hawkeye | f2090573cb87041990365a6fec8532cdc4f1cd9928a1aae37e06d0f1f8a5e9d5

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	Purchase List Xls.exe

NirSoft MailPassView 10 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2144-13-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2144-14-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2144-17-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2144-19-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2144-21-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2740-30-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2740-33-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2740-34-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2740-41-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2740-48-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 10 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2144-13-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2144-14-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2144-17-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2144-19-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2144-21-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2144-23-0x0000000004D90000-0x0000000004DD0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1668-38-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1668-40-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1668-46-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1668-42-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 15 IoCs

resource	yara_rule
behavioral1/memory/2144-13-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2144-14-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2144-17-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2144-19-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2144-21-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2144-23-0x0000000004D90000-0x0000000004DD0000-memory.dmp	Nirsoft
behavioral1/memory/2740-30-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2740-33-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2740-34-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1668-38-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1668-40-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2740-41-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1668-46-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1668-42-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2740-48-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	Purchase List Xls.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Purchase List Xls.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Purchase List Xls.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Purchase List Xls.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	whatismyipaddress.com
4	whatismyipaddress.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Purchase List Xls.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Purchase List Xls.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2500 set thread context of 2144	2500	Purchase List Xls.exe	34
PID 2144 set thread context of 2740	2144	Purchase List Xls.exe	35
PID 2144 set thread context of 1668	2144	Purchase List Xls.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2540	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Purchase List Xls.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Purchase List Xls.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Purchase List Xls.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Purchase List Xls.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Purchase List Xls.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Purchase List Xls.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	Purchase List Xls.exe
2500	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe
2144	Purchase List Xls.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	Purchase List Xls.exe
Token: SeDebugPrivilege	2144	Purchase List Xls.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2144	Purchase List Xls.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2540	2500	Purchase List Xls.exe	30
PID 2500 wrote to memory of 2540	2500	Purchase List Xls.exe	30
PID 2500 wrote to memory of 2540	2500	Purchase List Xls.exe	30
PID 2500 wrote to memory of 2540	2500	Purchase List Xls.exe	30
PID 2500 wrote to memory of 2224	2500	Purchase List Xls.exe	33
PID 2500 wrote to memory of 2224	2500	Purchase List Xls.exe	33
PID 2500 wrote to memory of 2224	2500	Purchase List Xls.exe	33
PID 2500 wrote to memory of 2224	2500	Purchase List Xls.exe	33
PID 2500 wrote to memory of 2144	2500	Purchase List Xls.exe	34
PID 2500 wrote to memory of 2144	2500	Purchase List Xls.exe	34
PID 2500 wrote to memory of 2144	2500	Purchase List Xls.exe	34
PID 2500 wrote to memory of 2144	2500	Purchase List Xls.exe	34
PID 2500 wrote to memory of 2144	2500	Purchase List Xls.exe	34
PID 2500 wrote to memory of 2144	2500	Purchase List Xls.exe	34
PID 2500 wrote to memory of 2144	2500	Purchase List Xls.exe	34
PID 2500 wrote to memory of 2144	2500	Purchase List Xls.exe	34
PID 2500 wrote to memory of 2144	2500	Purchase List Xls.exe	34
PID 2144 wrote to memory of 2740	2144	Purchase List Xls.exe	35
PID 2144 wrote to memory of 2740	2144	Purchase List Xls.exe	35
PID 2144 wrote to memory of 2740	2144	Purchase List Xls.exe	35
PID 2144 wrote to memory of 2740	2144	Purchase List Xls.exe	35
PID 2144 wrote to memory of 2740	2144	Purchase List Xls.exe	35
PID 2144 wrote to memory of 2740	2144	Purchase List Xls.exe	35
PID 2144 wrote to memory of 2740	2144	Purchase List Xls.exe	35
PID 2144 wrote to memory of 2740	2144	Purchase List Xls.exe	35
PID 2144 wrote to memory of 2740	2144	Purchase List Xls.exe	35
PID 2144 wrote to memory of 2740	2144	Purchase List Xls.exe	35
PID 2144 wrote to memory of 1668	2144	Purchase List Xls.exe	36
PID 2144 wrote to memory of 1668	2144	Purchase List Xls.exe	36
PID 2144 wrote to memory of 1668	2144	Purchase List Xls.exe	36
PID 2144 wrote to memory of 1668	2144	Purchase List Xls.exe	36
PID 2144 wrote to memory of 1668	2144	Purchase List Xls.exe	36
PID 2144 wrote to memory of 1668	2144	Purchase List Xls.exe	36
PID 2144 wrote to memory of 1668	2144	Purchase List Xls.exe	36
PID 2144 wrote to memory of 1668	2144	Purchase List Xls.exe	36
PID 2144 wrote to memory of 1668	2144	Purchase List Xls.exe	36
PID 2144 wrote to memory of 1668	2144	Purchase List Xls.exe	36

C:\Users\Admin\AppData\Local\Temp\Purchase List Xls.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase List Xls.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QAgHtvI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDEAC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\Purchase List Xls.exe
  "{path}"
  2⤵
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\Purchase List Xls.exe
  "{path}"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

T1082

Virtualization/Sandbox Evasion