hawkeye | 2cd607fb44480b61c90e5107a3131231936c99a7b766dbed4df4c6fed325ae0f

Analysis

max time kernel
151s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-02-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_c521f79249320c77b5b20007f871fbb1.exe
Size

951KB
MD5

c521f79249320c77b5b20007f871fbb1
SHA1

8b772e27c77fd4880b79fe8466bff21e21e1aa2a
SHA256

2cd607fb44480b61c90e5107a3131231936c99a7b766dbed4df4c6fed325ae0f
SHA512

f471c23576f61e2066e09c44ae3beab374153fdafebfb6cc03e140942c15d3fa273394848dd3a4ba0bd07c7883b678d0d2dcbc1be1ea5a381882b101e55107bb
SSDEEP

24576:9Sr69b1sIzdkdUDuCppG/HNs2HRT3s4ni4gSUf4:B9b1xdySu84lsMRzVniLw

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
webmail.congtydirect.com
Port:
587
Username:
[email protected]
Password:
Fest@@21

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 12 IoCs

resource	yara_rule
behavioral1/memory/2844-31-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2844-32-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2844-33-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2844-34-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2844-35-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2844-38-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2844-43-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2844-45-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1196-84-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1196-86-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1196-88-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1196-91-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 12 IoCs

resource	yara_rule
behavioral1/memory/2844-31-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2844-32-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2844-33-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2844-34-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2844-35-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2844-38-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2844-43-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2844-45-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1196-84-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1196-86-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1196-88-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1196-91-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables referencing many email and collaboration clients. Observed in information stealers 12 IoCs

resource	yara_rule
behavioral1/memory/2844-31-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2844-32-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2844-33-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2844-34-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2844-35-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2844-38-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2844-43-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2844-45-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1828-61-0x0000000000400000-0x000000000041B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1828-63-0x0000000000400000-0x000000000041B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1828-65-0x0000000000400000-0x000000000041B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1828-83-0x0000000000400000-0x000000000041B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

NirSoft MailPassView 12 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2844-31-0x0000000000400000-0x0000000004B18000-memory.dmp	MailPassView
behavioral1/memory/2844-32-0x0000000000400000-0x0000000004B18000-memory.dmp	MailPassView
behavioral1/memory/2844-33-0x0000000000400000-0x0000000004B18000-memory.dmp	MailPassView
behavioral1/memory/2844-34-0x0000000000400000-0x0000000004B18000-memory.dmp	MailPassView
behavioral1/memory/2844-35-0x0000000000400000-0x0000000004B18000-memory.dmp	MailPassView
behavioral1/memory/2844-38-0x0000000000400000-0x0000000004B18000-memory.dmp	MailPassView
behavioral1/memory/2844-43-0x0000000000400000-0x0000000004B18000-memory.dmp	MailPassView
behavioral1/memory/2844-45-0x0000000000400000-0x0000000004B18000-memory.dmp	MailPassView
behavioral1/memory/1828-61-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1828-63-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1828-65-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1828-83-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 12 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2844-31-0x0000000000400000-0x0000000004B18000-memory.dmp	WebBrowserPassView
behavioral1/memory/2844-32-0x0000000000400000-0x0000000004B18000-memory.dmp	WebBrowserPassView
behavioral1/memory/2844-33-0x0000000000400000-0x0000000004B18000-memory.dmp	WebBrowserPassView
behavioral1/memory/2844-34-0x0000000000400000-0x0000000004B18000-memory.dmp	WebBrowserPassView
behavioral1/memory/2844-35-0x0000000000400000-0x0000000004B18000-memory.dmp	WebBrowserPassView
behavioral1/memory/2844-38-0x0000000000400000-0x0000000004B18000-memory.dmp	WebBrowserPassView
behavioral1/memory/2844-43-0x0000000000400000-0x0000000004B18000-memory.dmp	WebBrowserPassView
behavioral1/memory/2844-45-0x0000000000400000-0x0000000004B18000-memory.dmp	WebBrowserPassView
behavioral1/memory/1196-84-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1196-86-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1196-88-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1196-91-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 16 IoCs

resource	yara_rule
behavioral1/memory/2844-31-0x0000000000400000-0x0000000004B18000-memory.dmp	Nirsoft
behavioral1/memory/2844-32-0x0000000000400000-0x0000000004B18000-memory.dmp	Nirsoft
behavioral1/memory/2844-33-0x0000000000400000-0x0000000004B18000-memory.dmp	Nirsoft
behavioral1/memory/2844-34-0x0000000000400000-0x0000000004B18000-memory.dmp	Nirsoft
behavioral1/memory/2844-35-0x0000000000400000-0x0000000004B18000-memory.dmp	Nirsoft
behavioral1/memory/2844-38-0x0000000000400000-0x0000000004B18000-memory.dmp	Nirsoft
behavioral1/memory/2844-43-0x0000000000400000-0x0000000004B18000-memory.dmp	Nirsoft
behavioral1/memory/2844-45-0x0000000000400000-0x0000000004B18000-memory.dmp	Nirsoft
behavioral1/memory/1828-61-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1828-63-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1828-65-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1828-83-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1196-84-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1196-86-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1196-88-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1196-91-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000122c0-4.dat	UPX
behavioral1/memory/2220-6-0x0000000000190000-0x00000000001EC000-memory.dmp	UPX
behavioral1/memory/2744-41-0x0000000000400000-0x000000000045C000-memory.dmp	UPX

Executes dropped EXE 2 IoCs

pid	Process
2744	M.exe
2844	M.exe

Loads dropped DLL 5 IoCs

pid	Process
2220	VirusShare_c521f79249320c77b5b20007f871fbb1.exe
2220	VirusShare_c521f79249320c77b5b20007f871fbb1.exe
2744	M.exe
2744	M.exe
2844	M.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e0000000122c0-4.dat	upx
behavioral1/memory/2220-6-0x0000000000190000-0x00000000001EC000-memory.dmp	upx
behavioral1/memory/2744-41-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	VirusShare_c521f79249320c77b5b20007f871fbb1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	M.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 2844	2744	M.exe	29
PID 2844 set thread context of 1828	2844	M.exe	34
PID 2844 set thread context of 1196	2844	M.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2744	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe
2844	M.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2020	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	M.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2744	M.exe
2744	M.exe
2844	M.exe
2020	AcroRd32.exe
2020	AcroRd32.exe
2020	AcroRd32.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2744	2220	VirusShare_c521f79249320c77b5b20007f871fbb1.exe	28
PID 2220 wrote to memory of 2744	2220	VirusShare_c521f79249320c77b5b20007f871fbb1.exe	28
PID 2220 wrote to memory of 2744	2220	VirusShare_c521f79249320c77b5b20007f871fbb1.exe	28
PID 2220 wrote to memory of 2744	2220	VirusShare_c521f79249320c77b5b20007f871fbb1.exe	28
PID 2220 wrote to memory of 2744	2220	VirusShare_c521f79249320c77b5b20007f871fbb1.exe	28
PID 2220 wrote to memory of 2744	2220	VirusShare_c521f79249320c77b5b20007f871fbb1.exe	28
PID 2220 wrote to memory of 2744	2220	VirusShare_c521f79249320c77b5b20007f871fbb1.exe	28
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2744 wrote to memory of 2844	2744	M.exe	29
PID 2844 wrote to memory of 2020	2844	M.exe	33
PID 2844 wrote to memory of 2020	2844	M.exe	33
PID 2844 wrote to memory of 2020	2844	M.exe	33
PID 2844 wrote to memory of 2020	2844	M.exe	33
PID 2844 wrote to memory of 2020	2844	M.exe	33
PID 2844 wrote to memory of 2020	2844	M.exe	33
PID 2844 wrote to memory of 2020	2844	M.exe	33
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1828	2844	M.exe	34
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35
PID 2844 wrote to memory of 1196	2844	M.exe	35

C:\Users\Admin\AppData\Local\Temp\VirusShare_c521f79249320c77b5b20007f871fbb1.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_c521f79249320c77b5b20007f871fbb1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BFile_1.pdf"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1828
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      4⤵
      PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BFile_1.pdf

Filesize
76KB

MD5
a044a4eaea50ac33f65fd614f4b78509

SHA1
f4c1d9a86ee7769492293508f650f67dc3c523f7

SHA256
8f9c44049129703f3d6d3beeff6ac8d576df276a56e8f7f85c86beda912ed8c4

SHA512
9fbeae185958d0c7868bc21fd08220cc8e1f6aaa6cea14ffbb257a93355ba043e294be25ae40c8f80d75563bdd1f9cec3f29afa944b3cac11664ec4b066822d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_

Filesize
749KB

MD5
aa9da8f4f5e434d8449c17efccebef5e

SHA1
99487070bb0da9e0c2df138b111e9bebc2a271f2

SHA256
16b6bdc384d7b4821d541eb40f1be8c3ca2b027b9a329e77eb4c13800b3e8ec2

SHA512
768fb0d93c91ad868f7b2cfc0fc67ce2e20293e40ec1e4216bb805232a2f02cdfd3ec225c29c40bed6c4f505aa35b788f5291661b99d2773c24d395c825ef0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe

Filesize
104KB

MD5
42ccd69a3be9618d329de0ea0fde3a81

SHA1
47e9897f303496eb9cd5883f9cdb283b6eee65d3

SHA256
14137fcc8697e967b251fd0fafbdf79af8db4c1a67f2eafe53756e3ad80a9bef

SHA512
33d95b20ce606441c89dbc575c8e884196a19db056ffd9d54a5e0c57f3928b0d064b6270e4abf033046606e0456156faba3f3a8e6a353e924a7461e61e46bfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0fba95c4639f3345f5458039ebb8ac38

SHA1
2eba13a0b9475d62ea00207196ea6442b6058555

SHA256
7b6ae768ec682a27364b9a8d86c8d7f91bc459daaf6a42df6423633abeb1870c

SHA512
6ea238f1c783f35811533d76967ce6b3120e72c03e19eb616965259745b025080dd7f6f727f251c6b13aff252953aea5e524e7ef0ab1198e24257fa19881c927

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe

Filesize
140KB

MD5
bc9932d562808f046db8cf2d225b317e

SHA1
50827e282cb74b846b8ef79ccd3f5887e3a941f2

SHA256
49a50d91166a62cb0c1454d015af0b5b98ea86702c9e88c21f6e5775517571b7

SHA512
d46153b9d0260a076fd6247de14325b2f76d7537139677af927427fab23852258634b525a1e3e31e19456a04a5c58527ac351f44b475c2eb984294b30b0efa22

Download Submit
memory/1196-86-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1196-88-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1196-91-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1196-84-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1828-61-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1828-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1828-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1828-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2220-49-0x0000000000190000-0x00000000001EC000-memory.dmp

Filesize
368KB

Download
memory/2220-6-0x0000000000190000-0x00000000001EC000-memory.dmp

Filesize
368KB

Download
memory/2220-11-0x0000000000190000-0x00000000001EC000-memory.dmp

Filesize
368KB

Download
memory/2744-52-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/2744-41-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2744-22-0x0000000000250000-0x0000000000255000-memory.dmp

Filesize
20KB

Download
memory/2744-27-0x0000000000370000-0x00000000003CC000-memory.dmp

Filesize
368KB

Download
memory/2844-31-0x0000000000400000-0x0000000004B18000-memory.dmp

Filesize
71.1MB

Download
memory/2844-50-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-58-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2844-45-0x0000000000400000-0x0000000004B18000-memory.dmp

Filesize
71.1MB

Download
memory/2844-60-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-43-0x0000000000400000-0x0000000004B18000-memory.dmp

Filesize
71.1MB

Download
memory/2844-38-0x0000000000400000-0x0000000004B18000-memory.dmp

Filesize
71.1MB

Download
memory/2844-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2844-35-0x0000000000400000-0x0000000004B18000-memory.dmp

Filesize
71.1MB

Download
memory/2844-34-0x0000000000400000-0x0000000004B18000-memory.dmp

Filesize
71.1MB

Download
memory/2844-33-0x0000000000400000-0x0000000004B18000-memory.dmp

Filesize
71.1MB

Download
memory/2844-32-0x0000000000400000-0x0000000004B18000-memory.dmp

Filesize
71.1MB

Download
memory/2844-29-0x0000000000400000-0x0000000004B18000-memory.dmp

Filesize
71.1MB

Download
memory/2844-26-0x0000000000400000-0x0000000004B18000-memory.dmp

Filesize
71.1MB

Download
memory/2844-25-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2844-92-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download