Analysis

Max time kernel: 150s
Max time network: 152s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 09-11-2020 20:04

Static task: static1

Behavioral task: behavioral1
  Sample: zicccc.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: zicccc.exe
  Resource: win10v20201028
General

Target: zicccc.exe
Size: 676KB
MD5: ed0bde32aec725b166afb3510ebc730c
SHA1: 6a530b42aa9948620c08e41f4ecc95e5f97844e0
SHA256: f2dc1174c060668495a3835ca8af6c2c49c8539163c6913dce2f34b5f7e987c1
SHA512: 27132f088cab367ffdc1f665bae4fdfc420a2583602a7c0f569549d21a5bb4abee55a03af5c4809f29a275d73e77a1d0f7d3007f82029fcaee607e2d0d114fff
Malware Config

Extracted

Family: hawkeye_reborn
Version: 10.1.2.5
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: [email protected]
Password: @Mexico3,.
Mutex: 156377e6-d566-42fd-9fad-3b7b01cb6f5b

fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: false
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: @Mexico3,.
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: mail.privateemail.com
  _EmailUsername: [email protected]
  _EmptyClipboard: false
  _EmptyKeyStroke: false
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _LoopPasswordStealer: true
  _MeltFile: false
  _Mutex: 156377e6-d566-42fd-9fad-3b7b01cb6f5b
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 10.1.2.5
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false

name: HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

M00nD3v Logger Payload (4 IoCs)
Detects M00nD3v Logger payload in memory.
Processes:
  Resource                                                                    YARA rule
  behavioral1/memory/1752-2-0x0000000000400000-0x000000000049C000-memory.dmp  m00nd3v_logger
  behavioral1/memory/1752-5-0x0000000000400000-0x000000000049C000-memory.dmp  m00nd3v_logger
  behavioral1/memory/1752-4-0x0000000000400000-0x000000000049C000-memory.dmp  m00nd3v_logger
  behavioral1/memory/1752-3-0x0000000000497C3E-mapping.dmp                    m00nd3v_logger

Suspicious use of SetThreadContext (1 IoC)
Processes:
  Description                          PID   Process     Target process
  PID 1916 set thread context of 1752  1916  zicccc.exe  MSBuild.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID   Process
  1752  MSBuild.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  Description                        PID   Process     Target process
  PID 1916 wrote to memory of 316    1916  zicccc.exe  schtasks.exe
  PID 1916 wrote to memory of 316    1916  zicccc.exe  schtasks.exe
  PID 1916 wrote to memory of 316    1916  zicccc.exe  schtasks.exe
  PID 1916 wrote to memory of 316    1916  zicccc.exe  schtasks.exe
  PID 1916 wrote to memory of 1752   1916  zicccc.exe  MSBuild.exe
  PID 1916 wrote to memory of 1752   1916  zicccc.exe  MSBuild.exe
  PID 1916 wrote to memory of 1752   1916  zicccc.exe  MSBuild.exe
  PID 1916 wrote to memory of 1752   1916  zicccc.exe  MSBuild.exe
  PID 1916 wrote to memory of 1752   1916  zicccc.exe  MSBuild.exe
  PID 1916 wrote to memory of 1752   1916  zicccc.exe  MSBuild.exe
  PID 1916 wrote to memory of 1752   1916  zicccc.exe  MSBuild.exe
  PID 1916 wrote to memory of 1752   1916  zicccc.exe  MSBuild.exe
  PID 1916 wrote to memory of 1752   1916  zicccc.exe  MSBuild.exe
Processes

C:\Users\Admin\AppData\Local\Temp\zicccc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\zicccc.exe"
  PID: 1916
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JFNkwuovkAO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBD0.tmp"
    PID: 316
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "{path}"
    PID: 1752
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 43b585327f7ce0975b95da60c4981dba
SHA1: f5bf79e9061e0daf3001fcce87a2c5ff6853ec4c
SHA256: 4e840ff9482ba02f96f397f2f257d9a2de6acab18051d4fa3d9eb4daea4e6c15
SHA512: 60ae54785e72b8c7e5e6ae0c7dd463b6fe8f8296d871abf5e7341f8d09608bb262da3592167ec5ac7db9209c017c1e14ad0b7c4faa09b4258b96314c5b608b8b