Analysis
- max time kernel: 21s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:04
Static task: static1
Behavioral task: behavioral1
- Sample: zicccc.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: zicccc.exe
- Resource: win10v20201028
General
- Target: zicccc.exe
- Size: 676KB
- MD5: ed0bde32aec725b166afb3510ebc730c
- SHA1: 6a530b42aa9948620c08e41f4ecc95e5f97844e0
- SHA256: f2dc1174c060668495a3835ca8af6c2c49c8539163c6913dce2f34b5f7e987c1
- SHA512: 27132f088cab367ffdc1f665bae4fdfc420a2583602a7c0f569549d21a5bb4abee55a03af5c4809f29a275d73e77a1d0f7d3007f82029fcaee607e2d0d114fff
Malware Config
Extracted
- family: hawkeye_reborn
- version: 10.1.2.5
- exfiltration credentials:
  - Protocol: smtp
  - Host: mail.privateemail.com
  - Port: 587
  - Username: [email protected]
  - Password: @Mexico3,.
- mutex: 156377e6-d566-42fd-9fad-3b7b01cb6f5b
- fields:
  - _AntiDebugger: false
  - _AntiVirusKiller: false
  - _BotKiller: false
  - _ClipboardLogger: false
  - _Delivery: 0
  - _DisableCommandPrompt: false
  - _DisableRegEdit: false
  - _DisableTaskManager: false
  - _Disablers: false
  - _EmailPassword: @Mexico3,.
  - _EmailPort: 587
  - _EmailSSL: true
  - _EmailServer: mail.privateemail.com
  - _EmailUsername: [email protected]
  - _EmptyClipboard: false
  - _EmptyKeyStroke: false
  - _ExecutionDelay: 10
  - _FTPPort: 0
  - _FTPSFTP: false
  - _FakeMessageIcon: 0
  - _FakeMessageShow: false
  - _FileBinder: false
  - _HideFile: false
  - _HistoryCleaner: false
  - _Install: false
  - _InstallLocation: 0
  - _InstallStartup: false
  - _InstallStartupPersistance: false
  - _KeyStrokeLogger: true
  - _LogInterval: 10
  - _LoopPasswordStealer: true
  - _MeltFile: false
  - _Mutex: 156377e6-d566-42fd-9fad-3b7b01cb6f5b
  - _PasswordStealer: true
  - _ProcessElevation: false
  - _ProcessProtection: false
  - _ScreenshotLogger: false
  - _SystemInfo: false
  - _Version: 10.1.2.5
  - _WebCamLogger: false
  - _WebsiteBlocker: false
  - _WebsiteVisitor: false
  - _WebsiteVisitorVisible: false
  - _ZoneID: false
- name: HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- M00nD3v Logger Payload (2 IoCs)
  Detects M00nD3v Logger payload in memory.
  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/200-2-0x0000000000400000-0x000000000049C000-memory.dmp  m00nd3v_logger
    behavioral2/memory/200-3-0x0000000000497C3E-mapping.dmp                    m00nd3v_logger
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         pid   process     target process
    PID 2604 set thread context of 200  2604  zicccc.exe  MSBuild.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2604  zicccc.exe
    2604  zicccc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2604  zicccc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid  process
    200  MSBuild.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                       pid   process     target process
    PID 2604 wrote to memory of 3552  2604  zicccc.exe  schtasks.exe
    PID 2604 wrote to memory of 3552  2604  zicccc.exe  schtasks.exe
    PID 2604 wrote to memory of 3552  2604  zicccc.exe  schtasks.exe
    PID 2604 wrote to memory of 196   2604  zicccc.exe  MSBuild.exe
    PID 2604 wrote to memory of 196   2604  zicccc.exe  MSBuild.exe
    PID 2604 wrote to memory of 196   2604  zicccc.exe  MSBuild.exe
    PID 2604 wrote to memory of 200   2604  zicccc.exe  MSBuild.exe
    PID 2604 wrote to memory of 200   2604  zicccc.exe  MSBuild.exe
    PID 2604 wrote to memory of 200   2604  zicccc.exe  MSBuild.exe
    PID 2604 wrote to memory of 200   2604  zicccc.exe  MSBuild.exe
    PID 2604 wrote to memory of 200   2604  zicccc.exe  MSBuild.exe
    PID 2604 wrote to memory of 200   2604  zicccc.exe  MSBuild.exe
    PID 2604 wrote to memory of 200   2604  zicccc.exe  MSBuild.exe
    PID 2604 wrote to memory of 200   2604  zicccc.exe  MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\zicccc.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\zicccc.exe"
  PID: 2604
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JFNkwuovkAO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp51FE.tmp"
    PID: 3552
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (depth 2)
    Command line: "{path}"
    PID: 196
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (depth 2)
    Command line: "{path}"
    PID: 200
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a132397472cf37c9496cc3dc9ff67b37
- SHA1: 096bd6a4d1f1d81ce7dea12f2fc726f7a758070c
- SHA256: acbd925b163a9f21f2852329a2cb97c8ca6053c29461df7ec4ead8ac24513b56
- SHA512: 4af5ce7587556bc23cb1c8b59cee735164ff8e2b41bbb29b2fba1041d8e8993fbb6adae89fa8ac2196aa2deb903fa114010ccba93a56b19b80d72b5db1ea8910