Overview

overview

10

Static

static

1

4972451c57...cN.exe

windows7-x64

10

4972451c57...cN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4972451c5773b795d9499e8153c44ce32cc98958083a4ee7b88f4ac2fd0aedfcN.exe

  • Size

    1.1MB

  • MD5

    a4b7826e6589c71a90858b2f14a02480

  • SHA1

    495270d636c1b04cda524580ea6ef3298f442c25

  • SHA256

    4972451c5773b795d9499e8153c44ce32cc98958083a4ee7b88f4ac2fd0aedfc

  • SHA512

    348725f111cee510af12736a96dcdc1d85383504a89914ebe175892fffabd117e34d9f39f4afe9bfcc38263fc0dc0839742c8243abed38c69ef73b50afd00b52

  • SSDEEP

    24576:hhntGx9yVf41ob4s6ABttGZOATIZXTnR13//lW:PtGZ1oEEbG8xXjlW

Score
10/10
hawkeyecollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.zoho.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Diego1986

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Detected Nirsoft tools 9 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 6 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4972451c5773b795d9499e8153c44ce32cc98958083a4ee7b88f4ac2fd0aedfcN.exe
    "C:\Users\Admin\AppData\Local\Temp\4972451c5773b795d9499e8153c44ce32cc98958083a4ee7b88f4ac2fd0aedfcN.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\Music\magert.exe
      "C:\Users\Admin\Music\magert.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Users\Admin\Music\magert.exe
        "C:\Users\Admin\Music\magert.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2492
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\magert.exe.log
    Filesize

    526B

    MD5

    0b25f9f358a722369479cecdb0bfdfd4

    SHA1

    0e5e586dc2387f8492dc7bb8b9ba17cce90ba6fb

    SHA256

    97e51099c3c8b24d92ae0f8c0241b3477e52127f0da5f89175c56abc202196c7

    SHA512

    5f91fcd8822aa8e74566dc4b89af55e9f539aab19dc11cb450c13baa846e494b9f27954cce8626c867177b43e76be03a631c58e29be41b7bdad61576f5b8378b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    Download Submit

  • C:\Users\Admin\Music\magert.exe
    Filesize

    1.1MB

    MD5

    ffb8448bb6b23408794788a3bacb45bb

    SHA1

    79894fb6e5234e2c5c50b443756ebf6188f7f168

    SHA256

    1647837c4c4a9becf58f5975056d30698a96d0b404702eb28caf3b4aa3e24a5d

    SHA512

    9e275030403c92913a30b481cd2a255c605f1a6331b0789058202d0cb56370d24b2dd90a7528618cb055095f78dd99a8af5b7e8526d346d7cf4714330d29204b

    Download Submit

  • memory/2376-1-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2376-2-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2376-5-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2376-6-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2376-7-0x0000000074F52000-0x0000000074F53000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2376-8-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2376-30-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2376-0-0x0000000074F52000-0x0000000074F53000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2492-49-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2492-50-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2492-51-0x0000000000420000-0x00000000004E9000-memory.dmp

    Filesize

    804KB

    Download

  • memory/2492-52-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2608-38-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2608-53-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2608-37-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2608-45-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2608-39-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2608-46-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2832-32-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2832-44-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2832-33-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2832-35-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2832-34-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2832-31-0x0000000074F50000-0x0000000075501000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4316-54-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4316-55-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4316-62-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download