Analysis

  • max time kernel
    188s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 17:49

General

  • Target

    5c0982788147e5baaf956a522facb8c0b88c4608d5e199526f4125c43924d194.exe

  • Size

    1.1MB

  • MD5

    36d0c2908620bdfe773f4fc6e419aae8

  • SHA1

    1a41c284bfc185f3bc49c57370d6712276de7559

  • SHA256

    5c0982788147e5baaf956a522facb8c0b88c4608d5e199526f4125c43924d194

  • SHA512

    ae75ec1f231780007f4596aadaf0e54193bdc4ed222d4dabaed0c8b595aebe4d4273cf93ae30d7af95cd2fa3f9e17ec155bc2e8a38844ab07ff428a75c0533d2

  • SSDEEP

    24576:XkLTkXBwWja4SlukeeKL0xJaqT//aqT8E94Tf3C:Ux6

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c0982788147e5baaf956a522facb8c0b88c4608d5e199526f4125c43924d194.exe
    "C:\Users\Admin\AppData\Local\Temp\5c0982788147e5baaf956a522facb8c0b88c4608d5e199526f4125c43924d194.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        • Suspicious use of AdjustPrivilegeToken
        PID:1304
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4712

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    102B

    MD5

    34bf7449a5b88fb4e0b4c2180c628d03

    SHA1

    0ae9e2c2f5ee1cfed9f4958892744dcc8f135b35

    SHA256

    3b2a87ad6b4ac35181764f8282329eb4c672d7701ee5b1a8e16af43d50802f53

    SHA512

    855c2790d3f766977846bc040aa9bc7be4fcff1b32fda189889a59056019793d3be7fa96d3dd1d7383abe684477e6a6acc0440ef1409a3318990724b7593b303

  • C:\Users\Admin\AppData\Local\Temp\holdermail.txt
    Filesize

    327B

    MD5

    1265c5140a2f68b05b92aa1a25a2abb6

    SHA1

    627a660e9d2a41c8c4a662ca44fdb68a1356bc82

    SHA256

    694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

    SHA512

    ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

  • C:\Users\Admin\AppData\Local\Temp\holdermail.txt
    Filesize

    1KB

    MD5

    01e7975c708365983265ae40d604beb4

    SHA1

    f1c793c9b7a312d355cd944928ba9272bbeec44e

    SHA256

    95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40

    SHA512

    9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Filesize

    1.1MB

    MD5

    36d0c2908620bdfe773f4fc6e419aae8

    SHA1

    1a41c284bfc185f3bc49c57370d6712276de7559

    SHA256

    5c0982788147e5baaf956a522facb8c0b88c4608d5e199526f4125c43924d194

    SHA512

    ae75ec1f231780007f4596aadaf0e54193bdc4ed222d4dabaed0c8b595aebe4d4273cf93ae30d7af95cd2fa3f9e17ec155bc2e8a38844ab07ff428a75c0533d2

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Filesize

    1.1MB

    MD5

    36d0c2908620bdfe773f4fc6e419aae8

    SHA1

    1a41c284bfc185f3bc49c57370d6712276de7559

    SHA256

    5c0982788147e5baaf956a522facb8c0b88c4608d5e199526f4125c43924d194

    SHA512

    ae75ec1f231780007f4596aadaf0e54193bdc4ed222d4dabaed0c8b595aebe4d4273cf93ae30d7af95cd2fa3f9e17ec155bc2e8a38844ab07ff428a75c0533d2

  • memory/1304-142-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

  • memory/1304-145-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

  • memory/1304-143-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

  • memory/1304-140-0x0000000000000000-mapping.dmp
  • memory/1304-141-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

  • memory/3652-137-0x0000000075190000-0x0000000075741000-memory.dmp
    Filesize

    5.7MB

  • memory/3652-139-0x0000000075190000-0x0000000075741000-memory.dmp
    Filesize

    5.7MB

  • memory/3652-133-0x0000000000000000-mapping.dmp
  • memory/4008-132-0x0000000075190000-0x0000000075741000-memory.dmp
    Filesize

    5.7MB

  • memory/4008-136-0x0000000075190000-0x0000000075741000-memory.dmp
    Filesize

    5.7MB

  • memory/4712-146-0x0000000000000000-mapping.dmp
  • memory/4712-147-0x0000000000400000-0x000000000048B000-memory.dmp
    Filesize

    556KB

  • memory/4712-148-0x0000000000400000-0x000000000048B000-memory.dmp
    Filesize

    556KB

  • memory/4712-149-0x0000000000400000-0x000000000048B000-memory.dmp
    Filesize

    556KB

  • memory/4712-150-0x0000000000400000-0x000000000048B000-memory.dmp
    Filesize

    556KB

  • memory/4712-151-0x0000000000400000-0x000000000048B000-memory.dmp
    Filesize

    556KB

  • memory/4712-153-0x0000000000400000-0x000000000048B000-memory.dmp
    Filesize

    556KB