Overview

overview

10

Static

static

3

Specificat...am.exe

windows7-x64

10

Specificat...am.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 02:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Specification and shematic Diagram.exe

  • Size

    1.4MB

  • MD5

    6d8d586a1feda0d474f0d3c6efbdd706

  • SHA1

    a66fc9adce64f992d7a0093d8e8c78b647ac2220

  • SHA256

    d69d517b51057301a5b0e44b6ecd8dceb2c6e9f6ba9db39a002d9078169d69d5

  • SHA512

    8de88c81690c38e3af5fdbecc53dc9aa042ad38f7bf60c2d7c3906e98210bf5c1a954aca861175e78fe12db4909fc16cc9f54cb33b6923c9b57975b6bf5d8829

  • SSDEEP

    24576:eUfUDtdfFQ0QPEhyxv4+gR9P+S2f8dQWdY7Dx1EAhd:eaUujPKy5q9+SvQWO7wA

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 8 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 8 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specification and shematic Diagram.exe
    "C:\Users\Admin\AppData\Local\Temp\Specification and shematic Diagram.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wgfpulfx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wgfpulfx.exe crocyb.ntu
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn hzdhlig /tr "C:\Users\Admin\hzdhlig\wgfpulfx.exe C:\Users\Admin\hzdhlig\crocyb.ntu"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 5 /tn hzdhlig /tr "C:\Users\Admin\hzdhlig\wgfpulfx.exe C:\Users\Admin\hzdhlig\crocyb.ntu"
          4⤵
          • Creates scheduled task(s)
          PID:2472
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        0
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:1196
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
            PID:2808

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qwcfi.wyz
      Filesize

      520KB

      MD5

      139eac7d626feb59f0c7da60ac4060a3

      SHA1

      1227f2eccbc39c372e860702b2dbade6ed4ec3a5

      SHA256

      7cfac465123c728deea11614fde04e28713dd214ffb8ec2c06e24463693f9bb6

      SHA512

      a5e440c6bbc5e1ab536ac84b47a977054e65e3f5df5262abd046057e6b838cd314d7e2b5f4cc20695dbfb3e4a9141e7be9c6f1785fc52eed20037da807353312

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\wgfpulfx.exe
      Filesize

      915KB

      MD5

      b06e67f9767e5023892d9698703ad098

      SHA1

      acc07666f4c1d4461d3e1c263cf6a194a8dd1544

      SHA256

      8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

      SHA512

      7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

      Download Submit

    • memory/1196-27-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1196-31-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1196-28-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1196-30-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2668-20-0x0000000000AE0000-0x0000000001AE0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2668-23-0x0000000000AE0000-0x0000000000B68000-memory.dmp

      Filesize

      544KB

      Download

    • memory/2668-26-0x0000000000530000-0x0000000000538000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2668-19-0x0000000000AE0000-0x0000000001AE0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2668-21-0x0000000000AE0000-0x0000000001AE0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2668-16-0x0000000000AE0000-0x0000000001AE0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2668-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2808-35-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2808-33-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2808-32-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2808-38-0x0000000000400000-0x0000000000458000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3016-22-0x0000000000E60000-0x0000000000F4B000-memory.dmp

      Filesize

      940KB

      Download