hawkeye | fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af

Analysis

max time kernel
172s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
Size

1020KB
MD5

324a31fe5e07c7a0ce67e27ba7e42607
SHA1

c9a4692e2edfd6d2c0e1c1366a76aa16bd8b3f83
SHA256

fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af
SHA512

202e1b7f8e37448cff72669afbfe69bc77c668935d67e6e24a4f2c7e71edf7ac410dc06ea9d60bda92d9e28cea08def4d3c9151cd6c2f0047e062bb62d288bb3
SSDEEP

12288:+TycucknhmDChohIEFnlIrhrcRmwRigZfF3/TpsEwr2eWQ4npgISvQcuY7vEGFDL:+TycJDjdv+hoRj39s5t0KIMu7G7qipl

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.com
Port:
587
Username:
scottywaylandy@mail.com
Password:
@bigmoney123

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1072-135-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral2/memory/1104-175-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/1104-176-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1104-178-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1104-179-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1072-135-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral2/memory/2132-180-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/2132-181-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/2132-183-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/2132-184-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/2132-186-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1072-135-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral2/memory/1104-175-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/1104-176-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1104-178-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1104-179-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2132-180-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/2132-181-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/2132-183-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/2132-184-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/2132-186-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

BrokerInfrastructure.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe

pid	process
3608	BrokerInfrastructure.exe
2908	AudioEndpointBuilder.exe
4540	AudioEndpointBuilder.exe
3540	BrokerInfrastructure.exe
2592	AudioEndpointBuilder.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exeBrokerInfrastructure.exeAudioEndpointBuilder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	BrokerInfrastructure.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AudioEndpointBuilder.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 whatismyipaddress.com
42 whatismyipaddress.com
86 whatismyipaddress.com

flow	ioc
40	whatismyipaddress.com
42	whatismyipaddress.com
86	whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exefcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exe

description	pid	process	target process
PID 5088 set thread context of 1072	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
PID 1072 set thread context of 2764	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	vbc.exe
PID 2908 set thread context of 4540	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 set thread context of 2592	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2592 set thread context of 1104	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 set thread context of 2132	2592	AudioEndpointBuilder.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2828 2764 WerFault.exe vbc.exe
4264 2764 WerFault.exe vbc.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

pid	pid_target	process	target process
2828	2764	WerFault.exe	vbc.exe
4264	2764	WerFault.exe	vbc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exeBrokerInfrastructure.exefcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe

pid	process
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
3608	BrokerInfrastructure.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
3608	BrokerInfrastructure.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
3608	BrokerInfrastructure.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
3608	BrokerInfrastructure.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
3608	BrokerInfrastructure.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exeBrokerInfrastructure.exefcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exeAudioEndpointBuilder.exedw20.exeBrokerInfrastructure.exedw20.exeAudioEndpointBuilder.exe

description	pid	process
Token: SeDebugPrivilege	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
Token: SeDebugPrivilege	3608	BrokerInfrastructure.exe
Token: SeDebugPrivilege	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
Token: SeDebugPrivilege	2908	AudioEndpointBuilder.exe
Token: SeRestorePrivilege	4316	dw20.exe
Token: SeBackupPrivilege	4316	dw20.exe
Token: SeBackupPrivilege	4316	dw20.exe
Token: SeBackupPrivilege	4316	dw20.exe
Token: SeBackupPrivilege	4316	dw20.exe
Token: SeDebugPrivilege	3540	BrokerInfrastructure.exe
Token: SeBackupPrivilege	2864	dw20.exe
Token: SeBackupPrivilege	2864	dw20.exe
Token: SeDebugPrivilege	2592	AudioEndpointBuilder.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exeAudioEndpointBuilder.exe

pid process

1072 fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
2592 AudioEndpointBuilder.exe

pid	process
1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
2592	AudioEndpointBuilder.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 5088 wrote to memory of 1072	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
PID 5088 wrote to memory of 1072	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
PID 5088 wrote to memory of 1072	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
PID 5088 wrote to memory of 1072	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
PID 5088 wrote to memory of 1072	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
PID 5088 wrote to memory of 1072	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
PID 5088 wrote to memory of 1072	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
PID 5088 wrote to memory of 1072	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
PID 5088 wrote to memory of 3608	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	BrokerInfrastructure.exe
PID 5088 wrote to memory of 3608	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	BrokerInfrastructure.exe
PID 5088 wrote to memory of 3608	5088	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	BrokerInfrastructure.exe
PID 3608 wrote to memory of 2908	3608	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 3608 wrote to memory of 2908	3608	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 3608 wrote to memory of 2908	3608	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 1072 wrote to memory of 2764	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	vbc.exe
PID 1072 wrote to memory of 2764	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	vbc.exe
PID 1072 wrote to memory of 2764	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	vbc.exe
PID 1072 wrote to memory of 2764	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	vbc.exe
PID 1072 wrote to memory of 2764	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	vbc.exe
PID 1072 wrote to memory of 2764	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	vbc.exe
PID 1072 wrote to memory of 2764	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	vbc.exe
PID 1072 wrote to memory of 2764	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	vbc.exe
PID 1072 wrote to memory of 2764	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	vbc.exe
PID 1072 wrote to memory of 4316	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	dw20.exe
PID 1072 wrote to memory of 4316	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	dw20.exe
PID 1072 wrote to memory of 4316	1072	fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe	dw20.exe
PID 2908 wrote to memory of 4540	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 4540	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 4540	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 4540	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 4540	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 4540	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 4540	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 4540	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 3540	2908	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 2908 wrote to memory of 3540	2908	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 2908 wrote to memory of 3540	2908	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 4540 wrote to memory of 2864	4540	AudioEndpointBuilder.exe	dw20.exe
PID 4540 wrote to memory of 2864	4540	AudioEndpointBuilder.exe	dw20.exe
PID 4540 wrote to memory of 2864	4540	AudioEndpointBuilder.exe	dw20.exe
PID 2908 wrote to memory of 2592	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 2592	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 2592	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 2592	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 2592	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 2592	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 2592	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2908 wrote to memory of 2592	2908	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2592 wrote to memory of 1104	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 1104	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 1104	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 1104	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 1104	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 1104	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 1104	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 1104	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 1104	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 2132	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 2132	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 2132	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 2132	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 2132	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 2132	2592	AudioEndpointBuilder.exe	vbc.exe
PID 2592 wrote to memory of 2132	2592	AudioEndpointBuilder.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
"C:\Users\Admin\AppData\Local\Temp\fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe
"C:\Users\Admin\AppData\Local\Temp\fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 188
4⤵
- Program crash
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 192
4⤵
- Program crash
PID:4264

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1032
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1248
5⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Accesses Microsoft Outlook accounts
PID:1104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
5⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2764 -ip 2764
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2764 -ip 2764
1⤵
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\BrokerInfrastructure.exe.log
Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1020KB

MD5
324a31fe5e07c7a0ce67e27ba7e42607

SHA1
c9a4692e2edfd6d2c0e1c1366a76aa16bd8b3f83

SHA256
fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af

SHA512
202e1b7f8e37448cff72669afbfe69bc77c668935d67e6e24a4f2c7e71edf7ac410dc06ea9d60bda92d9e28cea08def4d3c9151cd6c2f0047e062bb62d288bb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1020KB

MD5
324a31fe5e07c7a0ce67e27ba7e42607

SHA1
c9a4692e2edfd6d2c0e1c1366a76aa16bd8b3f83

SHA256
fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af

SHA512
202e1b7f8e37448cff72669afbfe69bc77c668935d67e6e24a4f2c7e71edf7ac410dc06ea9d60bda92d9e28cea08def4d3c9151cd6c2f0047e062bb62d288bb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1020KB

MD5
324a31fe5e07c7a0ce67e27ba7e42607

SHA1
c9a4692e2edfd6d2c0e1c1366a76aa16bd8b3f83

SHA256
fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af

SHA512
202e1b7f8e37448cff72669afbfe69bc77c668935d67e6e24a4f2c7e71edf7ac410dc06ea9d60bda92d9e28cea08def4d3c9151cd6c2f0047e062bb62d288bb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1020KB

MD5
324a31fe5e07c7a0ce67e27ba7e42607

SHA1
c9a4692e2edfd6d2c0e1c1366a76aa16bd8b3f83

SHA256
fcec386dd4e6df367dce4d766fbea6e39d1f838f216e50767c392e717dc5c8af

SHA512
202e1b7f8e37448cff72669afbfe69bc77c668935d67e6e24a4f2c7e71edf7ac410dc06ea9d60bda92d9e28cea08def4d3c9151cd6c2f0047e062bb62d288bb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
59882082f35cfab34acb407b7e95241c

SHA1
caa21d2c0d24e317b48cc6d998e70e863f5a509d

SHA256
c92ab4aa356c559b7701747f53b4a09bc0643d96e2a269493eab7b101e31950d

SHA512
727f4e41b3c742720e4efc3d734a1fe4fc2d11711cb2874151a4087727db00e437997fec8a54bf46d8e6a5af4e6ea9b12e29f763f8ae30e8d209a4bd64a4cb98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
59882082f35cfab34acb407b7e95241c

SHA1
caa21d2c0d24e317b48cc6d998e70e863f5a509d

SHA256
c92ab4aa356c559b7701747f53b4a09bc0643d96e2a269493eab7b101e31950d

SHA512
727f4e41b3c742720e4efc3d734a1fe4fc2d11711cb2874151a4087727db00e437997fec8a54bf46d8e6a5af4e6ea9b12e29f763f8ae30e8d209a4bd64a4cb98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
59882082f35cfab34acb407b7e95241c

SHA1
caa21d2c0d24e317b48cc6d998e70e863f5a509d

SHA256
c92ab4aa356c559b7701747f53b4a09bc0643d96e2a269493eab7b101e31950d

SHA512
727f4e41b3c742720e4efc3d734a1fe4fc2d11711cb2874151a4087727db00e437997fec8a54bf46d8e6a5af4e6ea9b12e29f763f8ae30e8d209a4bd64a4cb98

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize
4B

MD5
a1519de5b5d44b31a01de013b9b51a80

SHA1
6b4142e2e97b851a319b0fcab23709b40e3fc19f

SHA256
f8b2f96ed09b16bfd24ff625c064408fe19143db121b7944763fcbcc69ab4991

SHA512
8664d841038f133afe27daee3891518a46f9a2ea19b728041dc242cb2fad0654824277000753d844fde630475f49ae60d72b729d1c69859641ae7a89fd1b6222

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt
Filesize
102B

MD5
5fe55d552acea47dae77880893ae385a

SHA1
b79484fc122dec62adef114f47a38192e777df84

SHA256
680d6d86bf746fd9e1e417e9d3ba8945398e3f4fe54425e692fdecc77fc71c46

SHA512
e422ecedf825005a82eec26f147237e53e379594867c2103ff349871aa0d7500c728896e3709cccec4c3e5b0391028fee505ff4a926be517063605b47da03917

Download Submit
memory/1072-136-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1072-135-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1072-134-0x0000000000000000-mapping.dmp

Download
memory/1072-165-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1072-145-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1104-175-0x0000000000000000-mapping.dmp

Download
memory/1104-179-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1104-178-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1104-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2132-183-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2132-180-0x0000000000000000-mapping.dmp

Download
memory/2132-181-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2132-184-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2132-186-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2592-174-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2592-171-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2592-168-0x0000000000000000-mapping.dmp

Download
memory/2764-148-0x0000000000000000-mapping.dmp

Download
memory/2764-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-166-0x0000000000000000-mapping.dmp

Download
memory/2908-144-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2908-141-0x0000000000000000-mapping.dmp

Download
memory/2908-147-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/3540-164-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/3540-162-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/3540-159-0x0000000000000000-mapping.dmp

Download
memory/3608-146-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/3608-137-0x0000000000000000-mapping.dmp

Download
memory/3608-158-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/3608-143-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4316-152-0x0000000000000000-mapping.dmp

Download
memory/4540-153-0x0000000000000000-mapping.dmp

Download
memory/4540-167-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4540-156-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4540-163-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/5088-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/5088-157-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/5088-133-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download