Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
02-12-2024 10:29
General
-
Target
bpaymentcopy.exe
-
Size
765KB
-
MD5
5205be9a501dae770c6e557b5fdaeebc
-
SHA1
a8a34796e05ac4ff1a0b92bdbbaedc01e8cedfa5
-
SHA256
aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331
-
SHA512
e7177c8f6562363751dedf374195ed0c59ba478530ba58e2428a62ba40fbae73c9dc9f55cdf8890779a9a848c53d6fedd7bdb9658e995df7331d8eea6a05170d
-
SSDEEP
12288:LXNrylgwbJqMBSlxaZmvB008Jz1vakTLAJnElBaSP6XQ2lfix4phRDiaZEAmD:MgwkMYxcmUzgkTL2FSPd2ExQhJ
Malware Config
Extracted
Protocol: smtp- Host:
mail.britishcrowncourt.net - Port:
587 - Username:
[email protected] - Password:
@Hustle007ky1
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Hawkeye family
-
Detected Nirsoft tools 12 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 8 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 9 IoCs
Password recovery tool for various web browsers
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bpaymentcopy.exe"C:\Users\Admin\AppData\Local\Temp\bpaymentcopy.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bpaymentcopy.exe"C:\Users\Admin\AppData\Local\Temp\bpaymentcopy.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD58f1f55a9e2fa4fc9931e78a47d81f0e1
SHA142d4baf7941041b6dcfb9888b32506abe4f63f51
SHA25663a16e0b3871144e34e91db7c8f44b4f70c47aa1d48e1ec956e0d5451c72b3f3
SHA5129a1426c3a77d93e9d068c27b3b8a5a8616eb91f0f457b6a2ab4652f24618f162c3d26b3b53af2cd827d11382f51b57444783b5040e0ad1db62f5ecf2df57de12
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
765KB
MD55205be9a501dae770c6e557b5fdaeebc
SHA1a8a34796e05ac4ff1a0b92bdbbaedc01e8cedfa5
SHA256aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331
SHA512e7177c8f6562363751dedf374195ed0c59ba478530ba58e2428a62ba40fbae73c9dc9f55cdf8890779a9a848c53d6fedd7bdb9658e995df7331d8eea6a05170d
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
800KB
-
Filesize
80KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
6.9MB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
6.9MB
-
Filesize
592KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
592KB
-
Filesize
800KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB