Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-06-2023 23:24

General

  • Target

    47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe

  • Size

    421KB

  • MD5

    d7785eb032bdc8df551ceda9933688d0

  • SHA1

    5e454bd1f8097155f40bec0d64c60f4aae1c988c

  • SHA256

    47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47

  • SHA512

    f71fcaee801179df15c505a77da079aebe45d80c325bc7f60d4afdd2ed25e1589fa6d20ba6414f2adee05c49add6e337dcf29c0ff3cf6b44c531b8e6d4308c16

  • SSDEEP

    6144:wZuuObR8sVImcyYJnuptejV0rXkSfvyXwXtYV/wADJ2oC9IAyBDxnlYAVjk10k9j:nV+mzLgkvywC2ok9OpC0k9a3hAeXAZ

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • NirSoft MailPassView 6 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe
    "C:\Users\Admin\AppData\Local\Temp\47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\6t5reddsswas.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Payment.sfx.exe
        Payment.sfx.exe -phy6er34w55 -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4496
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            5⤵
            • Accesses Microsoft Outlook accounts
            PID:4368
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            5⤵
              PID:5052
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
              dw20.exe -x -s 2388
              5⤵
              • Drops file in Windows directory
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious use of AdjustPrivilegeToken
              PID:4428

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution

    Scripting

    1
    T1064

    Defense Evasion

    Scripting

    1
    T1064

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Collection

    Email Collection

    1
    T1114

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\6t5reddsswas.bat
      Filesize

      37B

      MD5

      c1c7b88c2e498633661fd417629642e4

      SHA1

      31f71ea8ed60a6be976892aeb577449b83cac656

      SHA256

      400295a410683b336d989f0d3f4143909eed33c82a0b6e2bc177b8a468044408

      SHA512

      528079b772f0ca5e059782b7b93c4f3799bdb895dd1b2e8185b975b1b6cd9ed1e49df3d01717cf55d735e089e8f416b4a8a4c396a64ab5e3772d135bd7457cfd

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Payment.sfx.exe
      Filesize

      353KB

      MD5

      161991a5baa0cdd7b0276afc55c15824

      SHA1

      accb43eba8d28d58536eae0f29fbc5f2108a106c

      SHA256

      bc1ae4c61d7e9206193494018615e96c56d9002115ef74ccd706e51a9bf7848c

      SHA512

      e0f9ba4a73cd452947bf813f88721469ccd147cc5caabf5edd20ffebd199d73fe0d54b226a29fd8eed72f8b72ba368fec46b724faa7767a55b437a9ec9283f17

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Payment.sfx.exe
      Filesize

      353KB

      MD5

      161991a5baa0cdd7b0276afc55c15824

      SHA1

      accb43eba8d28d58536eae0f29fbc5f2108a106c

      SHA256

      bc1ae4c61d7e9206193494018615e96c56d9002115ef74ccd706e51a9bf7848c

      SHA512

      e0f9ba4a73cd452947bf813f88721469ccd147cc5caabf5edd20ffebd199d73fe0d54b226a29fd8eed72f8b72ba368fec46b724faa7767a55b437a9ec9283f17

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe
      Filesize

      521KB

      MD5

      b8a34d1b414d8d8aec00b99032692d38

      SHA1

      3a8ce329277832b268d395eb8b4971eb63cdbbe9

      SHA256

      524bb37a61523b7e6f1d5757c0ca08bd745913343c002f579ba3336a786beaca

      SHA512

      ab76a40d79442b657ddb0e738d39d25f5334e12723ab94ed31bb189c14ef3eb8e931f098dec3b16380494af79e8d618f89d059b132d1c4d88ba6e3142bdd697a

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe
      Filesize

      521KB

      MD5

      b8a34d1b414d8d8aec00b99032692d38

      SHA1

      3a8ce329277832b268d395eb8b4971eb63cdbbe9

      SHA256

      524bb37a61523b7e6f1d5757c0ca08bd745913343c002f579ba3336a786beaca

      SHA512

      ab76a40d79442b657ddb0e738d39d25f5334e12723ab94ed31bb189c14ef3eb8e931f098dec3b16380494af79e8d618f89d059b132d1c4d88ba6e3142bdd697a

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe
      Filesize

      521KB

      MD5

      b8a34d1b414d8d8aec00b99032692d38

      SHA1

      3a8ce329277832b268d395eb8b4971eb63cdbbe9

      SHA256

      524bb37a61523b7e6f1d5757c0ca08bd745913343c002f579ba3336a786beaca

      SHA512

      ab76a40d79442b657ddb0e738d39d25f5334e12723ab94ed31bb189c14ef3eb8e931f098dec3b16380494af79e8d618f89d059b132d1c4d88ba6e3142bdd697a

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      3KB

      MD5

      f94dc819ca773f1e3cb27abbc9e7fa27

      SHA1

      9a7700efadc5ea09ab288544ef1e3cd876255086

      SHA256

      a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

      SHA512

      72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    • memory/2724-208-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

    • memory/2724-164-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

    • memory/4368-163-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

    • memory/4368-161-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

    • memory/4368-159-0x0000000000400000-0x000000000041B000-memory.dmp
      Filesize

      108KB

    • memory/4496-166-0x0000000001240000-0x0000000001250000-memory.dmp
      Filesize

      64KB

    • memory/4496-167-0x0000000001240000-0x0000000001250000-memory.dmp
      Filesize

      64KB

    • memory/4496-156-0x0000000001240000-0x0000000001250000-memory.dmp
      Filesize

      64KB

    • memory/4496-155-0x0000000001240000-0x0000000001250000-memory.dmp
      Filesize

      64KB

    • memory/4592-165-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

    • memory/4592-206-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

    • memory/5052-168-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/5052-170-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

    • memory/5052-176-0x0000000000460000-0x0000000000529000-memory.dmp
      Filesize

      804KB

    • memory/5052-177-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB