hawkeye | a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296

Analysis

max time kernel
136s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe
Size

753KB
MD5

881e968ddf34c38943a56651a3870174
SHA1

e53ce4b02ba94d3dbc36c09b4e6ae6bfa8960bf6
SHA256

a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296
SHA512

3c2b2690fa49f75a7b987e6e6658f2a34a548c1b1497dc16748e64eefd2236ce5baa5621aef18753f8ddc087cf20200b64741169ed0c8058063f06f32526d1c3
SSDEEP

12288:Fbdwa5NYkVSsTMDFEgqeRjP73lxNQvFHHbb/lb/////////////////FPTPRt:NqazYZsTYFlFP71xNiHbhb/////////J

Score

10^/10

hawkeye collection discovery keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Detected Nirsoft tools 12 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/2988-45-0x00000000001A0000-0x0000000000228000-memory.dmp	Nirsoft
behavioral1/memory/2988-42-0x00000000001A0000-0x0000000000228000-memory.dmp	Nirsoft
behavioral1/memory/2988-38-0x00000000001A0000-0x0000000000228000-memory.dmp	Nirsoft
behavioral1/memory/2988-34-0x00000000001A0000-0x0000000000228000-memory.dmp	Nirsoft
behavioral1/memory/2988-31-0x00000000001A0000-0x0000000000228000-memory.dmp	Nirsoft
behavioral1/memory/2988-29-0x00000000001A0000-0x0000000000228000-memory.dmp	Nirsoft
behavioral1/memory/1344-51-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1344-50-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1344-53-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/600-55-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/600-54-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/600-61-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

NirSoft MailPassView 9 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2988-45-0x00000000001A0000-0x0000000000228000-memory.dmp	MailPassView
behavioral1/memory/2988-42-0x00000000001A0000-0x0000000000228000-memory.dmp	MailPassView
behavioral1/memory/2988-38-0x00000000001A0000-0x0000000000228000-memory.dmp	MailPassView
behavioral1/memory/2988-34-0x00000000001A0000-0x0000000000228000-memory.dmp	MailPassView
behavioral1/memory/2988-31-0x00000000001A0000-0x0000000000228000-memory.dmp	MailPassView
behavioral1/memory/2988-29-0x00000000001A0000-0x0000000000228000-memory.dmp	MailPassView
behavioral1/memory/1344-51-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1344-50-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1344-53-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 9 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2988-45-0x00000000001A0000-0x0000000000228000-memory.dmp	WebBrowserPassView
behavioral1/memory/2988-42-0x00000000001A0000-0x0000000000228000-memory.dmp	WebBrowserPassView
behavioral1/memory/2988-38-0x00000000001A0000-0x0000000000228000-memory.dmp	WebBrowserPassView
behavioral1/memory/2988-34-0x00000000001A0000-0x0000000000228000-memory.dmp	WebBrowserPassView
behavioral1/memory/2988-31-0x00000000001A0000-0x0000000000228000-memory.dmp	WebBrowserPassView
behavioral1/memory/2988-29-0x00000000001A0000-0x0000000000228000-memory.dmp	WebBrowserPassView
behavioral1/memory/600-55-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/600-54-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/600-61-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
10	whatismyipaddress.com
11	whatismyipaddress.com
8	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exeRegAsm.exe

description	pid	Process	procid_target
PID 2056 set thread context of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2988 set thread context of 1344	2988	RegAsm.exe	35
PID 2988 set thread context of 600	2988	RegAsm.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RegAsm.exevbc.exevbc.exedw20.exea255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exeschtasks.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exeRegAsm.exe

pid	Process
600	vbc.exe
2988	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description	pid	Process
Token: SeDebugPrivilege	2988	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid	Process
2988	RegAsm.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exeRegAsm.exe

description	pid	Process	procid_target
PID 2056 wrote to memory of 2752	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	30
PID 2056 wrote to memory of 2752	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	30
PID 2056 wrote to memory of 2752	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	30
PID 2056 wrote to memory of 2752	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	30
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2056 wrote to memory of 2988	2056	a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe	32
PID 2988 wrote to memory of 1344	2988	RegAsm.exe	35
PID 2988 wrote to memory of 1344	2988	RegAsm.exe	35
PID 2988 wrote to memory of 1344	2988	RegAsm.exe	35
PID 2988 wrote to memory of 1344	2988	RegAsm.exe	35
PID 2988 wrote to memory of 1344	2988	RegAsm.exe	35
PID 2988 wrote to memory of 1344	2988	RegAsm.exe	35
PID 2988 wrote to memory of 1344	2988	RegAsm.exe	35
PID 2988 wrote to memory of 1344	2988	RegAsm.exe	35
PID 2988 wrote to memory of 1344	2988	RegAsm.exe	35
PID 2988 wrote to memory of 1344	2988	RegAsm.exe	35
PID 2988 wrote to memory of 600	2988	RegAsm.exe	36
PID 2988 wrote to memory of 600	2988	RegAsm.exe	36
PID 2988 wrote to memory of 600	2988	RegAsm.exe	36
PID 2988 wrote to memory of 600	2988	RegAsm.exe	36
PID 2988 wrote to memory of 600	2988	RegAsm.exe	36
PID 2988 wrote to memory of 600	2988	RegAsm.exe	36
PID 2988 wrote to memory of 600	2988	RegAsm.exe	36
PID 2988 wrote to memory of 600	2988	RegAsm.exe	36
PID 2988 wrote to memory of 600	2988	RegAsm.exe	36
PID 2988 wrote to memory of 600	2988	RegAsm.exe	36
PID 2988 wrote to memory of 856	2988	RegAsm.exe	37
PID 2988 wrote to memory of 856	2988	RegAsm.exe	37
PID 2988 wrote to memory of 856	2988	RegAsm.exe	37
PID 2988 wrote to memory of 856	2988	RegAsm.exe	37

C:\Users\Admin\AppData\Local\Temp\a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe
"C:\Users\Admin\AppData\Local\Temp\a255f84c37ae5dfa20453a9dafdc540f8bde56059e630399ce4bc5c1502a5296.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\VDFFSHBXCTFGHDNMBGKZXDDXNVMNCCXBGBNXJNCJM" /XML "C:\Users\Admin\AppData\Local\Temp\z108"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1344
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:600
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1076
    3⤵
    - System Location Discovery: System Language Discovery
    PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabA6AD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\z108

Filesize
1KB

MD5
b796f261d167abc8d6e55e564f6043b8

SHA1
542ef95d4b7e1c1c712be8a89caffcad3b14e119

SHA256
ade6d02cf9977a8667e14b71af9c98b89e3f0d741275787c5f1bcf0b1b456a9d

SHA512
86bdc8e2b577150124b102e2e8071af5ff4bed28183b79c1a66f6204e9f0bee08fba0608730df002cbbdffa6c58a236b897239385062100e72f4e3b646e5fdc8

Download Submit
memory/600-55-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/600-61-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/600-54-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1344-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1344-50-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1344-51-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2056-20-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-0-0x0000000074191000-0x0000000074192000-memory.dmp

Filesize
4KB

Download
memory/2056-1-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-47-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-46-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-26-0x00000000001A0000-0x0000000000228000-memory.dmp

Filesize
544KB

Download
memory/2988-24-0x00000000001A0000-0x0000000000228000-memory.dmp

Filesize
544KB

Download
memory/2988-29-0x00000000001A0000-0x0000000000228000-memory.dmp

Filesize
544KB

Download
memory/2988-31-0x00000000001A0000-0x0000000000228000-memory.dmp

Filesize
544KB

Download
memory/2988-34-0x00000000001A0000-0x0000000000228000-memory.dmp

Filesize
544KB

Download
memory/2988-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2988-38-0x00000000001A0000-0x0000000000228000-memory.dmp

Filesize
544KB

Download
memory/2988-42-0x00000000001A0000-0x0000000000228000-memory.dmp

Filesize
544KB

Download
memory/2988-45-0x00000000001A0000-0x0000000000228000-memory.dmp

Filesize
544KB

Download