Analysis
-
max time kernel
127s -
max time network
144s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 20:06
Static task
static1
Behavioral task
behavioral1
Sample
Payment.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Payment.exe
Resource
win10v20201028
General
-
Target
Payment.exe
-
Size
632KB
-
MD5
93754785d90a7266752db82c7ae5c409
-
SHA1
1e364df2ed6e173aea29267dcbe35b9ecd035c00
-
SHA256
18b880e3b13ed9f47ecbb88ffe91ad90f54e8f98fc2813d4d85ec11fe64f6811
-
SHA512
5fbda59fd92866d1c66261af12c3b3d417857e2ad3472b31be8cc09dd224a38f7546e41d0ce92349e66812a24dd60b11cf2116d834baeea79aae4d23899c7ca0
Malware Config
Extracted
hawkeye_reborn
10.1.2.5
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
cjmyguy@yandex.com - Password:
@@Io419090@@
9d7a8478-3f88-45bf-bc0e-c4ff1adc7062
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:@@Io419090@@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:cjmyguy@yandex.com _EmptyClipboard:true _EmptyKeyStroke:true _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _LoopPasswordStealer:true _MeltFile:false _Mutex:9d7a8478-3f88-45bf-bc0e-c4ff1adc7062 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 2 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral2/memory/2872-2-0x0000000000400000-0x000000000049C000-memory.dmp m00nd3v_logger behavioral2/memory/2872-3-0x0000000000497C3E-mapping.dmp m00nd3v_logger -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Payment.exedescription pid process target process PID 504 set thread context of 2872 504 Payment.exe Payment.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Payment.exePayment.exepid process 504 Payment.exe 504 Payment.exe 2872 Payment.exe 2872 Payment.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Payment.exePayment.exedescription pid process Token: SeDebugPrivilege 504 Payment.exe Token: SeDebugPrivilege 2872 Payment.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Payment.exepid process 2872 Payment.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
Payment.exedescription pid process target process PID 504 wrote to memory of 3064 504 Payment.exe schtasks.exe PID 504 wrote to memory of 3064 504 Payment.exe schtasks.exe PID 504 wrote to memory of 3064 504 Payment.exe schtasks.exe PID 504 wrote to memory of 2864 504 Payment.exe Payment.exe PID 504 wrote to memory of 2864 504 Payment.exe Payment.exe PID 504 wrote to memory of 2864 504 Payment.exe Payment.exe PID 504 wrote to memory of 2872 504 Payment.exe Payment.exe PID 504 wrote to memory of 2872 504 Payment.exe Payment.exe PID 504 wrote to memory of 2872 504 Payment.exe Payment.exe PID 504 wrote to memory of 2872 504 Payment.exe Payment.exe PID 504 wrote to memory of 2872 504 Payment.exe Payment.exe PID 504 wrote to memory of 2872 504 Payment.exe Payment.exe PID 504 wrote to memory of 2872 504 Payment.exe Payment.exe PID 504 wrote to memory of 2872 504 Payment.exe Payment.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment.exe"C:\Users\Admin\AppData\Local\Temp\Payment.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OSosKfLALDaxiH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FD9.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Payment.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Payment.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment.exe.logMD5
ef140ef600b2463c9e7dbf064a104046
SHA1c08fd1853877be95575ea2e860dd8cafef31f54c
SHA256ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
SHA512bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c
-
C:\Users\Admin\AppData\Local\Temp\tmp5FD9.tmpMD5
0e9a16dc1df54986f6d9d6793dfdb47d
SHA1257b280c362592a1b98be8a501db5bf11a3ecbeb
SHA2569a73af7c0d4c4f2256ca241157c27192c178f01ab07aa43d35f3622a4a640177
SHA512b7bdc3acc137c3877e38908d9127a5ff444ee38501e972f3e1d20c89b7045beadd246413ec8351ec785ae728f17757382563492a9c946ba2630ee374fc2fa680
-
memory/2872-2-0x0000000000400000-0x000000000049C000-memory.dmpFilesize
624KB
-
memory/2872-3-0x0000000000497C3E-mapping.dmp
-
memory/3064-0-0x0000000000000000-mapping.dmp