Analysis Overview
SHA256
a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6de
Threat Level: Known bad
The file a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe was found to be: Known bad.
Malicious Activity Summary
Hawkeye family
HawkEye
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Checks computer location settings
Reads user/profile data of web browsers
Uses the Visual Basic .NET compiler (vbc.exe) for execution
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 15:52
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-25 15:52
Reported
2024-11-25 15:54
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
HawkEye
Hawkeye family
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | N/A |
Reads user/profile data of web browsers
Uses the Visual Basic .NET compiler (vbc.exe) for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3340 set thread context of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe |
| PID 4740 set thread context of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 4740 set thread context of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe
"C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\2035571450.xml"
C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe
"C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.223.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.smtpcart.com | udp |
| US | 8.8.8.8:53 | mail.smtpcart.com | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/3340-0-0x0000000074D12000-0x0000000074D13000-memory.dmp
memory/3340-1-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/3340-2-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/3340-3-0x0000000074D12000-0x0000000074D13000-memory.dmp
memory/3340-4-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/3340-5-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/3340-6-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/3340-7-0x0000000074D10000-0x00000000752C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2035571450.xml
| MD5 | bf30128fc0e93615f8205cd9b76aa8cd |
| SHA1 | f7851e3938c1b4daa96225d0babc692f5ebf1137 |
| SHA256 | 514fdb41be77e454b633e3a452a61c8a525c077bd29cdc1f6166a5aa0bb20f76 |
| SHA512 | a195dab8e3879d8a439928ad06d06125e190dee5157582be5abd95987a5efbc4fd77c4068b4e43c1ea1956b8a2fc7810da6570e1475429100fd1f48931dcabdb |
memory/4740-11-0x0000000000400000-0x000000000048C000-memory.dmp
memory/4740-10-0x0000000000400000-0x000000000048C000-memory.dmp
memory/4740-12-0x0000000000400000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe.log
| MD5 | cde6529abeea500fb852f29ba0da6115 |
| SHA1 | 45f2f48492417ae6a0eade8aaa808d3d1d760743 |
| SHA256 | d7f4964443470b6729865676d76f5f1f416da633033071c34ea5eb19cdea53b5 |
| SHA512 | c95fa7faf6a90f32060dba70f79c4d66c68d6eec587306fb98f36fc3ba5d377ebf9dabf47298b71db208fb10f7ccb4e0ed82236c8f26bcc746552588bbb38234 |
memory/3340-17-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/4740-16-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/4740-20-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/4740-21-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/4636-22-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4636-24-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4740-26-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/4636-28-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4740-29-0x0000000074D10000-0x00000000752C1000-memory.dmp
memory/1084-30-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1084-33-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1084-32-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
| MD5 | f94dc819ca773f1e3cb27abbc9e7fa27 |
| SHA1 | 9a7700efadc5ea09ab288544ef1e3cd876255086 |
| SHA256 | a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92 |
| SHA512 | 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196 |
memory/1084-41-0x0000000000400000-0x0000000000458000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 15:52
Reported
2024-11-25 15:54
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
HawkEye
Hawkeye family
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Reads user/profile data of web browsers
Uses the Visual Basic .NET compiler (vbc.exe) for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2248 set thread context of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe |
| PID 2760 set thread context of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2760 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
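Added example (this editor's Python, not sandbox output): it reconstructs the injection chain from the "Suspicious use of SetThreadContext" rows of both runs above (behavioral2 on Windows 10, behavioral1 on Windows 7) together with the 0x400000 regions listed under Files, and separates the sample's re-launch of its own image from the subsequent writes into vbc.exe. PIDs, image paths and region bounds are copied from this report; the labels, the ATT&CK mapping and the "one payload size per host" reading are the example's own assumptions.

```python
"""Reconstruct the injection chain from the report's
"PID X set thread context of Y" rows and the dumped 0x400000 regions.

Added example: PIDs, image paths and region bounds are copied from the
report; the labels and the payload-size reading are assumptions.
"""
import re
from collections import defaultdict

SELF = r"C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

# (row description, source image, target image) from the SetThreadContext tables
SETCTX_ROWS = {
    "behavioral2 (win10v2004)": [
        ("PID 3340 set thread context of 4740", SELF, SELF),
        ("PID 4740 set thread context of 4636", SELF, VBC),
        ("PID 4740 set thread context of 1084", SELF, VBC),
    ],
    "behavioral1 (win7)": [
        ("PID 2248 set thread context of 2760", SELF, SELF),
        ("PID 2760 set thread context of 1796", SELF, VBC),
        ("PID 2760 set thread context of 2744", SELF, VBC),
    ],
}

# Dump names from the Files sections (memory/<pid>-<seq>-<start>-<end>-memory.dmp)
MEMORY_DUMPS = {
    "behavioral2 (win10v2004)": [
        "memory/4740-10-0x0000000000400000-0x000000000048C000-memory.dmp",
        "memory/4636-22-0x0000000000400000-0x000000000041B000-memory.dmp",
        "memory/1084-30-0x0000000000400000-0x0000000000458000-memory.dmp",
    ],
    "behavioral1 (win7)": [
        "memory/2760-7-0x0000000000400000-0x000000000048C000-memory.dmp",
        "memory/1796-32-0x0000000000400000-0x000000000041B000-memory.dmp",
        "memory/2744-39-0x0000000000400000-0x0000000000458000-memory.dmp",
    ],
}

ROW_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_edges(rows):
    """Return (src_pid, dst_pid, src_image, dst_image) for every row."""
    edges = []
    for desc, src_img, dst_img in rows:
        m = ROW_RE.search(desc)
        if not m:
            raise ValueError(f"unrecognised row: {desc!r}")
        edges.append((int(m.group(1)), int(m.group(2)), src_img, dst_img))
    return edges


def image_sizes(dumps):
    """Map pid -> size of the region dumped at the classic 0x400000 image base."""
    sizes = {}
    for name in dumps:
        m = DUMP_RE.match(name)
        if not m:
            continue
        pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        if start == 0x400000:
            sizes[pid] = end - start
    return sizes


def classify(edges, sizes):
    """Re-launching one's own image and rewriting its main thread context is the
    unpack step; doing it to a different image is process hollowing (T1055.012)."""
    findings = []
    for src, dst, src_img, dst_img in edges:
        kind = ("self-injection (unpack stage)" if src_img == dst_img
                else "hollowing of different image")
        findings.append({"src": src, "dst": dst, "kind": kind,
                         "target_image": dst_img.rsplit("\\", 1)[-1],
                         "image_size": sizes.get(dst)})
    return findings


def hollowed_payload_sizes(findings):
    """Distinct 0x400000 region sizes in hollowed hosts. Two sizes in two vbc.exe
    hosts means two different payloads were written, consistent with (not proof
    of) one NirSoft tool per host."""
    return sorted({f["image_size"] for f in findings
                   if f["kind"].startswith("hollowing") and f["image_size"] is not None})


def chain_depth(edges):
    """Longest injection path, in edges, starting from a PID nobody injected into."""
    children = defaultdict(list)
    for src, dst, _, _ in edges:
        children[src].append(dst)
    roots = {s for s, *_ in edges} - {d for _, d, *_ in edges}

    def depth(pid):
        return 1 + max((depth(c) for c in children[pid]), default=0)

    return max(depth(r) for r in roots) - 1 if roots else 0


def analyze(run):
    edges = parse_edges(SETCTX_ROWS[run])
    findings = classify(edges, image_sizes(MEMORY_DUMPS[run]))
    return {"findings": findings, "depth": chain_depth(edges),
            "payload_sizes": hollowed_payload_sizes(findings)}


if __name__ == "__main__":
    for run in SETCTX_ROWS:
        r = analyze(run)
        print(run, "depth", r["depth"], "payloads", [hex(s) for s in r["payload_sizes"]])
        for f in r["findings"]:
            print("  ", f["src"], "->", f["dst"], f["target_image"], f["kind"])
```

Both runs give the same shape: a two-hop chain, one self-injection followed by two hollowed vbc.exe hosts whose 0x400000 regions differ in size (0x1B000 and 0x58000), which is what you would expect if each host carries a different injected tool.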
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe
"C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\104115120.xml"
C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe
"C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
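Added example (this editor's Python, not sandbox output): a command-line triage pass over the Processes lists of both runs above. It flags the schtasks /Create call whose task XML lives in %TEMP%, the vbc.exe invocations that carry /stext (not a vbc.exe compiler option, but the save-report switch of NirSoft's password tools, which is why a "compiler" writes holdermail.txt), and the System32-vs-SysWOW64 mismatch that reveals a 32-bit parent. The command lines are copied from the report; the rule names, the ATT&CK IDs and the splitter are the example's own assumptions.

```python
"""Triage the (image path, command line) pairs listed under Processes.

Added example: the pairs are copied from the behavioral2 run (behavioral1
differs only in the task XML name, 104115120.xml); rule names, ATT&CK IDs
and the minimal splitter are assumptions, not sandbox logic.
"""
import re

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

SELF = r"C:\Users\Admin\AppData\Local\Temp\a356bf936ed2a2ead436bbd75ffbff2d6dfe98525e42292afecf25afdc0da6deN.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
PROCESSES = [
    (SELF, f'"{SELF}"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\2035571450.xml"'),
    (SELF, f'"{SELF}"'),
    (VBC, VBC + r' /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    (VBC, VBC + r' /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
]


def split_cmdline(cmd):
    """Minimal Windows-style splitter: a double-quoted run is one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmd)]


def switch_value(argv, name):
    """Value following a case-insensitive /switch, or None if absent."""
    for i, a in enumerate(argv[:-1]):
        if a.lower() == name.lower():
            return argv[i + 1]
    return None


def triage(image, cmdline):
    """Return the findings for one process; an empty list means nothing matched."""
    argv = split_cmdline(cmdline)
    if not argv:
        return []
    exe = image.rsplit("\\", 1)[-1].lower()
    flags = {a.lower() for a in argv[1:]}
    findings = []

    if exe == "schtasks.exe" and "/create" in flags:
        xml = switch_value(argv, "/XML")
        findings.append({"rule": "scheduled-task persistence", "attack": "T1053.005",
                         "task": switch_value(argv, "/TN"), "xml": xml,
                         "xml_in_temp": bool(xml and TEMP_RE.search(xml))})

    # vbc.exe is the VB.NET compiler; /stext <file> is not one of its options
    # but is the "save report as text" switch of NirSoft's recovery tools.
    if exe == "vbc.exe" and "/stext" in flags:
        findings.append({"rule": "NirSoft tool hosted in vbc.exe", "attack": "T1555",
                         "output": switch_value(argv, "/stext")})

    # A 32-bit parent asking for System32 gets SysWOW64 via file-system redirection.
    if "\\syswow64\\" in image.lower() and "\\system32\\" in argv[0].lower():
        findings.append({"rule": "WoW64 redirection (32-bit parent)", "attack": None})
    return findings


def triage_all(processes):
    return [(image, triage(image, cmd)) for image, cmd in processes]


if __name__ == "__main__":
    for image, found in triage_all(PROCESSES):
        for f in found:
            print(image.rsplit("\\", 1)[-1], "->", f)
```

The bare sample launches produce no findings; the schtasks line yields both the persistence hit and the WoW64 note, and each vbc.exe line yields one NirSoft hit pointing at holdermail.txt, which is the same output path both hosts were given.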
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:443 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | mail.smtpcart.com | udp |
Files
memory/2248-0-0x0000000074A51000-0x0000000074A52000-memory.dmp
memory/2248-1-0x0000000074A50000-0x0000000074FFB000-memory.dmp
memory/2248-2-0x0000000074A50000-0x0000000074FFB000-memory.dmp
memory/2248-3-0x0000000074A50000-0x0000000074FFB000-memory.dmp
memory/2248-4-0x0000000074A50000-0x0000000074FFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\104115120.xml
| MD5 | 1d53f536c7d66b21bd161794c99abdbf |
| SHA1 | 9b8f6219dc2775b838f767deb14c7453e9e93383 |
| SHA256 | 85d74a41ccecd6a20df5c7397939e4c183e65aa502133d8eac04c6801567cef8 |
| SHA512 | 73f26800a245f7f1521ccb02c913287c88fcf675c0a759eaf340f0653dc28688d330115e53e40b7d0d2dc3eb7a6628312f30dbcc9e34d478807cf4ad9f3b1e79 |
memory/2760-17-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2760-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2248-25-0x0000000074A50000-0x0000000074FFB000-memory.dmp
memory/2760-24-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2760-22-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2760-14-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2760-7-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2760-11-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2760-9-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2760-26-0x0000000074A50000-0x0000000074FFB000-memory.dmp
memory/2760-28-0x0000000074A50000-0x0000000074FFB000-memory.dmp
memory/2760-27-0x0000000074A50000-0x0000000074FFB000-memory.dmp
memory/2760-31-0x0000000074A50000-0x0000000074FFB000-memory.dmp
memory/1796-32-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1796-34-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1796-35-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1796-37-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2760-38-0x0000000074A50000-0x0000000074FFB000-memory.dmp
memory/2744-39-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2744-40-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2744-47-0x0000000000400000-0x0000000000458000-memory.dmp