hawkeye_reborn | ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8

General

Target

e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe
Size

1.0MB
MD5

e3666ecb82584556a39520ea0e788ccc
SHA1

5ef3da4d7acf44376974b903cc50b28763ab9cb7
SHA256

ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8
SHA512

39c2c4aa953522dbf61fd3a3708fab917eeb729b3f851c3e71be6f4e254db215e32d3dc6b44965c106a1cc326a2a6ff84926e64d4978963cefea12ac583e4c42
SSDEEP

12288:DztihczmWgIXa7zeOnMcZ8xIrTalRi5HZMBp+Q4Azten/ibDAPpSNGYcycs9ozpd:DoIK/n9DTalRibMBp+Q4Aen/G

Score

10^/10

hawkeye_reborn m00nd3v_logger discovery infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/2912-56-0x0000000001E90000-0x0000000001F06000-memory.dmp	Nirsoft

M00nD3v Logger payload 10 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/2672-3-0x00000000047A0000-0x000000000484A000-memory.dmp	m00nd3v_logger
behavioral1/memory/2912-44-0x0000000000110000-0x00000000001A0000-memory.dmp	m00nd3v_logger
behavioral1/memory/2912-42-0x0000000000110000-0x00000000001A0000-memory.dmp	m00nd3v_logger
behavioral1/memory/2912-47-0x0000000000110000-0x00000000001A0000-memory.dmp	m00nd3v_logger
behavioral1/memory/2912-51-0x0000000000110000-0x00000000001A0000-memory.dmp	m00nd3v_logger
behavioral1/memory/2912-55-0x0000000000110000-0x00000000001A0000-memory.dmp	m00nd3v_logger
behavioral1/memory/3060-71-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/3060-74-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/3060-72-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/3008-151-0x0000000000080000-0x0000000000110000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2912-56-0x0000000001E90000-0x0000000001F06000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2912-56-0x0000000001E90000-0x0000000001F06000-memory.dmp	WebBrowserPassView

Executes dropped EXE 1 IoCs

Processes:

windows.exe

pid process

2700 windows.exe
Loads dropped DLL 2 IoCs

Processes:

e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exewindows.exe

pid process

2672 e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe
2700 windows.exe

pid	process
2672	e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe
2700	windows.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DsvHelper\\windows.lnk"	reg.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 bot.whatismyipaddress.com

flow	ioc
2	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 15 IoCs

Processes:

windows.exe

description	pid	process	target process
PID 2700 set thread context of 1656	2700	windows.exe	RegAsm.exe
PID 2700 set thread context of 2912	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 3060	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 1508	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 1476	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 1044	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 2496	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 3008	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 2916	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 2060	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 444	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 1100	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 1040	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 2724	2700	windows.exe	MSBuild.exe
PID 2700 set thread context of 980	2700	windows.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeRegAsm.exeMSBuild.exeMSBuild.exeMSBuild.execmd.exereg.exeMSBuild.exeMSBuild.exeMSBuild.exee3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exeMSBuild.exeMSBuild.exewindows.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

windows.exeRegAsm.exe

pid	process
2700	windows.exe
2700	windows.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
2700	windows.exe
2700	windows.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
2700	windows.exe
2700	windows.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
2700	windows.exe
2700	windows.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
2700	windows.exe
2700	windows.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
2700	windows.exe
2700	windows.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
2700	windows.exe
2700	windows.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
2700	windows.exe
2700	windows.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe
1656	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

windows.exeRegAsm.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2700	windows.exe
Token: SeDebugPrivilege	1656	RegAsm.exe
Token: SeDebugPrivilege	2912	MSBuild.exe
Token: SeDebugPrivilege	3060	MSBuild.exe
Token: SeDebugPrivilege	1508	MSBuild.exe
Token: SeDebugPrivilege	1476	MSBuild.exe
Token: SeDebugPrivilege	1044	MSBuild.exe
Token: SeDebugPrivilege	2496	MSBuild.exe
Token: SeDebugPrivilege	3008	MSBuild.exe
Token: SeDebugPrivilege	2916	MSBuild.exe
Token: SeDebugPrivilege	2060	MSBuild.exe
Token: SeDebugPrivilege	444	MSBuild.exe
Token: SeDebugPrivilege	1100	MSBuild.exe
Token: SeDebugPrivilege	1040	MSBuild.exe
Token: SeDebugPrivilege	2724	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exewindows.execmd.exe

description	pid	process	target process
PID 2672 wrote to memory of 2700	2672	e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe	windows.exe
PID 2672 wrote to memory of 2700	2672	e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe	windows.exe
PID 2672 wrote to memory of 2700	2672	e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe	windows.exe
PID 2672 wrote to memory of 2700	2672	e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe	windows.exe
PID 2700 wrote to memory of 2588	2700	windows.exe	cmd.exe
PID 2700 wrote to memory of 2588	2700	windows.exe	cmd.exe
PID 2700 wrote to memory of 2588	2700	windows.exe	cmd.exe
PID 2700 wrote to memory of 2588	2700	windows.exe	cmd.exe
PID 2588 wrote to memory of 2208	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2208	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2208	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2208	2588	cmd.exe	reg.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 1656	2700	windows.exe	RegAsm.exe
PID 2700 wrote to memory of 2912	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 2912	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 2912	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 2912	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 2912	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 2912	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 2912	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 2912	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 2912	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 3060	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 3060	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 3060	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 3060	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 3060	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 3060	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 3060	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 3060	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 3060	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1508	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1508	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1508	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1508	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1508	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1508	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1508	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1508	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1508	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1476	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1476	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1476	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1476	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1476	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1476	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1476	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1476	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1476	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1044	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1044	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1044	2700	windows.exe	MSBuild.exe
PID 2700 wrote to memory of 1044	2700	windows.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.exe" -n
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.lnk" /f
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.lnk" /f
4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.exe
Filesize
1.0MB

MD5
e3666ecb82584556a39520ea0e788ccc

SHA1
5ef3da4d7acf44376974b903cc50b28763ab9cb7

SHA256
ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8

SHA512
39c2c4aa953522dbf61fd3a3708fab917eeb729b3f851c3e71be6f4e254db215e32d3dc6b44965c106a1cc326a2a6ff84926e64d4978963cefea12ac583e4c42

Download Submit
memory/1508-85-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1656-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1656-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1656-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1656-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1656-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1656-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1656-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1656-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2672-3-0x00000000047A0000-0x000000000484A000-memory.dmp

Filesize
680KB

Download
memory/2672-0-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

Filesize
4KB

Download
memory/2672-14-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-2-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-1-0x0000000010150000-0x0000000010258000-memory.dmp

Filesize
1.0MB

Download
memory/2700-21-0x0000000000720000-0x000000000073A000-memory.dmp

Filesize
104KB

Download
memory/2700-22-0x0000000000720000-0x0000000000734000-memory.dmp

Filesize
80KB

Download
memory/2700-17-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-15-0x0000000010C90000-0x0000000010D98000-memory.dmp

Filesize
1.0MB

Download
memory/2700-16-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-58-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-57-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2912-55-0x0000000000110000-0x00000000001A0000-memory.dmp

Filesize
576KB

Download
memory/2912-46-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2912-40-0x0000000000110000-0x00000000001A0000-memory.dmp

Filesize
576KB

Download
memory/2912-51-0x0000000000110000-0x00000000001A0000-memory.dmp

Filesize
576KB

Download
memory/2912-42-0x0000000000110000-0x00000000001A0000-memory.dmp

Filesize
576KB

Download
memory/2912-56-0x0000000001E90000-0x0000000001F06000-memory.dmp

Filesize
472KB

Download
memory/2912-44-0x0000000000110000-0x00000000001A0000-memory.dmp

Filesize
576KB

Download
memory/2912-47-0x0000000000110000-0x00000000001A0000-memory.dmp

Filesize
576KB

Download
memory/2912-38-0x0000000000110000-0x00000000001A0000-memory.dmp

Filesize
576KB

Download
memory/3008-151-0x0000000000080000-0x0000000000110000-memory.dmp

Filesize
576KB

Download
memory/3060-74-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3060-70-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3060-72-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3060-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads