bf13c318fc27bd784b2eeecbc30af0d2e148000443bd90054d14efcf723eadb3

Analysis

max time kernel
82s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
02/07/2023, 22:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

EyewareBST.exe
Size

10KB
MD5

9e074988037fb72702f6bf343e4cef46
SHA1

3e70db81ad788aa19bd06dcbf1fd676af19137bc
SHA256

bf13c318fc27bd784b2eeecbc30af0d2e148000443bd90054d14efcf723eadb3
SHA512

9cf96fb5f80e3d81173d6d5bc2ec1df28c99d1f435412ad28027c326c55af4976622f3b3ad25ee9045bf8ffd62d06c90ca7228408cca4f238cb8d10431cc4ab1
SSDEEP

192:+zmlHZ5NHvu/P3TMYUOwJWYrxXef+FnEMWugQYnN9x:+zmlHzNP4YnOwJWYrJemFZQ9

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	EyewareBST.exe

Executes dropped EXE 1 IoCs

pid	Process
1692	Eyeware.exe

Loads dropped DLL 2 IoCs

pid	Process
3776	EyewareBST.exe
3776	EyewareBST.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3776	EyewareBST.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 1692	3776	EyewareBST.exe	97
PID 3776 wrote to memory of 1692	3776	EyewareBST.exe	97
PID 3776 wrote to memory of 1692	3776	EyewareBST.exe	97

C:\Users\Admin\AppData\Local\Temp\EyewareBST.exe
"C:\Users\Admin\AppData\Local\Temp\EyewareBST.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Users\Admin\AppData\Roaming\Eyeware\Eyeware.exe
  "C:\Users\Admin\AppData\Roaming\Eyeware\Eyeware.exe"
  2⤵
  - Executes dropped EXE
  PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
695KB

MD5
a00d393f55e7ee573dc34bccfe4b74ce

SHA1
a4ea782c85d65b78edc1acb675428015028a25fb

SHA256
d134937ec381729074694490e81983b08ec7991b31550eabafb9202e5b404f89

SHA512
b47b37d348d4c8fac4752690d018afdd32334f1c8efddb78f0fd903a18d6dac897fe5c4e8bcee86b8332b1d942c1d2d4c934288ed2124bd441cd55a7093a9357

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
695KB

MD5
a00d393f55e7ee573dc34bccfe4b74ce

SHA1
a4ea782c85d65b78edc1acb675428015028a25fb

SHA256
d134937ec381729074694490e81983b08ec7991b31550eabafb9202e5b404f89

SHA512
b47b37d348d4c8fac4752690d018afdd32334f1c8efddb78f0fd903a18d6dac897fe5c4e8bcee86b8332b1d942c1d2d4c934288ed2124bd441cd55a7093a9357

Download Submit
C:\Users\Admin\AppData\Roaming\Eyeware\Eyeware.exe

Filesize
10KB

MD5
6fcf052c370886f2f2c25d96bbb6b67e

SHA1
20c0a8edb749f3739c5fb82649531c600543b969

SHA256
910e07d590e0eb0cb5028225a8ef2c1d15d49ed56dcddac64a387d4df8ed6551

SHA512
45f8dd3d8efc6131f15c8176da473d10b4d9462997c648fa6d441fb1788024d9e96018b6e748ba96e83e6c7edd9beb3a6bbd2fdb6a553e25fea1994fa3233f0e

Download Submit
C:\Users\Admin\AppData\Roaming\Eyeware\Eyeware.exe

Filesize
10KB

MD5
6fcf052c370886f2f2c25d96bbb6b67e

SHA1
20c0a8edb749f3739c5fb82649531c600543b969

SHA256
910e07d590e0eb0cb5028225a8ef2c1d15d49ed56dcddac64a387d4df8ed6551

SHA512
45f8dd3d8efc6131f15c8176da473d10b4d9462997c648fa6d441fb1788024d9e96018b6e748ba96e83e6c7edd9beb3a6bbd2fdb6a553e25fea1994fa3233f0e

Download Submit
C:\Users\Admin\AppData\Roaming\Eyeware\Eyeware.exe

Filesize
10KB

MD5
6fcf052c370886f2f2c25d96bbb6b67e

SHA1
20c0a8edb749f3739c5fb82649531c600543b969

SHA256
910e07d590e0eb0cb5028225a8ef2c1d15d49ed56dcddac64a387d4df8ed6551

SHA512
45f8dd3d8efc6131f15c8176da473d10b4d9462997c648fa6d441fb1788024d9e96018b6e748ba96e83e6c7edd9beb3a6bbd2fdb6a553e25fea1994fa3233f0e

Download Submit
memory/1692-159-0x00000000057A0000-0x00000000057A8000-memory.dmp

Filesize
32KB

Download
memory/1692-161-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1692-165-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1692-164-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1692-163-0x0000000007970000-0x000000000797E000-memory.dmp

Filesize
56KB

Download
memory/1692-162-0x00000000079A0000-0x00000000079D8000-memory.dmp

Filesize
224KB

Download
memory/1692-158-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1692-160-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3776-139-0x0000000005AA0000-0x0000000005B52000-memory.dmp

Filesize
712KB

Download
memory/3776-133-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/3776-134-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3776-143-0x0000000005BE0000-0x0000000005C02000-memory.dmp

Filesize
136KB

Download
memory/3776-142-0x0000000005B60000-0x0000000005BD6000-memory.dmp

Filesize
472KB

Download
memory/3776-144-0x0000000005FF0000-0x000000000600E000-memory.dmp

Filesize
120KB

Download