hawkeye | 4709aa80f390c88e8fff0dfd4dc049150a3c627dda06a78b0d7b407c1bc46ac5

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
Size

1.1MB
MD5

53277617691e152fa4c3c4d8e829cb98
SHA1

27ea079be2661093bb51dc3f8bb446ce23442805
SHA256

4709aa80f390c88e8fff0dfd4dc049150a3c627dda06a78b0d7b407c1bc46ac5
SHA512

ebc2ab96fb91af26f4536d9320e9f4842efb8d845b9e2ecc8420c8d0423b3e4f35b631ce2636e8662cbbefcabf4bfafccec0f51b352aa174c19ab16d72b0ef0d
SSDEEP

24576:nUMXIaug4/aJTMxiveFrZTssjbSEmsY6hnZggGEzHSz:U8/MaJoo2FrZIsjbS76hSlEzSz

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.ru
Port:
587
Username:
[email protected]
Password:
moneyY23@@YYCK

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3708-58-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral2/memory/2844-66-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/2844-67-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/2844-69-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3708-58-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral2/memory/1000-71-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/1000-70-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/1000-78-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3708-58-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral2/memory/2844-66-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2844-67-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2844-69-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1000-71-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/1000-70-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/1000-78-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

Processes:

filename.exefilename.exefilename.exefilename.exe

pid	Process
4268	filename.exe
3472	filename.exe
748	filename.exe
3708	filename.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

filename.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\Desktop\\filename.exe"	filename.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\Desktop\\filename.exe"	filename.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
29	whatismyipaddress.com
31	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

filename.exefilename.exe

description	pid	Process	procid_target
PID 4268 set thread context of 3708	4268	filename.exe	91
PID 3708 set thread context of 2844	3708	filename.exe	99
PID 3708 set thread context of 1000	3708	filename.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exefilename.exe

pid	Process
1000	vbc.exe
1000	vbc.exe
3708	filename.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exefilename.exefilename.exedw20.exe

description	pid	Process
Token: SeDebugPrivilege	228	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
Token: SeDebugPrivilege	4268	filename.exe
Token: SeDebugPrivilege	3708	filename.exe
Token: SeRestorePrivilege	1200	dw20.exe
Token: SeBackupPrivilege	1200	dw20.exe
Token: SeBackupPrivilege	1200	dw20.exe
Token: SeBackupPrivilege	1200	dw20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

filename.exe

pid	Process
3708	filename.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exefilename.exefilename.exe

description	pid	Process	procid_target
PID 228 wrote to memory of 4268	228	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe	86
PID 228 wrote to memory of 4268	228	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe	86
PID 228 wrote to memory of 4268	228	53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe	86
PID 4268 wrote to memory of 3472	4268	filename.exe	89
PID 4268 wrote to memory of 3472	4268	filename.exe	89
PID 4268 wrote to memory of 3472	4268	filename.exe	89
PID 4268 wrote to memory of 748	4268	filename.exe	90
PID 4268 wrote to memory of 748	4268	filename.exe	90
PID 4268 wrote to memory of 748	4268	filename.exe	90
PID 4268 wrote to memory of 3708	4268	filename.exe	91
PID 4268 wrote to memory of 3708	4268	filename.exe	91
PID 4268 wrote to memory of 3708	4268	filename.exe	91
PID 4268 wrote to memory of 3708	4268	filename.exe	91
PID 4268 wrote to memory of 3708	4268	filename.exe	91
PID 4268 wrote to memory of 3708	4268	filename.exe	91
PID 4268 wrote to memory of 3708	4268	filename.exe	91
PID 4268 wrote to memory of 3708	4268	filename.exe	91
PID 3708 wrote to memory of 2844	3708	filename.exe	99
PID 3708 wrote to memory of 2844	3708	filename.exe	99
PID 3708 wrote to memory of 2844	3708	filename.exe	99
PID 3708 wrote to memory of 2844	3708	filename.exe	99
PID 3708 wrote to memory of 2844	3708	filename.exe	99
PID 3708 wrote to memory of 2844	3708	filename.exe	99
PID 3708 wrote to memory of 2844	3708	filename.exe	99
PID 3708 wrote to memory of 2844	3708	filename.exe	99
PID 3708 wrote to memory of 2844	3708	filename.exe	99
PID 3708 wrote to memory of 1000	3708	filename.exe	102
PID 3708 wrote to memory of 1000	3708	filename.exe	102
PID 3708 wrote to memory of 1000	3708	filename.exe	102
PID 3708 wrote to memory of 1000	3708	filename.exe	102
PID 3708 wrote to memory of 1000	3708	filename.exe	102
PID 3708 wrote to memory of 1000	3708	filename.exe	102
PID 3708 wrote to memory of 1000	3708	filename.exe	102
PID 3708 wrote to memory of 1000	3708	filename.exe	102
PID 3708 wrote to memory of 1000	3708	filename.exe	102
PID 3708 wrote to memory of 1200	3708	filename.exe	113
PID 3708 wrote to memory of 1200	3708	filename.exe	113
PID 3708 wrote to memory of 1200	3708	filename.exe	113

C:\Users\Admin\AppData\Local\Temp\53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53277617691e152fa4c3c4d8e829cb98_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\Desktop\filename.exe
  "C:\Users\Admin\Desktop\filename.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Users\Admin\Desktop\filename.exe
    "C:\Users\Admin\Desktop\filename.exe"
    3⤵
    - Executes dropped EXE
    PID:3472
- - C:\Users\Admin\Desktop\filename.exe
    "C:\Users\Admin\Desktop\filename.exe"
    3⤵
    - Executes dropped EXE
    PID:748
- - C:\Users\Admin\Desktop\filename.exe
    "C:\Users\Admin\Desktop\filename.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:2844
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1000
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 2452
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5

Filesize
1KB

MD5
1ba25895dc793e6826cbe8d61ddd8293

SHA1
6387cc55cbe9f71ae41b2425192b900a1eb3a54f

SHA256
cc4c5c999ca59e5a62bc3ffe172a61f8cf13cc18c89fe48f628ff2a75bdc508a

SHA512
1ff9b34fdbeae98fa8b534ba12501eb6df983cc67ce4f8ffc4c1ff12631aa8ed36ff349c39a2186e0ac8d9809437106578a746eec3854b54fef38a3cc0adb957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_244F8153991C95DE7516D65AE7D1F0F6

Filesize
1KB

MD5
13affd7ca33dffe5e0c718ae0c8b77b0

SHA1
b4d5ba26fb29de5423119b234347fc0e3261bb3f

SHA256
7ca93293e1b412edaf65243efdb05653b67f2fe0c9e863472ae5688660650f91

SHA512
6d77b1b93b4fc166f1cb27e57f302f8781355eb2ae4e27a8a8bbc16ff2af84a26cdfc8a12d152e0e2838abde4a50911ebbbf11332d8b9b567854619aa3b195d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_3ED18E5A6C9AC2A20DED4172F963FCFB

Filesize
1KB

MD5
f86cfb1e5b9a894704fa752148c71139

SHA1
d12306e5185fc3ed2a76507dbedb63b2f063974f

SHA256
e567b2ab8e30a631bb3b367c273d36468293f7d02f054f53e3d4804f360171ad

SHA512
81fbd75b9b7e8650f62fa7ecd203f89b9251ef22604531120b28459014657b13d3ac5282a7da0e4ff8f630e8622f7d01d0d8a932c4e3a5747d85818e013397bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_3F14C4AF49D87182E1B265DB9807EDFF

Filesize
5B

MD5
4842e206e4cfff2954901467ad54169e

SHA1
80c9820ff2efe8aa3d361df7011ae6eee35ec4f0

SHA256
2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e

SHA512
ff537b1808fcb03cfb52f768fbd7e7bd66baf6a8558ee5b8f2a02f629e021aa88a1df7a8750bae1f04f3b9d86da56f0bdcba2fdbc81d366da6c97eb76ecb6cba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4

Filesize
92KB

MD5
7e8bce832249fdb653c054acc098fc27

SHA1
3d8946d6577275266208d6dd21c910fb4f312ec0

SHA256
fbc50e30a311af0b72d8b4ae66a4471b1fdf6fc3873f157282a3621930989108

SHA512
b09d0e2195c77de17d42a8b67fcfbf83bd2045764a24162c24687a63014e582c48fc89550b9e5916e149d52e5c51911220a4cd6cad09c3abf236e3c43071aadb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5

Filesize
182B

MD5
4b086134c26579a566d6fe86b25464e7

SHA1
da12e7b1031ca66b254beaac1867cd07983f0f3e

SHA256
784081db48d0756ffb21b3a4356e1f4e9ee641dc3ca259dc65499797ab010707

SHA512
30ee6a1e1f85b27189098057ca6e398b9a8e6675fbe9a821ba8c0716d0d7ff028a240aa235ede6914b5c518de72a8de6312eb313834d64a9fd1538fc3a22f263

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_244F8153991C95DE7516D65AE7D1F0F6

Filesize
398B

MD5
ea33fd8f3f5dca5c0a9a595a76d5b477

SHA1
3e4c3aaecdb078a05fc0717cc79d9e983491411a

SHA256
8718851d9aaea8863cdba8e7d4eee3ebce7e5841ef912517c75328083dd419fc

SHA512
f759f5f9f06c10464d9a6ff74e1e656245aa4fff4f19f15b14a0afdc971e6f2a7f279b8b265b5444c4aed3ff2bde88aade5576aa296144abae66bf53f832d116

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_3ED18E5A6C9AC2A20DED4172F963FCFB

Filesize
394B

MD5
fb082cfa266909dbd4d8424f080fbfe6

SHA1
bbfc02a9a81b570acdb50c9910a50d489baf78fd

SHA256
c2f6e443b397b37bc35f8340fce09eae40339ab3343414f7ddeb782b2783bc4f

SHA512
c05ab9bd472318fd997cffc3a677c081759cae1a2b43d696b763a6e133725506a323e35c57ee247207177ba61db4ee4f7ca71a2839f80957af178a2ee82a547c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE

Filesize
408B

MD5
91583c5de841c7e68beb6e30ece3c8ca

SHA1
0cecbd0bd1814da4ce52494dce223014dcb21583

SHA256
35ae84dd6dc7cdb1181ff599ba3258bcc3240763d9e3224c58eed129f0c0d607

SHA512
199779475917e711b9ef26182ee2423391db2a5817dafa23279b8efdd76240a315fdd9ceb4abd6e532822ff9666841fc965aae8e5528ae55dbd7a1b497d409bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_3F14C4AF49D87182E1B265DB9807EDFF

Filesize
476B

MD5
98cd993d3997c978fe8ff85a7c725664

SHA1
2486159cce47f4ba978fe89199af9afa91f4cdc3

SHA256
6f424fe0deca77cea0f3e04c74e508fab7d84f9685882083021b448ddfd3bee2

SHA512
3905513cd55b51b6529e6cb26a83abf915d4222eb3cd06d2362c067cb7f58e04bcf379e7c62798e6b95becc2709c1e893f9c87f0712b18e2b1a05a2e890f0244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_A0D7F106FE392D937518E3CD85A9A087

Filesize
398B

MD5
3bf9d2e68277920e04ddc6bdd9478733

SHA1
99ec4d90fe89ba3487644dfba0d790f93186a228

SHA256
8178295686ddf0663b9c7e6a3799d229e274bbfb25e567cc06278d881565e75f

SHA512
9aa9d2c5454516ff1526d319e47a8c07af48b713cfc9d03cf7a57410d12611d17fe91a9c3b720f659ce369a7c2b789c6d012522c06ee682fbc51544cab9a8e61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4

Filesize
170B

MD5
49656318658bd8b3af20662d3c02d73d

SHA1
2720469fe14ec8f08dd3eabc8ccaea689090bf7d

SHA256
f8901e3b68c9847a8dc87a23c6ecf115bb3b5b744e3d7ec0b977b3894210296b

SHA512
c2e1ff6adca3c1bf930300171881589de4513011f5ff9c767ef227a2718d6476510c473320fb72a1d9afbf2a8de596cfebc07736d6068447b5b35f7ce82e1538

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\Desktop\filename.exe

Filesize
1.1MB

MD5
53277617691e152fa4c3c4d8e829cb98

SHA1
27ea079be2661093bb51dc3f8bb446ce23442805

SHA256
4709aa80f390c88e8fff0dfd4dc049150a3c627dda06a78b0d7b407c1bc46ac5

SHA512
ebc2ab96fb91af26f4536d9320e9f4842efb8d845b9e2ecc8420c8d0423b3e4f35b631ce2636e8662cbbefcabf4bfafccec0f51b352aa174c19ab16d72b0ef0d

Download Submit
memory/228-0-0x0000000074B12000-0x0000000074B13000-memory.dmp

Filesize
4KB

Download
memory/228-2-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/228-47-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/228-1-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/1000-71-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1000-70-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1000-78-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2844-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2844-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2844-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3708-58-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3708-63-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3708-60-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3708-61-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3708-62-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3708-80-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3708-81-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3708-88-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4268-37-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4268-46-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4268-45-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4268-79-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download