Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-12-2024 10:29
General
-
Target
bpaymentcopy.exe
-
Size
765KB
-
MD5
5205be9a501dae770c6e557b5fdaeebc
-
SHA1
a8a34796e05ac4ff1a0b92bdbbaedc01e8cedfa5
-
SHA256
aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331
-
SHA512
e7177c8f6562363751dedf374195ed0c59ba478530ba58e2428a62ba40fbae73c9dc9f55cdf8890779a9a848c53d6fedd7bdb9658e995df7331d8eea6a05170d
-
SSDEEP
12288:LXNrylgwbJqMBSlxaZmvB008Jz1vakTLAJnElBaSP6XQ2lfix4phRDiaZEAmD:MgwkMYxcmUzgkTL2FSPd2ExQhJ
Malware Config
Extracted
Protocol: smtp- Host:
mail.britishcrowncourt.net - Port:
587 - Username:
[email protected] - Password:
@Hustle007ky1
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Hawkeye family
-
Detected Nirsoft tools 7 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bpaymentcopy.exe"C:\Users\Admin\AppData\Local\Temp\bpaymentcopy.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bpaymentcopy.exe"C:\Users\Admin\AppData\Local\Temp\bpaymentcopy.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD58f1f55a9e2fa4fc9931e78a47d81f0e1
SHA142d4baf7941041b6dcfb9888b32506abe4f63f51
SHA25663a16e0b3871144e34e91db7c8f44b4f70c47aa1d48e1ec956e0d5451c72b3f3
SHA5129a1426c3a77d93e9d068c27b3b8a5a8616eb91f0f457b6a2ab4652f24618f162c3d26b3b53af2cd827d11382f51b57444783b5040e0ad1db62f5ecf2df57de12
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
Filesize
765KB
MD55205be9a501dae770c6e557b5fdaeebc
SHA1a8a34796e05ac4ff1a0b92bdbbaedc01e8cedfa5
SHA256aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331
SHA512e7177c8f6562363751dedf374195ed0c59ba478530ba58e2428a62ba40fbae73c9dc9f55cdf8890779a9a848c53d6fedd7bdb9658e995df7331d8eea6a05170d
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
592KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
804KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
800KB
-
Filesize
80KB