Analysis

  • max time kernel
    112s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-06-2023 22:49

General

  • Target

    034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe

  • Size

    421KB

  • MD5

    0a2b49b01d618678868d19636000c625

  • SHA1

    38d83bff735ab583975d95c462e81e33741aa0da

  • SHA256

    034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f

  • SHA512

    2336cf5a155e0395cab155917999ff3b9b79b30c913513b528d74f56acff0473e66c6fe3e9ab9d1198835aeb4b772b82c8457d718538c6292581ec8dfaec5a0b

  • SSDEEP

    6144:wZuuObR8sVImcyYJnup+8ejV0rXkSjHFBTVm0+HhGsv7EqElNldmkHOKwKyWhwHE:nV+mzLsc/TwlMsDVE9d4HjjKjN

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 8 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 7 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\034d832b3e869c0c04b32297842f779fb9a28d08d4cb3f8c39e9fb278e890b3f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\uy5er3w92wq.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PAYMENT.sfx.exe
        PAYMENT.sfx.exe -phdsa32w8hh556 -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            5⤵
            • Accesses Microsoft Outlook accounts
            PID:1944
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            5⤵
            PID:1676

    Network

    MITRE ATT&CK Matrix ATT&CK v6

      • Execution: Scripting (1) T1064
      • Defense Evasion: Scripting (1) T1064
      • Discovery: System Information Discovery (1) T1082
      • Collection: Email Collection (1) T1114


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PAYMENT.sfx.exe
      Filesize

      353KB

      MD5

      0d41db7f519edbaf94ef1a9758277922

      SHA1

      7bd810e5e1eaca7d95a1018f7511b95cde2c3ddb

      SHA256

      d95aea380c8460380f31a3647e74c71be30f234f800fc0423817365853d08133

      SHA512

      b0cc5404a490a8eb55ee09ad658a8aa1973134a2028cace1bc20cdfdeb1cd81ce2636a22b04aac8076428ce1aa29ecad943ca1f546ed2506df51b15885fc7599

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\uy5er3w92wq.bat
      Filesize

      40B

      MD5

      e6cd8ea602d1579a98bb1e28f0e7d41c

      SHA1

      a0f2bac9a3bdc7cfc93c423139fc8362403a98ec

      SHA256

      f229d2fd8c7b71f420e0c15b9e69118c21f2779d4e1dcc242409dffce1e959da

      SHA512

      3b426ed9ea945cb3d42df0584970a646e14d7bd269530cd18b1c9896aebe7fb54b58fd4353b236c6b1f4ca675cf4a8b516f767361f358ac04afdad7613388895

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe
      Filesize

      520KB

      MD5

      51a65fd9c7d2ac354e07a3ccf1f701b2

      SHA1

      a52da29f6aa612b4dcb33fec4eaf801e45927b2c

      SHA256

      24d2ccc6308ea383cebd3906fe2c440c783eb0eb87d1e36954cdb739a770f288

      SHA512

      e58e067353d1affb65519d4ca95d5a09d9ab385798278e86c1f6ca9b327e49fac186e5420f7eb411ded9d468a0b1eb6a9e3a2421696d776957ee14be33a41f87

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • \Users\Admin\AppData\Local\Temp\RarSFX0\PAYMENT.sfx.exe
      Filesize

      353KB

      MD5

      0d41db7f519edbaf94ef1a9758277922

      SHA1

      7bd810e5e1eaca7d95a1018f7511b95cde2c3ddb

      SHA256

      d95aea380c8460380f31a3647e74c71be30f234f800fc0423817365853d08133

      SHA512

      b0cc5404a490a8eb55ee09ad658a8aa1973134a2028cace1bc20cdfdeb1cd81ce2636a22b04aac8076428ce1aa29ecad943ca1f546ed2506df51b15885fc7599

    • \Users\Admin\AppData\Local\Temp\RarSFX1\PAYMENT.exe
      Filesize

      520KB

      MD5

      51a65fd9c7d2ac354e07a3ccf1f701b2

      SHA1

      a52da29f6aa612b4dcb33fec4eaf801e45927b2c

      SHA256

      24d2ccc6308ea383cebd3906fe2c440c783eb0eb87d1e36954cdb739a770f288

      SHA512

      e58e067353d1affb65519d4ca95d5a09d9ab385798278e86c1f6ca9b327e49fac186e5420f7eb411ded9d468a0b1eb6a9e3a2421696d776957ee14be33a41f87

    • memory/876-81-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

    • memory/1048-80-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

    • memory/1676-91-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1676-93-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1676-97-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/1740-85-0x0000000000250000-0x0000000000290000-memory.dmp
      Filesize

      256KB

    • memory/1740-86-0x0000000000250000-0x0000000000290000-memory.dmp
      Filesize

      256KB

    • memory/1740-77-0x0000000000250000-0x0000000000290000-memory.dmp
      Filesize

      256KB

    • memory/1740-100-0x0000000000250000-0x0000000000290000-memory.dmp
      Filesize

      256KB

    • memory/1740-107-0x0000000000250000-0x0000000000290000-memory.dmp
      Filesize

      256KB

    • memory/1740-112-0x0000000000250000-0x0000000000290000-memory.dmp
      Filesize

      256KB

    • memory/1944-84-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

    • memory/1944-87-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

    • memory/1944-90-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

    • memory/1944-82-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB