Analysis

  • max time kernel
    137s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    26-05-2020 13:17

General

  • Target

    678900.pdf.exe

  • Size

    802KB

  • MD5

    109964ff67ad854a737b1cd1902a5424

  • SHA1

    afcf13c1f3e3d4e19f20e8449302e429e10c5d7c

  • SHA256

    a5a00f206182c8e732f580b520af49f2b5a33c93676f15e8eadb5d1eba6ed497

  • SHA512

    501b5bb9825fd116882863688f72f4d1cc03e64d10c8d3706b5870f48415f6b87675e17a4548e3da2e8d820d529ba1ffc806ddd0926fd2ac67b2be46c0b5003a

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

  • Protocol:
    smtp
  • Host:
    mail.3enaluminyum.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    3eN13579?
Mutex

1278e7d4-dcd9-4a7a-8780-d6f5636aa3de

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:3eN13579? _EmailPort:587 _EmailSSL:true _EmailServer:mail.3enaluminyum.com.tr _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:1278e7d4-dcd9-4a7a-8780-d6f5636aa3de _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Signatures

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    PID:1492
    • C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of AdjustPrivilegeToken
      PID:1052
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp21B2.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1336

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp21B2.tmp

  • memory/1052-0-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/1052-1-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/1052-2-0x0000000000400000-0x00000000004AA000-memory.dmp

    Filesize

    680KB

  • memory/1336-3-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

  • memory/1336-4-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB