Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 04:35
General
-
Target
5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f.exe
-
Size
742KB
-
MD5
9e86c85f3d451e8a8716c39dbe28379a
-
SHA1
c23ac963949b1c91ae566be269971e72808376a7
-
SHA256
5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f
-
SHA512
f8a4c42b41e3d4333120ad76701fff135f64805e558a4cf50fad17f86af1ed71ce4bbc34ab2128d72caa9029e76b30d29be29ba5a6873315538c3949b8cfa422
-
SSDEEP
12288:txGQ/w/DKicDR4RBAwFV340O5BZOKhNSRmDSuo8ukI/Px6VqlZz6oa5Nlt4pWG:PGQYLPRBAwFVo0O5BZOKhNZ9I4UlZmdO
Malware Config
Extracted
Protocol: smtp- Host:
webmail.mts.rs - Port:
587 - Username:
[email protected] - Password:
Tptadic
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Hawkeye family
-
Detected Nirsoft tools 4 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f.exe"C:\Users\Admin\AppData\Local\Temp\5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f.exe"C:\Users\Admin\AppData\Local\Temp\5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f.exe"C:\Users\Admin\AppData\Local\Temp\5e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102B
MD57c4dbc15fc3117ea74878e6ccab9b311
SHA1bda818092dc60cb226dca2eb48cec3fb989f6799
SHA25619297f6f41f200a14e1da9ee08cfbd8c2f5431a9ec99ce861a92183e2415a3e8
SHA51260c674c61919e7491bb58192186ddef94844e63cdcc2455563a95f83e6d3426eee99739c43182221447d7fe295ee5ef0ed38c0c4fce92fe7d498b9fd114adb37
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
Filesize
742KB
MD59e86c85f3d451e8a8716c39dbe28379a
SHA1c23ac963949b1c91ae566be269971e72808376a7
SHA2565e0fca97a0d1f7abf543f5f9028681148de67780c584dc59c4163fefcbcca07f
SHA512f8a4c42b41e3d4333120ad76701fff135f64805e558a4cf50fad17f86af1ed71ce4bbc34ab2128d72caa9029e76b30d29be29ba5a6873315538c3949b8cfa422
-
Filesize
352KB
-
Filesize
804KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
592KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
768KB