General

  • Target

    Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.EXE

  • Size

    1.8MB

  • Sample

    200624-wsxnarpr56

  • MD5

    1e80be82f8e930a7160c225ea1fb529e

  • SHA1

    7c50b9f3550d1d4c6abdb668cec1d7461a4c13d6

  • SHA256

    68101d145825fc980210f1f56638011d98eeaf5c53fb734b62a80dac6489f2e3

  • SHA512

    964181a2b3d3db5522a99dfa4c77c87d7c921981e55ecd2cd9fa8f10dd170082637cb6d130a7fee8182a3e6b967e98d34d072d7955233a17b281cd598080bf93

Malware Config

Targets

    • Target

      Purchase Order_23011008_PDF ________________________ iGSTEEEE1124EEEEEEXEEEE.EXE

    • Size

      1.8MB

    • MD5

      1e80be82f8e930a7160c225ea1fb529e

    • SHA1

      7c50b9f3550d1d4c6abdb668cec1d7461a4c13d6

    • SHA256

      68101d145825fc980210f1f56638011d98eeaf5c53fb734b62a80dac6489f2e3

    • SHA512

      964181a2b3d3db5522a99dfa4c77c87d7c921981e55ecd2cd9fa8f10dd170082637cb6d130a7fee8182a3e6b967e98d34d072d7955233a17b281cd598080bf93

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Adds Run entry to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies system certificate store

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Scripting

1
T1064

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Tasks