Overview

overview

10

Static

static

3

Specificat...am.exe

windows7-x64

10

Specificat...am.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 02:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Specification and shematic Diagram.exe

  • Size

    1.4MB

  • MD5

    6d8d586a1feda0d474f0d3c6efbdd706

  • SHA1

    a66fc9adce64f992d7a0093d8e8c78b647ac2220

  • SHA256

    d69d517b51057301a5b0e44b6ecd8dceb2c6e9f6ba9db39a002d9078169d69d5

  • SHA512

    8de88c81690c38e3af5fdbecc53dc9aa042ad38f7bf60c2d7c3906e98210bf5c1a954aca861175e78fe12db4909fc16cc9f54cb33b6923c9b57975b6bf5d8829

  • SSDEEP

    24576:eUfUDtdfFQ0QPEhyxv4+gR9P+S2f8dQWdY7Dx1EAhd:eaUujPKy5q9+SvQWO7wA

Score
10/10
hawkeyecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • NirSoft MailPassView 6 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specification and shematic Diagram.exe
    "C:\Users\Admin\AppData\Local\Temp\Specification and shematic Diagram.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wgfpulfx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wgfpulfx.exe crocyb.ntu
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn hzdhlig /tr "C:\Users\Admin\hzdhlig\wgfpulfx.exe C:\Users\Admin\hzdhlig\crocyb.ntu"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4376
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 5 /tn hzdhlig /tr "C:\Users\Admin\hzdhlig\wgfpulfx.exe C:\Users\Admin\hzdhlig\crocyb.ntu"
          4⤵
          • Creates scheduled task(s)
          PID:2496
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        0
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:3108
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qwcfi.wyz
    Filesize

    520KB

    MD5

    139eac7d626feb59f0c7da60ac4060a3

    SHA1

    1227f2eccbc39c372e860702b2dbade6ed4ec3a5

    SHA256

    7cfac465123c728deea11614fde04e28713dd214ffb8ec2c06e24463693f9bb6

    SHA512

    a5e440c6bbc5e1ab536ac84b47a977054e65e3f5df5262abd046057e6b838cd314d7e2b5f4cc20695dbfb3e4a9141e7be9c6f1785fc52eed20037da807353312

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wgfpulfx.exe
    Filesize

    915KB

    MD5

    b06e67f9767e5023892d9698703ad098

    SHA1

    acc07666f4c1d4461d3e1c263cf6a194a8dd1544

    SHA256

    8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

    SHA512

    7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    Download Submit

  • memory/1784-23-0x000000000FF50000-0x000000000FFB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1784-16-0x000000000DBB0000-0x000000000DC4C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1784-17-0x000000000E220000-0x000000000E7C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1784-18-0x000000000DC70000-0x000000000DD02000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1784-19-0x000000000DB80000-0x000000000DB8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1784-20-0x000000000DF20000-0x000000000DF76000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1784-13-0x0000000000F00000-0x0000000001F00000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1784-24-0x0000000010720000-0x0000000010728000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1784-15-0x0000000000F00000-0x0000000000F88000-memory.dmp

    Filesize

    544KB

    Download

  • memory/2476-14-0x0000000000230000-0x000000000031B000-memory.dmp

    Filesize

    940KB

    Download

  • memory/3108-25-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3108-28-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3108-29-0x0000000000420000-0x00000000004E9000-memory.dmp

    Filesize

    804KB

    Download

  • memory/3108-30-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3108-26-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3264-31-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/3264-34-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/3264-32-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/3264-41-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download