Payment.exe

General

Target: Payment.exe
Filesize: 632KB
Completed: 26-05-2020 15:45
Score: 10/10
MD5: 93754785d90a7266752db82c7ae5c409
SHA1: 1e364df2ed6e173aea29267dcbe35b9ecd035c00
SHA256: 18b880e3b13ed9f47ecbb88ffe91ad90f54e8f98fc2813d4d85ec11fe64f6811

Malware Config

Extracted

Family: hawkeye_reborn
Version: 10.1.2.5

Credentials

Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: cjmyguy@yandex.com
Password: @@Io419090@@

Attributes

fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: @@Io419090@@
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: smtp.yandex.com
  _EmailUsername: cjmyguy@yandex.com
  _EmptyClipboard: true
  _EmptyKeyStroke: true
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _LoopPasswordStealer: true
  _MeltFile: false
  _Mutex: 9d7a8478-3f88-45bf-bc0e-c4ff1adc7062
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 10.1.2.5
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false

name:
  HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null
Signatures 7

Persistence
  • HawkEye Reborn

    Description

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • Suspicious use of WriteProcessMemory
    Payment.exe

    Reported IOCs

    description                          pid   process      target process
    PID 1092 wrote to memory of 304      1092  Payment.exe  schtasks.exe
    PID 1092 wrote to memory of 304      1092  Payment.exe  schtasks.exe
    PID 1092 wrote to memory of 304      1092  Payment.exe  schtasks.exe
    PID 1092 wrote to memory of 304      1092  Payment.exe  schtasks.exe
    PID 1092 wrote to memory of 1040     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1040     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1040     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1040     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1044     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1044     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1044     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1044     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1528     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1528     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1528     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1528     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1524     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1524     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1524     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1524     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1524     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1524     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1524     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1524     1092  Payment.exe  Payment.exe
    PID 1092 wrote to memory of 1524     1092  Payment.exe  Payment.exe
  • Suspicious use of AdjustPrivilegeToken
    Payment.exe, Payment.exe

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   1092  Payment.exe
    Token: SeDebugPrivilege   1524  Payment.exe
  • Suspicious behavior: EnumeratesProcesses
    Payment.exe, Payment.exe

    Reported IOCs

    pid   process
    1092  Payment.exe
    1092  Payment.exe
    1092  Payment.exe
    1524  Payment.exe
    1524  Payment.exe
  • Suspicious use of SetThreadContext
    Payment.exe

    Reported IOCs

    description                           pid   process      target process
    PID 1092 set thread context of 1524   1092  Payment.exe  Payment.exe
  • Suspicious use of SetWindowsHookEx
    Payment.exe

    Reported IOCs

    pid   process
    1524  Payment.exe
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid   process
    304   schtasks.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
    Suspicious use of WriteProcessMemory
    Suspicious use of AdjustPrivilegeToken
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of SetThreadContext
    PID:1092
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OSosKfLALDaxiH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE0FB.tmp"
      Creates scheduled task(s)
      PID:304
    • C:\Users\Admin\AppData\Local\Temp\Payment.exe
      "{path}"
      PID:1040
    • C:\Users\Admin\AppData\Local\Temp\Payment.exe
      "{path}"
      PID:1044
    • C:\Users\Admin\AppData\Local\Temp\Payment.exe
      "{path}"
      PID:1528
    • C:\Users\Admin\AppData\Local\Temp\Payment.exe
      "{path}"
      Suspicious use of AdjustPrivilegeToken
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1524
Network
MITRE ATT&CK Matrix
  Collection
  Command and Control
  Credential Access
  Defense Evasion
  Discovery
  Execution
  Exfiltration
  Impact
  Initial Access
  Lateral Movement
  Persistence
  Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmpE0FB.tmp
  • memory/1524-1-0x0000000000400000-0x000000000049C000-memory.dmp
  • memory/1524-2-0x0000000000400000-0x000000000049C000-memory.dmp
  • memory/1524-3-0x0000000000400000-0x000000000049C000-memory.dmp