hawkeye | acd94d6b3021ebdd56e395a37644d6765bd0012d4571714d6d418feeb626d000

General

Target

ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
Size

686KB
MD5

ef30953cbaaa700a085e3cfe29aaff9e
SHA1

8d2b2aea2daa5f43426e0b300b57d86bf20cacb3
SHA256

acd94d6b3021ebdd56e395a37644d6765bd0012d4571714d6d418feeb626d000
SHA512

b21b1a654a7bfe8bc0f3b9995822ab9fc60dca431f231ecccb32ceb40bc478bed315301a2c58f78fab831351d1e4ca1ee2e88dd2d4bafa4eb140f2c6891dd2eb
SSDEEP

12288:ZOFxsG29O71cvz3XMR4tTw9l2177oEKE8wEKLq3R5oKzkU5xgKZkgMUe0WSa:USG2UJcvz3JtTw3E8/B5oESKs0WF

Score

10^/10

hawkeye collection credential_access discovery keylogger spyware stealer trojan upx

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 9 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/4052-13-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral2/memory/1452-42-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1452-44-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1452-45-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1452-46-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4424-49-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4424-51-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4424-52-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4424-59-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4052-13-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral2/memory/1452-42-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1452-44-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1452-45-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1452-46-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4052-13-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral2/memory/4424-49-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4424-51-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4424-52-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4424-59-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp8715.tmp	acprotect

Loads dropped DLL 1 IoCs

Processes:

ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

pid process

4132 ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

pid	process
4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4132-34-0x00000000733A0000-0x00000000733CE000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp8715.tmp	upx
behavioral2/memory/4132-37-0x00000000733A0000-0x00000000733CE000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 whatismyipaddress.com
20 whatismyipaddress.com

flow	ioc
18	whatismyipaddress.com
20	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exeef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

description	pid	process	target process
PID 4132 set thread context of 4052	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
PID 4052 set thread context of 1452	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 set thread context of 4424	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exevbc.exevbc.exedw20.exeef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\92C1588E85AF2201CE7915E8538B492F605B80C6	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\92C1588E85AF2201CE7915E8538B492F605B80C6\Blob = 03000000010000001400000092c1588e85af2201ce7915e8538b492f605b80c61400000001000000140000005ac4b97b2a0aa3a5ea7103c060f92df665750e58040000000100000010000000b656376c3d2acebba18849d604361bd50f0000000100000020000000e767799478f64a34b3f53ff3bb9057fe1768f4ab178041b0dcc0ff1e210cba65190000000100000010000000021dfb9b16b1303a97b0bf78cda68e465c000000010000000400000000080000180000000100000010000000749966cecc95c1874194ca7203f9b6204b0000000100000044000000340032004200390041003400370033004200340044004100460030003100320038003500410033003600420034004400330043003700420031003600360032005f0000002000000001000000340500003082053030820418a00302010202100409181b5fd5bb66755343b56f955008300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3133313032323132303030305a170d3238313032323132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100f8d3b31c7f0e11af677707d30b314919cfd0fb4599b13adb44f57fe5a89ddb32d771ea769d052eb78ffa9243c0a5f989d43719d7b6aaf09c86a5d825ac0e79283a7ee9d167d3c6fb2927c7d37b2394e4912396907782f9a18423661254335074b12826bb2469c2c252f214678a8945d42da1a3e9882c2095ae1c4a8708df0cf5e24d6018beaac4b2ae70316633713eac70a2abce7fe97ccb92a1e53b311ccfeaf20ae457bb4ab5e974e62bfe6ccb7e7439360d90efe4b54ea4a9ea6a0aab84f3ac674eb5c4f78cd1202523eb08643e5296c1f20f12f4c58e0fc1a2e82c51f773bcbd85b1628373418207e4388b6a7320d00f64733c9e9fa633a9fd19df2593d10203010001a38201cd308201c930120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c304f0603551d20044830463038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300a06086086480186fd6c03301d0603551d0e041604145ac4b97b2a0aa3a5ea7103c060f92df665750e58301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010b050003820101003eec0d5a24b3f322d115c82c7c252976a81d5d1c2d3a1ac4ef3061d77e0b60fdc33d0fc4af8bfdef2adf205537b0e1f6d192750f51b46ea58e5ae25e24814e10a4ee3f718e630e134badd75f4479f33614068af79c464e5cff90b11b070e9115fbbaafb551c28d24ae24c6c7272aa129281a3a7128023c2e91a3c02511e29c1447a17a6868af9ba75c205cd971b10c8fbba8f8c512689fcf40cb4044a513f0e6640c25084232b2368a2402fe2f727e1cd7494596e8591de9fa74646bb2eb6643dab3b08cd5e90dddf60120ce9931633d081a18b3819b4fc6931006fc0781fa8bdaf98249f7626ea153fa129418852e9291ea686c4432b266a1e718a49a6451ef	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exevbc.exeef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

pid process

4132 ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
4424 vbc.exe
4424 vbc.exe
4052 ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

pid	process
4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
4424	vbc.exe
4424	vbc.exe
4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exeef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
Token: SeDebugPrivilege	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
Token: SeRestorePrivilege	5016	dw20.exe
Token: SeBackupPrivilege	5016	dw20.exe
Token: SeBackupPrivilege	5016	dw20.exe
Token: SeBackupPrivilege	5016	dw20.exe
Token: SeBackupPrivilege	5016	dw20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

pid process

4052 ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

pid	process
4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exeef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe

description	pid	process	target process
PID 4132 wrote to memory of 4052	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
PID 4132 wrote to memory of 4052	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
PID 4132 wrote to memory of 4052	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
PID 4132 wrote to memory of 4052	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
PID 4132 wrote to memory of 4052	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
PID 4132 wrote to memory of 4052	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
PID 4132 wrote to memory of 4052	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
PID 4132 wrote to memory of 4052	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
PID 4132 wrote to memory of 2672	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	taskhostw.exe
PID 4132 wrote to memory of 2164	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	spoolsv.exe
PID 4132 wrote to memory of 2556	4132	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	sihost.exe
PID 4052 wrote to memory of 1452	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 1452	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 1452	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 1452	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 1452	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 1452	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 1452	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 1452	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 1452	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 4424	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 4424	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 4424	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 4424	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 4424	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 4424	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 4424	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 4424	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 4424	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	vbc.exe
PID 4052 wrote to memory of 5016	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	dw20.exe
PID 4052 wrote to memory of 5016	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	dw20.exe
PID 4052 wrote to memory of 5016	4052	ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe	dw20.exe

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2164

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2556

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Users\Admin\AppData\Local\Temp\ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ef30953cbaaa700a085e3cfe29aaff9e_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1452
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4424
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 2420
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8715.tmp

Filesize
66KB

MD5
aaa698721f488b181bc0f0afc5da126a

SHA1
76536a73f16ffd643ea24f8725cebfff9d49852f

SHA256
e71ba7ce01d10e60a4feac7fc5e04f34756ba621c7d88583d0f96bd3b2655647

SHA512
67d8b05678fbdc1678515c341fa8c1e26f3d1b15f2cc390bb9b1a26589a346fd57697dd3366e72d46ab265570929f1be89b8aec81112a2a98194c5886c89261d

Download Submit
memory/1452-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1452-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1452-42-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1452-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4052-48-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4052-25-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4052-22-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4052-47-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4052-24-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4052-41-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4052-13-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4052-66-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4132-34-0x00000000733A0000-0x00000000733CE000-memory.dmp

Filesize
184KB

Download
memory/4132-37-0x00000000733A0000-0x00000000733CE000-memory.dmp

Filesize
184KB

Download
memory/4132-38-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4132-0-0x0000000075352000-0x0000000075353000-memory.dmp

Filesize
4KB

Download
memory/4132-2-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4132-1-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4424-49-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4424-51-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4424-52-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4424-59-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4424-58-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads