Overview

overview

10

Static

static

90f5a9256f...04.exe

windows7-x64

10

90f5a9256f...04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    164s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2023 22:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04.exe

  • Size

    194KB

  • MD5

    0b601c8e85e66b573c24d2ac6846a001

  • SHA1

    80e90c3b91ac845e9c57df24f6de206bff0ba2b8

  • SHA256

    90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04

  • SHA512

    305c1d46f620b7d94fb575ddd32dbe0a2527e198c49013c4ba4976bddda778f71fc03dfc916ce5cee015ea4b80bf38e397bd6b2c62fce944f3933bf26b976150

  • SSDEEP

    3072:leoj6QTDgiEIDL5ntDnj/rlIudpB8gkgqXEoqGxTsiqX5G9:Y+hvg8DL5ntb7hBkgXoZxTsid

Score
10/10
hawkeyekeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    mastaex2@gmail.com
  • Password:
    fh6113887

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04.exe
    "C:\Users\Admin\AppData\Local\Temp\90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    102B

    MD5

    ee5cb40de19805c456427b884ed7c441

    SHA1

    56ded944e2d02beebd92ddf941ca54b439bfe537

    SHA256

    36abd9dd6f59ee1e9be37db29e12c704ae7707103df4894ca1572e75a6311bf4

    SHA512

    470140e1b7afbffd3f26f858a5c029a7edc57016e860d9219ef47c651a08537c4fe53146ce0c1fac8d58ab05b8918239c0a025ee7bd1b0f7dfa7b86aa8416d11

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Filesize

    194KB

    MD5

    0b601c8e85e66b573c24d2ac6846a001

    SHA1

    80e90c3b91ac845e9c57df24f6de206bff0ba2b8

    SHA256

    90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04

    SHA512

    305c1d46f620b7d94fb575ddd32dbe0a2527e198c49013c4ba4976bddda778f71fc03dfc916ce5cee015ea4b80bf38e397bd6b2c62fce944f3933bf26b976150

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Filesize

    194KB

    MD5

    0b601c8e85e66b573c24d2ac6846a001

    SHA1

    80e90c3b91ac845e9c57df24f6de206bff0ba2b8

    SHA256

    90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04

    SHA512

    305c1d46f620b7d94fb575ddd32dbe0a2527e198c49013c4ba4976bddda778f71fc03dfc916ce5cee015ea4b80bf38e397bd6b2c62fce944f3933bf26b976150

    Download Submit
  • memory/892-57-0x0000000000000000-mapping.dmp
    Download
  • memory/892-60-0x000007FEF32D0000-0x000007FEF3CF3000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/892-61-0x000007FEF2230000-0x000007FEF32C6000-memory.dmp
    Filesize

    16.6MB

    Download
  • memory/892-63-0x00000000009E6000-0x0000000000A05000-memory.dmp
    Filesize

    124KB

    Download
  • memory/892-64-0x000000001D690000-0x000000001D98F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/892-65-0x00000000009E6000-0x0000000000A05000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1344-54-0x000007FEF32D0000-0x000007FEF3CF3000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1344-55-0x000007FEF2230000-0x000007FEF32C6000-memory.dmp
    Filesize

    16.6MB

    Download
  • memory/1344-56-0x000007FEFB731000-0x000007FEFB733000-memory.dmp
    Filesize

    8KB

    Download