0e5f0f4cea1ed5756f2833e7f40adb19a2ce2d0fa2faf5431835faddcc85af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
dc03fdb0261a5e747cd3a83153be2df6

SHA1
d27ce5f7f2947e7f914153d572025c6ab75792f3

SHA256
60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2

SHA512
83219bd8fade6479500a30fc0a249d188d569dd9cd802b7c508690b5540dd2e0c0e5f0f4cea1ed5756f2833e7f40adb19a2ce2d0fa2faf5431835faddcc85af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
dc03fdb0261a5e747cd3a83153be2df6

SHA1
d27ce5f7f2947e7f914153d572025c6ab75792f3

SHA256
60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2

SHA512
83219bd8fade6479500a30fc0a249d188d569dd9cd802b7c508690b5540dd2e0c0e5f0f4cea1ed5756f2833e7f40adb19a2ce2d0fa2faf5431835faddcc85af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
dc03fdb0261a5e747cd3a83153be2df6

SHA1
d27ce5f7f2947e7f914153d572025c6ab75792f3

SHA256
60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2

SHA512
83219bd8fade6479500a30fc0a249d188d569dd9cd802b7c508690b5540dd2e0c0e5f0f4cea1ed5756f2833e7f40adb19a2ce2d0fa2faf5431835faddcc85af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
dc03fdb0261a5e747cd3a83153be2df6

SHA1
d27ce5f7f2947e7f914153d572025c6ab75792f3

SHA256
60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2

SHA512
83219bd8fade6479500a30fc0a249d188d569dd9cd802b7c508690b5540dd2e0c0e5f0f4cea1ed5756f2833e7f40adb19a2ce2d0fa2faf5431835faddcc85af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
dc03fdb0261a5e747cd3a83153be2df6

SHA1
d27ce5f7f2947e7f914153d572025c6ab75792f3

SHA256
60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2

SHA512
83219bd8fade6479500a30fc0a249d188d569dd9cd802b7c508690b5540dd2e0c0e5f0f4cea1ed5756f2833e7f40adb19a2ce2d0fa2faf5431835faddcc85af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
dc03fdb0261a5e747cd3a83153be2df6

SHA1
d27ce5f7f2947e7f914153d572025c6ab75792f3

SHA256
60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2

SHA512
83219bd8fade6479500a30fc0a249d188d569dd9cd802b7c508690b5540dd2e0c0e5f0f4cea1ed5756f2833e7f40adb19a2ce2d0fa2faf5431835faddcc85af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1.0MB

MD5
dc03fdb0261a5e747cd3a83153be2df6

SHA1
d27ce5f7f2947e7f914153d572025c6ab75792f3

SHA256
60abc37cfc4bfc4ddd45356493f78ffd441d9fc133eee7b954d6d0350ffcabb2

SHA512
83219bd8fade6479500a30fc0a249d188d569dd9cd802b7c508690b5540dd2e0c0e5f0f4cea1ed5756f2833e7f40adb19a2ce2d0fa2faf5431835faddcc85af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
17KB

MD5
4cd74165822090fb30ffd34f21a0429a

SHA1
679c25004514e1ad69d01dc189c14222d94e9690

SHA256
c75bc731cf056028b9d2ca8dead3178d916d77c062c0e3b04d6baee1c519ce55

SHA512
f4d999714b7424eab49a7fafd45b10e49aeabe7d1b9f5e905b5633a4739aa8e4154bbdabd19f688151a58c548ac224992f796bc8436322d584f589de3ccf3854

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
17KB

MD5
4cd74165822090fb30ffd34f21a0429a

SHA1
679c25004514e1ad69d01dc189c14222d94e9690

SHA256
c75bc731cf056028b9d2ca8dead3178d916d77c062c0e3b04d6baee1c519ce55

SHA512
f4d999714b7424eab49a7fafd45b10e49aeabe7d1b9f5e905b5633a4739aa8e4154bbdabd19f688151a58c548ac224992f796bc8436322d584f589de3ccf3854

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
17KB

MD5
4cd74165822090fb30ffd34f21a0429a

SHA1
679c25004514e1ad69d01dc189c14222d94e9690

SHA256
c75bc731cf056028b9d2ca8dead3178d916d77c062c0e3b04d6baee1c519ce55

SHA512
f4d999714b7424eab49a7fafd45b10e49aeabe7d1b9f5e905b5633a4739aa8e4154bbdabd19f688151a58c548ac224992f796bc8436322d584f589de3ccf3854

Download Submit
memory/832-170-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/832-167-0x0000000000000000-mapping.dmp

Download
memory/832-171-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/1156-178-0x0000000000000000-mapping.dmp

Download
memory/1156-181-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/1156-183-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/1156-182-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/2032-189-0x0000000000000000-mapping.dmp

Download
memory/2052-142-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/2052-145-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/2052-135-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2052-134-0x0000000000000000-mapping.dmp

Download
memory/2440-151-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/2440-146-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/2440-143-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/2440-136-0x0000000000000000-mapping.dmp

Download
memory/2524-147-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/2524-144-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/2524-140-0x0000000000000000-mapping.dmp

Download
memory/3200-132-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/3200-152-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/3200-133-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/3288-161-0x0000000000000000-mapping.dmp

Download
memory/3288-165-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/3288-166-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4468-160-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4468-153-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4468-148-0x0000000000000000-mapping.dmp

Download
memory/4468-158-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4540-177-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4540-175-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4540-172-0x0000000000000000-mapping.dmp

Download
memory/4540-176-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4592-157-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4592-154-0x0000000000000000-mapping.dmp

Download
memory/4592-159-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4724-187-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4724-188-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4724-184-0x0000000000000000-mapping.dmp

Download