Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 17-05-2021 23:39

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: 32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe
  Resource: win10v20210410
General
- Target: 32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe
- Size: 1.8MB
- MD5: c6468800747b30887c14b60ef6e35b00
- SHA1: cc97aec282229304fea6584e390680b06764d1be
- SHA256: 32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3
- SHA512: f0011ba7c137b790a392b8f7f96083b9a37be3f209a624e5adeca881b74f7e94529a5ccd1372689885a1f5b24087404b5437ab59ad202c9ad9a6a94134786818
Malware Config

Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: m.4god@yandex.com
- Password: 999999xxxsss011x1

Extracted (hawkeye_reborn)
- Version: 10.0.0.0
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: m.4god@yandex.com
- Password: 999999xxxsss011x1
- Mutex: 7746d59a-cdb6-4fca-b062-03679472a6d5
- name: HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null
- fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: 999999xxxsss011x1
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: smtp.yandex.com
  _EmailUsername: m.4god@yandex.com
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 1
  _MeltFile: false
  _Mutex: 7746d59a-cdb6-4fca-b062-03679472a6d5
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: true
  _SystemInfo: true
  _Version: 10.0.0.0
  _WebCamLogger: true
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

NirSoft MailPassView (4 IoCs)
Password recovery tool for various email clients
Processes (yara_rule MailPassView matched in resource):
- behavioral1/memory/1596-74-0x000000000C140000-0x000000000C1B2000-memory.dmp
- behavioral1/memory/1812-83-0x000000000041211A-mapping.dmp
- behavioral1/memory/1812-82-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral1/memory/1812-85-0x0000000000400000-0x000000000041C000-memory.dmp

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers
Processes (yara_rule WebBrowserPassView matched in resource):
- behavioral1/memory/1596-74-0x000000000C140000-0x000000000C1B2000-memory.dmp
- behavioral1/memory/1448-77-0x0000000000400000-0x000000000045C000-memory.dmp
- behavioral1/memory/1448-78-0x0000000000444D30-mapping.dmp
- behavioral1/memory/1448-80-0x0000000000400000-0x000000000045C000-memory.dmp

Nirsoft (7 IoCs)
Processes (yara_rule Nirsoft matched in resource):
- behavioral1/memory/1596-74-0x000000000C140000-0x000000000C1B2000-memory.dmp
- behavioral1/memory/1448-77-0x0000000000400000-0x000000000045C000-memory.dmp
- behavioral1/memory/1448-78-0x0000000000444D30-mapping.dmp
- behavioral1/memory/1448-80-0x0000000000400000-0x000000000045C000-memory.dmp
- behavioral1/memory/1812-83-0x000000000041211A-mapping.dmp
- behavioral1/memory/1812-82-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral1/memory/1812-85-0x0000000000400000-0x000000000041C000-memory.dmp
Executes dropped EXE (1 IoC)
Processes (pid / process):
- 2036 scij.pif

Loads dropped DLL (4 IoCs)
Processes (pid / process):
- 1688 32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe (listed 4 times)

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (scij.pif)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\file.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\93588517\\scij.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\93588517\\ghlfreqf.ehp" (scij.pif)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- flow 6: bot.whatismyipaddress.com

Suspicious use of SetThreadContext (3 IoCs)
Processes (description / pid / process / target process):
- PID 2036 set thread context of 1596: scij.pif -> RegSvcs.exe
- PID 1596 set thread context of 1448: RegSvcs.exe -> vbc.exe
- PID 1596 set thread context of 1812: RegSvcs.exe -> vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process), 64 entries in total:
- 2036 scij.pif (all entries other than those below)
- 1596 RegSvcs.exe (4 entries)
- 1448 vbc.exe (1 entry)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 1596 RegSvcs.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Processes (description / pid / process / target process):
- PID 1688 wrote to memory of 2036: 32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe -> scij.pif (4 entries)
- PID 2036 wrote to memory of 1596: scij.pif -> RegSvcs.exe (9 entries)
- PID 1596 wrote to memory of 1448: RegSvcs.exe -> vbc.exe (10 entries)
- PID 1596 wrote to memory of 1812: RegSvcs.exe -> vbc.exe (10 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\93588517\scij.pif (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\93588517\scij.pif" ghlfreqf.ehp
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpACE.tmp"
        - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp10B8.tmp"
Downloads
- C:\Users\Admin\AppData\Local\Temp\93588517\fikksefcdl.exe
  MD5: 29fcab94b5152bb7d0d1b1191dfe8a2b
  SHA1: 6fab2738171c27e2f4560775ec7123efe47576eb
  SHA256: 2df3e50555a1cd253f94e4d65e7b2d1ed03ec5af3b7f88c24680a29f05e556de
  SHA512: eee797ca1630c4a95757e0b058f2116b7a220b53de337a720f7abd5f55a6e006509d5c5c5d80c1515f12277cad88996681c3d7a57a1734a67bdb38ef199ba9fd
- C:\Users\Admin\AppData\Local\Temp\93588517\ghlfreqf.ehp
  MD5: f21553b2bfc628652785c6b5d3da38b9
  SHA1: 7f4971ca10ad7eeb83d1b58a427e5c28ca650a76
  SHA256: a15029c4c6ea6f60520c26fac8203fa51c213b19d2d0443c7876db71ab4381e6
  SHA512: f9c7611d941d0eebc10eedac391071bfbecc3f054795ac5473b13d2328bb2119e95df45b8007e1bd2f70cc21cad24692b50fca88241886a4973a9866f5c273a4
- C:\Users\Admin\AppData\Local\Temp\93588517\scij.pif
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
- C:\Users\Admin\AppData\Local\Temp\tmpACE.tmp
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- \Users\Admin\AppData\Local\Temp\93588517\scij.pif
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
- memory/1448-77-0x0000000000400000-0x000000000045C000-memory.dmp (Filesize: 368KB)
- memory/1448-80-0x0000000000400000-0x000000000045C000-memory.dmp (Filesize: 368KB)
- memory/1448-78-0x0000000000444D30-mapping.dmp
- memory/1596-70-0x0000000000B20000-0x00000000085D2000-memory.dmp (Filesize: 122.7MB)
- memory/1596-74-0x000000000C140000-0x000000000C1B2000-memory.dmp (Filesize: 456KB)
- memory/1596-75-0x000000000C0A0000-0x000000000C0A1000-memory.dmp (Filesize: 4KB)
- memory/1596-76-0x000000000C0A5000-0x000000000C0B6000-memory.dmp (Filesize: 68KB)
- memory/1596-72-0x0000000000B20000-0x00000000085D2000-memory.dmp (Filesize: 122.7MB)
- memory/1596-71-0x0000000000BAB2BE-mapping.dmp
- memory/1688-60-0x0000000075011000-0x0000000075013000-memory.dmp (Filesize: 8KB)
- memory/1812-83-0x000000000041211A-mapping.dmp
- memory/1812-82-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1812-85-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/2036-65-0x0000000000000000-mapping.dmp