hawkeye | c76f6e44390f63e0a43bddef270f959c31899c65b93f139a0efbd2f2e625b1a8

System Information Discovery

Processes:

4DA4E24086338BD0451BEC5230D9CA86.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	4DA4E24086338BD0451BEC5230D9CA86.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 whatismyipaddress.com
9 whatismyipaddress.com

flow	ioc
7	whatismyipaddress.com
9	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

Windows Update.exe

description	pid	process	target process
PID 1448 set thread context of 1992	1448	Windows Update.exe	vbc.exe
PID 1448 set thread context of 4508	1448	Windows Update.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Windows Update.exe

pid process

1448 Windows Update.exe

pid	process
1448	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Windows Update.exevbc.exevbc.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	1448	Windows Update.exe
Token: SeDebugPrivilege	1992	vbc.exe
Token: SeDebugPrivilege	4508	vbc.exe
Token: SeRestorePrivilege	1216	dw20.exe
Token: SeBackupPrivilege	1216	dw20.exe
Token: SeBackupPrivilege	1216	dw20.exe
Token: SeBackupPrivilege	1216	dw20.exe
Token: SeBackupPrivilege	1216	dw20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

1448 Windows Update.exe

pid	process
1448	Windows Update.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

4DA4E24086338BD0451BEC5230D9CA86.exeWindows Update.exe

description	pid	process	target process
PID 4156 wrote to memory of 1448	4156	4DA4E24086338BD0451BEC5230D9CA86.exe	Windows Update.exe
PID 4156 wrote to memory of 1448	4156	4DA4E24086338BD0451BEC5230D9CA86.exe	Windows Update.exe
PID 4156 wrote to memory of 1448	4156	4DA4E24086338BD0451BEC5230D9CA86.exe	Windows Update.exe
PID 1448 wrote to memory of 1992	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 1992	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 1992	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 1992	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 1992	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 1992	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 1992	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 1992	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 1992	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 4508	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 4508	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 4508	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 4508	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 4508	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 4508	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 4508	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 4508	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 4508	1448	Windows Update.exe	vbc.exe
PID 1448 wrote to memory of 1216	1448	Windows Update.exe	dw20.exe
PID 1448 wrote to memory of 1216	1448	Windows Update.exe	dw20.exe
PID 1448 wrote to memory of 1216	1448	Windows Update.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\4DA4E24086338BD0451BEC5230D9CA86.exe
"C:\Users\Admin\AppData\Local\Temp\4DA4E24086338BD0451BEC5230D9CA86.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4156

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1484
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

System Information Discovery

4

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection