Overview

overview

10

Static

static

3

Level 7 Free.exe

windows7-x64

10

Level 7 Free.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    165s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2023 16:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Level 7 Free.exe

  • Size

    1.1MB

  • MD5

    1fa6f3e74dd5a7ef2fefc826a20dcec7

  • SHA1

    683b903de198378eed2bf8b0fc81a357d71885e3

  • SHA256

    b352a1acc928c427fd002159fa9fef4fb83f5e00517e4724c9f99666ba156255

  • SHA512

    1068a4a3cb145d02b501ea81bb938793f70fe80479a88b919b6ef1b0d35a8402aa777bdd59d85530ee7cd9410dcc165bfdcf4bbf6f07db6e21653c68357fa829

  • SSDEEP

    24576:bKFuHlslz9lTWEHpqCHFZ19P98/eGAsB9LPx4GjiRtwBYcWJ:bKFuHlUz9laEHpZlZ19P98/8k9LPxHQ3

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.mail.com
  • Port:
    587
  • Username:
    DudePerfect247@mail.com
  • Password:
    @cowboy22

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Level 7 Free.exe
    "C:\Users\Admin\AppData\Local\Temp\Level 7 Free.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
      "C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3156
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      2⤵
        PID:4808
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt" /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        2⤵
        • Accesses Microsoft Outlook accounts
        PID:4804
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        2⤵
          PID:4840

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
        Filesize

        12KB

        MD5

        22ebb12b7a9dac8c343a0e2cdbd9f855

        SHA1

        358ee416cf40e1c65d5747f5a9ccea752540b140

        SHA256

        ad22c3a1fb23fd68e0b6d41fd49a69cc80519a704ef0eca098b1c17da9e13f85

        SHA512

        1eab380778e4ebce2a94cd94c0541f066ad3a3b692df87e1823bed8fdc5ed1578cc7e8b5d9d4f11051832b44194b5cb0aeb9ba357c83e9c09dcece8d5f52905d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
        Filesize

        12KB

        MD5

        22ebb12b7a9dac8c343a0e2cdbd9f855

        SHA1

        358ee416cf40e1c65d5747f5a9ccea752540b140

        SHA256

        ad22c3a1fb23fd68e0b6d41fd49a69cc80519a704ef0eca098b1c17da9e13f85

        SHA512

        1eab380778e4ebce2a94cd94c0541f066ad3a3b692df87e1823bed8fdc5ed1578cc7e8b5d9d4f11051832b44194b5cb0aeb9ba357c83e9c09dcece8d5f52905d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
        Filesize

        12KB

        MD5

        22ebb12b7a9dac8c343a0e2cdbd9f855

        SHA1

        358ee416cf40e1c65d5747f5a9ccea752540b140

        SHA256

        ad22c3a1fb23fd68e0b6d41fd49a69cc80519a704ef0eca098b1c17da9e13f85

        SHA512

        1eab380778e4ebce2a94cd94c0541f066ad3a3b692df87e1823bed8fdc5ed1578cc7e8b5d9d4f11051832b44194b5cb0aeb9ba357c83e9c09dcece8d5f52905d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
        Filesize

        3KB

        MD5

        f94dc819ca773f1e3cb27abbc9e7fa27

        SHA1

        9a7700efadc5ea09ab288544ef1e3cd876255086

        SHA256

        a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

        SHA512

        72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

        Download Submit
      • memory/404-134-0x0000000001580000-0x0000000001590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/404-137-0x0000000001580000-0x0000000001590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/404-138-0x0000000001580000-0x0000000001590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/404-149-0x0000000001580000-0x0000000001590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/404-133-0x0000000001580000-0x0000000001590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/404-165-0x0000000001580000-0x0000000001590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4804-150-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/4804-154-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/4804-152-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/4840-155-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/4840-157-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/4840-163-0x0000000000460000-0x0000000000529000-memory.dmp
        Filesize

        804KB

        Download
      • memory/4840-164-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download