Analysis
-
max time kernel
300s -
max time network
202s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
13-06-2023 18:41
General
-
Target
c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc
-
Size
679KB
-
MD5
7f075616272cca52e731c11080d0f3ef
-
SHA1
b5142fe556fc114eb221c4b14ad9d19c9e83fe83
-
SHA256
c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12
-
SHA512
f9fe3bb4f04138c8c924a74f35c293cbe3e777a6f2993c0352e4de9f6677807fcb982190d2a070925ee7a6810a136f2f7c1358babe5e8087736513f6b77982a7
-
SSDEEP
12288:WXQnnE6+s3WsZ/lkwR939lgKFWRg1xY0VcRuaHuatAUz3huJ7XrjaJ+:WXQnnYsNHXR9NlgobVcUK7UXrj++
Malware Config
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NirSoft MailPassView 12 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 12 IoCs
Password recovery tool for various web browsers
-
Nirsoft 16 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"6⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"6⤵
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39974BA3.emfFilesize
5KB
MD5d5c5e16f5d1a574b4643ca75feeff934
SHA13a4498112d3c8196b87120923c449db83477129c
SHA256b32ef8a281ffc811ed9fb7ac4a27cea7cee2d95e5f98e5aab7e6c3c549522c52
SHA5121c08179c39b678d8aaf15024db1d83d50170c82b8986c180a9c2318eeb60358424b96c4b5443d9c983e1e8df3d31512bb6bff4e95ec35d45224b57593d4adab0
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
59B
MD59b294a29cba9a63552604ad89c4d9444
SHA18e5bb542f31fccad06e69502c7dba5a62e9b9cb9
SHA256a3f87150ecc0223f9099533d33c8839a435a2276bf243c7fbf0f063a182d31e1
SHA512c45e8ae93eb82aefa86f7e46cbf47dfed4738b88b94e37925bc716a9b304ac6827f55d007f676783df6fed3a84d552f00ddf2dd00cbffdc1348f215878030a51
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
85KB
MD52e5f1cf69f92392f8829fc9c9263ae9b
SHA197b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA25651985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
memory/544-162-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/544-156-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/544-158-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/752-103-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-111-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-108-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/752-106-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-104-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-105-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-113-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1172-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1172-96-0x0000000005C40000-0x0000000005C42000-memory.dmpFilesize
8KB
-
memory/1232-100-0x0000000000260000-0x00000000002A0000-memory.dmpFilesize
256KB
-
memory/1440-151-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1440-155-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1440-154-0x0000000000420000-0x0000000000487000-memory.dmpFilesize
412KB
-
memory/1440-152-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1440-149-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1480-129-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1480-165-0x0000000000280000-0x00000000002C0000-memory.dmpFilesize
256KB
-
memory/1480-136-0x0000000000280000-0x00000000002C0000-memory.dmpFilesize
256KB
-
memory/1480-153-0x0000000000280000-0x00000000002C0000-memory.dmpFilesize
256KB
-
memory/1480-148-0x0000000000280000-0x00000000002C0000-memory.dmpFilesize
256KB
-
memory/1508-206-0x0000000000180000-0x00000000001C0000-memory.dmpFilesize
256KB
-
memory/1520-205-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1520-207-0x0000000002140000-0x0000000002180000-memory.dmpFilesize
256KB
-
memory/1520-194-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1520-198-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1520-202-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1528-122-0x0000000000240000-0x0000000000280000-memory.dmpFilesize
256KB