Analysis

Max time kernel: 151s
Max time network: 159s
Platform: windows7_x64
Resource: win7v200430
Submitted: 01-05-2020 12:06
Static task: static1
Behavioral task: behavioral1 (sample: malware.exe, resource: win7v200430)
Behavioral task: behavioral2 (sample: malware.exe, resource: win10v200430)
General

Target: malware.exe
Size: 743KB
MD5: d0b3518e06e76afbf847b77eb0394aee
SHA1: 56d0931f5ca3dfb0f3848a512297adbf7d758a87
SHA256: a95ad9e61847bec0e9faac52ac95e069cf6cf9583733cc10cf547060e096eb24
SHA512: 0654014c576f29947c6773be6b0c359a1487d6ad7a9eab0cea3cc9df49d1fda1715d143d937347839aec815220783206af175ee1385c9838046798241f1c8bfd
Malware Config

Extracted
Family: hawkeye_reborn
Version: 10.0.0.0
Credentials:
  Protocol: smtp
  Host: mail.novaa-ship.com
  Port: 587
  Username: [email protected]
  Password: Azz%LcQK%sb!
Mutex: d21bafc9-f1e1-4be7-9df9-d1d467ddd0d0
Fields:
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Azz%LcQK%sb! _EmailPort:587 _EmailSSL:true _EmailServer:mail.novaa-ship.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:20 _MeltFile:false _Mutex:d21bafc9-f1e1-4be7-9df9-d1d467ddd0d0 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:true _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
Name: HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null
Signatures

Suspicious use of WriteProcessMemory (48 IoCs)
Processes:
description | pid | process | target process
PID 1400 wrote to memory of 820 | 1400 | malware.exe | Uopcep.exe
PID 1400 wrote to memory of 820 | 1400 | malware.exe | Uopcep.exe
PID 1400 wrote to memory of 820 | 1400 | malware.exe | Uopcep.exe
PID 1400 wrote to memory of 820 | 1400 | malware.exe | Uopcep.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 820 wrote to memory of 1936 | 820 | Uopcep.exe | regasm.exe
PID 1936 wrote to memory of 1420 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1420 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1420 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1420 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1420 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1420 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1420 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1420 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1420 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1420 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1600 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1600 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1600 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1600 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1600 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1600 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1600 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1600 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1600 | 1936 | regasm.exe | vbc.exe
PID 1936 wrote to memory of 1600 | 1936 | regasm.exe | vbc.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes:
description | pid | process | target process
PID 820 set thread context of 1956 | 820 | Uopcep.exe | regasm.exe
PID 820 set thread context of 1936 | 820 | Uopcep.exe | regasm.exe
PID 1936 set thread context of 1420 | 1936 | regasm.exe | vbc.exe
PID 1936 set thread context of 1600 | 1936 | regasm.exe | vbc.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid | process
820 | Uopcep.exe
820 | Uopcep.exe
820 | Uopcep.exe
820 | Uopcep.exe
1956 | regasm.exe
1956 | regasm.exe
1420 | vbc.exe
1420 | vbc.exe
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | Uopcep.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [value not preserved in this copy] | Uopcep.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | Uopcep.exe
Note: the thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 and the DER certificate embedded in the Blob value (the subject name "DigiCert High Assurance EV Root CA" is readable in the hex) belong to a public DigiCert root; Windows writes public roots into AuthRoot the first time a TLS client chains to them, so this entry by itself does not show a rogue certificate being installed.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run entry to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kherg = "C:\\Users\\Admin\\AppData\\Roaming\\Awwovi\\kherg.url" | Uopcep.exe
Executes dropped EXE (1 IoCs)
Processes:
pid | process
820 | Uopcep.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
11 | bot.whatismyipaddress.com
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid | process
1400 | malware.exe
1400 | malware.exe
820 | Uopcep.exe
820 | Uopcep.exe
Loads dropped DLL (1 IoCs)
Processes:
pid | process
1400 | malware.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 820 | Uopcep.exe
Token: SeDebugPrivilege | 1956 | regasm.exe
Token: SeDebugPrivilege | 1936 | regasm.exe
js (1 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1400-5-0x000000007414F02E-0x000000007456DFC6-disk.dmp | js
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
Processes

malware.exe (PID 1400)
  Path: C:\Users\Admin\AppData\Local\Temp\malware.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\malware.exe"
  Signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetWindowsHookEx; Loads dropped DLL

  Uopcep.exe (PID 820)
    Path: C:\Users\Admin\AppData\Roaming\Awwovi\Uopcep.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Awwovi\Uopcep.exe"
    Signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Modifies system certificate store; Adds Run entry to start application; Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of AdjustPrivilegeToken

    regasm.exe (PID 1956)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    regasm.exe (PID 1936)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      Signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken

      vbc.exe (PID 1420)
        Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8C89.tmp"
        Signatures: Suspicious behavior: EnumeratesProcesses

      vbc.exe (PID 1600)
        Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7EA6.tmp"