Analysis
- max time kernel: 342s
- max time network: 385s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 22-11-2020 06:28
Tasks
- Static task: static1
- Behavioral tasks (all run on resource win10v20201028):
  - behavioral1: bootstrap.min.js
  - behavioral2: cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7.exe
  - behavioral3: ch/index.html
  - behavioral4: ch/jquery-1.js
  - behavioral5: ch/retreaver.js
  - behavioral6: chrome-assests/a.html
  - behavioral7: chrome-assests/ie10-viewport-bug-workaround.html
  - behavioral8: chrome-assests/iframe.js
  - behavioral9: chrome-assests/img-1.svg.xml
  - behavioral10: chrome-assests/img-11.svg.xml
  - behavioral11: chrome-assests/img-12.svg.xml
  - behavioral12: chrome-assests/img-2.svg.xml
  - behavioral13: chrome-assests/img-3.svg.xml
  - behavioral14: chrome-assests/img-4.svg.xml
  - behavioral15: hyundai steel-pipe- job 8010(1).exe
  - behavioral16: hyundai steel-pipe- job 8010.exe
  - behavioral17: ie.svg.xml
  - behavioral18: index(1).html
  - behavioral19: index(10).html
  - behavioral20: index(11).html
  - behavioral21: index(2).html
  - behavioral22: index(3).html
  - behavioral23: index(4).html
  - behavioral24: index(5).html
  - behavioral25: index(6).html
  - behavioral26: index(7).html
  - behavioral27: index(8).html
  - behavioral28: index(9).html
  - behavioral29: index.html
  - behavioral30: index2.html
  - behavioral31: infected dot net installer.exe
  - behavioral32: inps_979.xls
General
- Target: hyundai steel-pipe- job 8010.exe
- Size: 721KB
- MD5: 0999a03694a1c97a43ac0de89cbf355e
- SHA1: 0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d
- SHA256: 8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b
- SHA512: 6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 10.1.2.2
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: mor440ney@yandex.com
- Password: castor123@
- Mutex: 245f77ec-c812-48df-870b-886d22992db6
- Fields:
  - _AntiDebugger: false
  - _AntiVirusKiller: false
  - _BotKiller: false
  - _ClipboardLogger: true
  - _Delivery: 0
  - _DisableCommandPrompt: false
  - _DisableRegEdit: false
  - _DisableTaskManager: false
  - _Disablers: false
  - _EmailPassword: castor123@
  - _EmailPort: 587
  - _EmailSSL: true
  - _EmailServer: smtp.yandex.com
  - _EmailUsername: mor440ney@yandex.com
  - _ExecutionDelay: 10
  - _FTPPort: 0
  - _FTPSFTP: false
  - _FakeMessageIcon: 0
  - _FakeMessageShow: false
  - _FileBinder: false
  - _HideFile: false
  - _HistoryCleaner: false
  - _Install: false
  - _InstallLocation: 0
  - _InstallStartup: false
  - _InstallStartupPersistance: false
  - _KeyStrokeLogger: true
  - _LogInterval: 10
  - _MeltFile: false
  - _Mutex: 245f77ec-c812-48df-870b-886d22992db6
  - _PasswordStealer: true
  - _ProcessElevation: false
  - _ProcessProtection: false
  - _ScreenshotLogger: false
  - _SystemInfo: false
  - _Version: 10.1.2.2
  - _WebCamLogger: false
  - _WebsiteBlocker: false
  - _WebsiteVisitor: false
  - _WebsiteVisitorVisible: false
  - _ZoneID: false
- Name: HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- M00nD3v Logger Payload (2 IoCs)
  Detects M00nD3v Logger payload in memory.
  Resources (resource / yara rule):
  - behavioral16/memory/2656-0-0x0000000000400000-0x0000000000490000-memory.dmp / m00nd3v_logger
  - behavioral16/memory/2656-1-0x000000000048A1DE-mapping.dmp / m00nd3v_logger
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows (flow / ioc):
  - 18 / bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 3996 set thread context of 2656 / 3996 / hyundai steel-pipe- job 8010.exe / hyundai steel-pipe- job 8010.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process), 2 events:
  - 2656 / hyundai steel-pipe- job 8010.exe
  - 2656 / hyundai steel-pipe- job 8010.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 2656 / hyundai steel-pipe- job 8010.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  - 2656 / hyundai steel-pipe- job 8010.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process), 8 identical events:
  - PID 3996 wrote to memory of 2656 / 3996 / hyundai steel-pipe- job 8010.exe / hyundai steel-pipe- job 8010.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hyundai steel-pipe- job 8010.exe.log
  MD5: e5ada129ae553b760891d0d6ba3dbc88
  SHA1: cc80f0f1a950eaf22f51d25eab57f0fc15636744
  SHA256: 665987eb14260f3f169d78022638a2efd7ba4f2a4749a84f90801d8ec259842c
  SHA512: f36864fbb7d9b074fa9cd25ca16bbd137f0b78735bdb24062924e2675b1b1e89a98b0f5f7fa2aee4f3e72932464af4a2933b767b947b39a4ef9e2e1e66824a11
- memory/2656-0-0x0000000000400000-0x0000000000490000-memory.dmp
  Filesize: 576KB
- memory/2656-1-0x000000000048A1DE-mapping.dmp