hawkeye | 61f954a1c4e16eb74c56fb3104bd3d835a298416a133988ad4900f4569aca8d5

General

Target

647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
Size

5.8MB
MD5

e0ad1b070ad9c0430f491d07c2708484
SHA1

f36de48706a23f38d7b3fa070d8948dbc9ac3491
SHA256

647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712
SHA512

d7bea99b6595f75c0a448d93f8a1394d93a23d88933d3d26ba4c141faa69f9d87a18cf0535cb9e0e3016ad9067ade5320fc0171e7bbe84a42989bfd2f6c25ef9
SSDEEP

98304:AuBV+GvjiaLzY5lk+Ar+fbleEfho0b6s0LSvIragO0fMvU/5Lf62LDY:AbGvPE5Ca183

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 9 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2684-9-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2684-11-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2684-14-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2684-17-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2684-19-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2188-36-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2188-38-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2188-40-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2188-42-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 8 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2684-9-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2684-11-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2684-14-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2684-17-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2684-19-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/108-45-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/108-47-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/108-51-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2684-9-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2684-11-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2684-14-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2684-17-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2684-19-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2188-36-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2188-38-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2188-40-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2188-42-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/108-45-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/108-47-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/108-51-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

2440 svchost.exe
1040 svchost.exe
1764 svchost.exe
2892 svchost.exe
2668 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exesvchost.exe

pid process

1248 647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
2440 svchost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2440	svchost.exe
1040	svchost.exe
1764	svchost.exe
2892	svchost.exe
2668	svchost.exe

pid	process
1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
2440	svchost.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1248 set thread context of 2684	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
PID 2684 set thread context of 2188	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 set thread context of 108	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2440 set thread context of 1040	2440	svchost.exe	svchost.exe
PID 1764 set thread context of 2892	1764	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

588 schtasks.exe
1316 schtasks.exe
2304 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe

pid process

2684 647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1040 svchost.exe
2892 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe

description pid process

Token: SeDebugPrivilege 2684 647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe

pid process

2684 647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe

pid	process
588	schtasks.exe
1316	schtasks.exe
2304	schtasks.exe

pid	process
2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe

pid	process
1040	svchost.exe
2892	svchost.exe

description	pid	process
Token: SeDebugPrivilege	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe

pid	process
2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.execmd.exe647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exesvchost.exe

description	pid	process	target process
PID 1248 wrote to memory of 2684	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
PID 1248 wrote to memory of 2684	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
PID 1248 wrote to memory of 2684	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
PID 1248 wrote to memory of 2684	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
PID 1248 wrote to memory of 2684	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
PID 1248 wrote to memory of 2684	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
PID 1248 wrote to memory of 2684	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
PID 1248 wrote to memory of 2684	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
PID 1248 wrote to memory of 2684	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
PID 1248 wrote to memory of 2440	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	svchost.exe
PID 1248 wrote to memory of 2440	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	svchost.exe
PID 1248 wrote to memory of 2440	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	svchost.exe
PID 1248 wrote to memory of 2440	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	svchost.exe
PID 1248 wrote to memory of 3008	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 1248 wrote to memory of 3008	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 1248 wrote to memory of 3008	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 1248 wrote to memory of 3008	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 1248 wrote to memory of 324	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 1248 wrote to memory of 324	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 1248 wrote to memory of 324	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 1248 wrote to memory of 324	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 324 wrote to memory of 588	324	cmd.exe	schtasks.exe
PID 324 wrote to memory of 588	324	cmd.exe	schtasks.exe
PID 324 wrote to memory of 588	324	cmd.exe	schtasks.exe
PID 324 wrote to memory of 588	324	cmd.exe	schtasks.exe
PID 1248 wrote to memory of 884	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 1248 wrote to memory of 884	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 1248 wrote to memory of 884	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 1248 wrote to memory of 884	1248	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	cmd.exe
PID 2684 wrote to memory of 2188	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 2188	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 2188	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 2188	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 2188	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 2188	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 2188	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 2188	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 2188	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 2188	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 108	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 108	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 108	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 108	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 108	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 108	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 108	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 108	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 108	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2684 wrote to memory of 108	2684	647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe	vbc.exe
PID 2440 wrote to memory of 1040	2440	svchost.exe	svchost.exe
PID 2440 wrote to memory of 1040	2440	svchost.exe	svchost.exe
PID 2440 wrote to memory of 1040	2440	svchost.exe	svchost.exe
PID 2440 wrote to memory of 1040	2440	svchost.exe	svchost.exe
PID 2440 wrote to memory of 1040	2440	svchost.exe	svchost.exe
PID 2440 wrote to memory of 1040	2440	svchost.exe	svchost.exe
PID 2440 wrote to memory of 1040	2440	svchost.exe	svchost.exe
PID 2440 wrote to memory of 1040	2440	svchost.exe	svchost.exe
PID 2440 wrote to memory of 1040	2440	svchost.exe	svchost.exe
PID 2440 wrote to memory of 2080	2440	svchost.exe	cmd.exe
PID 2440 wrote to memory of 2080	2440	svchost.exe	cmd.exe
PID 2440 wrote to memory of 2080	2440	svchost.exe	cmd.exe
PID 2440 wrote to memory of 2080	2440	svchost.exe	cmd.exe
PID 2440 wrote to memory of 3000	2440	svchost.exe	cmd.exe
PID 2440 wrote to memory of 3000	2440	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
"C:\Users\Admin\AppData\Local\Temp\647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe
"C:\Users\Admin\AppData\Local\Temp\647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:2188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1040

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
3⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
PID:3000

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1316

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:588

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:884

C:\Windows\system32\taskeng.exe
taskeng.exe {735ECB7E-D019-45D8-9D82-74131DE249AD} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
1⤵
PID:820

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1764

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:2892

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
3⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
PID:1556

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:2304

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
PID:752

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
2⤵
- Executes dropped EXE
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
2.4MB

MD5
13b0e0abeedf03b35d4c3e6cc3232efe

SHA1
5fcd91ca04524c885c8f1a1dc796dab061b9500b

SHA256
5ae59030722d7f1fcf6177f38d7ecee2c8abe7fe98cf6c872931fc08b7ddf6d0

SHA512
5296488219b2072de7c3a8424c1db25e68dd5c0cd16e2cfa4271a30a7291e2a95b0b7b9080480c0c4e4dd2fbe23afd1c1843b4e398298998348a120c40e0f535

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
256KB

MD5
548ab1d9c1de303aa077e440213c0b60

SHA1
c5ee66a716f613860b2f0e96fdf7c58a0888548a

SHA256
dcb354c25af6e255766b8316b0f802667f4510bcde025a2ee82708563173c92a

SHA512
d1497b61588beacbb54ef63e769b12bfb0c2a4f66cbd93e192dd66381f12d9dbf0cde7bfbe3620b79adf9d42dd3146691f0618179c9f96faf2262659e386b8f3

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
3.0MB

MD5
646f6ea76cd0f29d4c2d6b0c8935e39e

SHA1
59962777a41b8ca3dfd0c40147e013a3a6d9bda4

SHA256
0f71486baf108292e78215a8ca9643408664ecf173a6d556185c784297fc2ac5

SHA512
480044c8f611ead3ba8351f4e580fe191f3b7a8dfa2ab513a3caf6a3927d9997d9a3c77ae2e26c7ffa26d1569d8d2ecec235deca23b389b491237a1cca5d9442

Download Submit
memory/108-51-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/108-47-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/108-45-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1040-77-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1040-76-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/1040-58-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/1040-56-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/1040-60-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/1040-62-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/1040-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1040-83-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/1040-82-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1040-68-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/1040-69-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/1040-73-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/1248-32-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1248-4-0x0000000005860000-0x0000000005BE6000-memory.dmp

Filesize
3.5MB

Download
memory/1248-1-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1248-2-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1248-0-0x0000000000ED0000-0x0000000001496000-memory.dmp

Filesize
5.8MB

Download
memory/1248-3-0x0000000005020000-0x0000000005060000-memory.dmp

Filesize
256KB

Download
memory/1764-87-0x0000000000DD0000-0x00000000010D4000-memory.dmp

Filesize
3.0MB

Download
memory/1764-86-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1764-88-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1764-106-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2188-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2188-42-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2188-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2440-52-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/2440-54-0x00000000001F0000-0x0000000000208000-memory.dmp

Filesize
96KB

Download
memory/2440-27-0x00000000010A0000-0x00000000013A4000-memory.dmp

Filesize
3.0MB

Download
memory/2440-81-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-44-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-28-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-110-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-29-0x0000000005170000-0x00000000051B0000-memory.dmp

Filesize
256KB

Download
memory/2684-17-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2684-39-0x0000000005170000-0x00000000051B0000-memory.dmp

Filesize
256KB

Download
memory/2684-35-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/2684-50-0x0000000005170000-0x00000000051B0000-memory.dmp

Filesize
256KB

Download
memory/2684-43-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-7-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2684-53-0x0000000005170000-0x00000000051B0000-memory.dmp

Filesize
256KB

Download
memory/2684-9-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2684-20-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-19-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2684-11-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2684-5-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2684-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2684-14-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2892-105-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-102-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2892-107-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-108-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download
memory/2892-104-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2892-97-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads