Analysis
-
max time kernel
123s -
max time network
126s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:39
Static task
static1
Behavioral task
behavioral1
Sample
gcwcIK24cmMMrKp.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
gcwcIK24cmMMrKp.exe
Resource
win10v20201028
General
-
Target
gcwcIK24cmMMrKp.exe
-
Size
657KB
-
MD5
5c4125a0b7d787aac1a6d9b2aa8518cd
-
SHA1
f92095669a1e2a79001ffb3421adb15f66ded900
-
SHA256
4c4f52f4aa156ce2e1cc255402ef7d05f86b84e415d89368a506e7135e127f96
-
SHA512
73cdd743356466dacdb839b69f4bf76daeb07d64fb6b008d185a7e32fac95161b454dd55f6e7b243d867e28ba971294e10d6ad65d11bdc4f9ff0f437d276488a
Malware Config
Extracted
hawkeye_reborn
10.1.2.2
Protocol: smtp- Host:
mail.3enaluminyum.com.tr - Port:
587 - Username:
[email protected] - Password:
3En13579?
d463e1c9-617b-4c78-b4cf-1a59587f6bdf
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:3En13579? _EmailPort:587 _EmailSSL:true _EmailServer:mail.3enaluminyum.com.tr _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:d463e1c9-617b-4c78-b4cf-1a59587f6bdf _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 2 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral2/memory/2252-2-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral2/memory/2252-3-0x000000000048A1DE-mapping.dmp m00nd3v_logger -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 25 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
gcwcIK24cmMMrKp.exedescription pid process target process PID 1056 set thread context of 2252 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
gcwcIK24cmMMrKp.exegcwcIK24cmMMrKp.exepid process 1056 gcwcIK24cmMMrKp.exe 1056 gcwcIK24cmMMrKp.exe 1056 gcwcIK24cmMMrKp.exe 1056 gcwcIK24cmMMrKp.exe 1056 gcwcIK24cmMMrKp.exe 1056 gcwcIK24cmMMrKp.exe 2252 gcwcIK24cmMMrKp.exe 2252 gcwcIK24cmMMrKp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
gcwcIK24cmMMrKp.exegcwcIK24cmMMrKp.exedescription pid process Token: SeDebugPrivilege 1056 gcwcIK24cmMMrKp.exe Token: SeDebugPrivilege 2252 gcwcIK24cmMMrKp.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
gcwcIK24cmMMrKp.exepid process 2252 gcwcIK24cmMMrKp.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
gcwcIK24cmMMrKp.exedescription pid process target process PID 1056 wrote to memory of 496 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe PID 1056 wrote to memory of 496 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe PID 1056 wrote to memory of 496 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe PID 1056 wrote to memory of 2252 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe PID 1056 wrote to memory of 2252 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe PID 1056 wrote to memory of 2252 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe PID 1056 wrote to memory of 2252 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe PID 1056 wrote to memory of 2252 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe PID 1056 wrote to memory of 2252 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe PID 1056 wrote to memory of 2252 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe PID 1056 wrote to memory of 2252 1056 gcwcIK24cmMMrKp.exe gcwcIK24cmMMrKp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\gcwcIK24cmMMrKp.exe"C:\Users\Admin\AppData\Local\Temp\gcwcIK24cmMMrKp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\gcwcIK24cmMMrKp.exe"{path}"2⤵PID:496
-
C:\Users\Admin\AppData\Local\Temp\gcwcIK24cmMMrKp.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2252
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
2ce1b56364fa233e3c3b24c1094c08ef
SHA16bd332829aebe567d7b2cb1fd9a82dfe1791052f
SHA256dcf175d01a6de724456eebafad26562a1c6c59bb61ed4a40675e80b7dbc5680e
SHA5125abf87138689fdc6f8f79c130c3511c863bac1fb0acc60525bc660c532276e3e0037134a9653e0b4f9a77142236cc18144e90bb40ace7271d6eb57fcf438bfe9