Analysis
-
max time kernel
145s -
max time network
115s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
11-05-2023 16:17
General
-
Target
Level 7 Free.exe
-
Size
1.1MB
-
MD5
1fa6f3e74dd5a7ef2fefc826a20dcec7
-
SHA1
683b903de198378eed2bf8b0fc81a357d71885e3
-
SHA256
b352a1acc928c427fd002159fa9fef4fb83f5e00517e4724c9f99666ba156255
-
SHA512
1068a4a3cb145d02b501ea81bb938793f70fe80479a88b919b6ef1b0d35a8402aa777bdd59d85530ee7cd9410dcc165bfdcf4bbf6f07db6e21653c68357fa829
-
SSDEEP
24576:bKFuHlslz9lTWEHpqCHFZ19P98/eGAsB9LPx4GjiRtwBYcWJ:bKFuHlUz9laEHpZlZ19P98/8k9LPxHQ3
Malware Config
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
-
Nirsoft 8 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Level 7 Free.exe"C:\Users\Admin\AppData\Local\Temp\Level 7 Free.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe"C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"2⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"2⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0xc41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\RobloxPlayerBeta.exe"C:\Users\Admin\Desktop\RobloxPlayerBeta.exe"1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\RobloxPlayerBeta.exe"C:\Users\Admin\Desktop\RobloxPlayerBeta.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\EBFile_1.exeFilesize
12KB
MD522ebb12b7a9dac8c343a0e2cdbd9f855
SHA1358ee416cf40e1c65d5747f5a9ccea752540b140
SHA256ad22c3a1fb23fd68e0b6d41fd49a69cc80519a704ef0eca098b1c17da9e13f85
SHA5121eab380778e4ebce2a94cd94c0541f066ad3a3b692df87e1823bed8fdc5ed1578cc7e8b5d9d4f11051832b44194b5cb0aeb9ba357c83e9c09dcece8d5f52905d
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
\Users\Admin\AppData\Local\Temp\EBFile_1.exeFilesize
12KB
MD522ebb12b7a9dac8c343a0e2cdbd9f855
SHA1358ee416cf40e1c65d5747f5a9ccea752540b140
SHA256ad22c3a1fb23fd68e0b6d41fd49a69cc80519a704ef0eca098b1c17da9e13f85
SHA5121eab380778e4ebce2a94cd94c0541f066ad3a3b692df87e1823bed8fdc5ed1578cc7e8b5d9d4f11051832b44194b5cb0aeb9ba357c83e9c09dcece8d5f52905d
-
memory/316-87-0x000007FEF6F40000-0x000007FEF6F8C000-memory.dmpFilesize
304KB
-
memory/316-86-0x000007FEF6F40000-0x000007FEF6F8C000-memory.dmpFilesize
304KB
-
memory/1200-65-0x0000000000DC0000-0x0000000000E00000-memory.dmpFilesize
256KB
-
memory/1200-66-0x0000000000DC0000-0x0000000000E00000-memory.dmpFilesize
256KB
-
memory/1200-54-0x0000000000DC0000-0x0000000000E00000-memory.dmpFilesize
256KB
-
memory/1200-70-0x0000000000DC0000-0x0000000000E00000-memory.dmpFilesize
256KB
-
memory/1200-72-0x0000000000DC0000-0x0000000000E00000-memory.dmpFilesize
256KB
-
memory/1200-83-0x0000000000DC0000-0x0000000000E00000-memory.dmpFilesize
256KB
-
memory/1200-82-0x0000000000DC0000-0x0000000000E00000-memory.dmpFilesize
256KB
-
memory/1348-67-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1348-73-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1348-71-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1348-69-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1564-77-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1564-80-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1564-76-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1564-74-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1864-84-0x000007FEF6F40000-0x000007FEF6F8C000-memory.dmpFilesize
304KB
-
memory/1864-85-0x000007FEF6F40000-0x000007FEF6F8C000-memory.dmpFilesize
304KB