Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 17-05-2021 23:39
- Static task: static1
- Behavioral task: behavioral1 (sample 32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe, resource win7v20210410)
- Behavioral task: behavioral2 (sample 32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe, resource win10v20210410)
General
- Target: 32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe
- Size: 1.8MB
- MD5: c6468800747b30887c14b60ef6e35b00
- SHA1: cc97aec282229304fea6584e390680b06764d1be
- SHA256: 32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3
- SHA512: f0011ba7c137b790a392b8f7f96083b9a37be3f209a624e5adeca881b74f7e94529a5ccd1372689885a1f5b24087404b5437ab59ad202c9ad9a6a94134786818
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 10.0.0.0
- Exfiltration: Protocol: smtp - Host: smtp.yandex.com - Port: 587 - Username: m.4god@yandex.com - Password: 999999xxxsss011x1
- Mutex: 7746d59a-cdb6-4fca-b062-03679472a6d5
- name: HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

fields
- _AntiDebugger: false
- _AntiVirusKiller: false
- _BotKiller: false
- _ClipboardLogger: true
- _Delivery: 0
- _DisableCommandPrompt: false
- _DisableRegEdit: false
- _DisableTaskManager: false
- _Disablers: false
- _EmailPassword: 999999xxxsss011x1
- _EmailPort: 587
- _EmailSSL: true
- _EmailServer: smtp.yandex.com
- _EmailUsername: m.4god@yandex.com
- _ExecutionDelay: 10
- _FTPPort: 0
- _FTPSFTP: false
- _FakeMessageIcon: 0
- _FakeMessageShow: false
- _FileBinder: false
- _HideFile: false
- _HistoryCleaner: false
- _Install: false
- _InstallLocation: 0
- _InstallStartup: false
- _InstallStartupPersistance: false
- _KeyStrokeLogger: true
- _LogInterval: 1
- _MeltFile: false
- _Mutex: 7746d59a-cdb6-4fca-b062-03679472a6d5
- _PasswordStealer: true
- _ProcessElevation: false
- _ProcessProtection: false
- _ScreenshotLogger: true
- _SystemInfo: true
- _Version: 10.0.0.0
- _WebCamLogger: true
- _WebsiteBlocker: false
- _WebsiteVisitor: false
- _WebsiteVisitorVisible: false
- _ZoneID: false
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

NirSoft MailPassView (4 IoCs)
Password recovery tool for various email clients
YARA rule MailPassView matched in:
- behavioral2/memory/3396-123-0x00000000108B0000-0x0000000010922000-memory.dmp
- behavioral2/memory/3224-133-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral2/memory/3224-134-0x000000000041211A-mapping.dmp
- behavioral2/memory/3224-135-0x0000000000400000-0x000000000041C000-memory.dmp

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers
YARA rule WebBrowserPassView matched in:
- behavioral2/memory/3396-123-0x00000000108B0000-0x0000000010922000-memory.dmp
- behavioral2/memory/1312-129-0x0000000000400000-0x000000000045C000-memory.dmp
- behavioral2/memory/1312-130-0x0000000000444D30-mapping.dmp
- behavioral2/memory/1312-131-0x0000000000400000-0x000000000045C000-memory.dmp

Nirsoft (7 IoCs)
YARA rule Nirsoft matched in:
- behavioral2/memory/3396-123-0x00000000108B0000-0x0000000010922000-memory.dmp
- behavioral2/memory/1312-129-0x0000000000400000-0x000000000045C000-memory.dmp
- behavioral2/memory/1312-130-0x0000000000444D30-mapping.dmp
- behavioral2/memory/1312-131-0x0000000000400000-0x000000000045C000-memory.dmp
- behavioral2/memory/3224-133-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral2/memory/3224-134-0x000000000041211A-mapping.dmp
- behavioral2/memory/3224-135-0x0000000000400000-0x000000000041C000-memory.dmp

Executes dropped EXE (1 IoC)
- PID 2172, process scij.pif

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created by scij.pif: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str) by scij.pif: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\file.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\93588517\\scij.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\93588517\\ghlfreqf.ehp"

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 24: bot.whatismyipaddress.com

Suspicious use of SetThreadContext (3 IoCs)
- PID 2172 (scij.pif) set thread context of PID 3396 (RegSvcs.exe)
- PID 3396 (RegSvcs.exe) set thread context of PID 1312 (vbc.exe)
- PID 3396 (RegSvcs.exe) set thread context of PID 3224 (vbc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Repeated entries for PID 2172 (scij.pif) and PID 3396 (RegSvcs.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 3396 (RegSvcs.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3396 (RegSvcs.exe)

Suspicious use of WriteProcessMemory (26 IoCs)
- PID 1016 (32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe) wrote to memory of PID 2172 (scij.pif): 3 entries
- PID 2172 (scij.pif) wrote to memory of PID 3396 (RegSvcs.exe): 5 entries
- PID 3396 (RegSvcs.exe) wrote to memory of PID 1312 (vbc.exe): 9 entries
- PID 3396 (RegSvcs.exe) wrote to memory of PID 3224 (vbc.exe): 9 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\32593ef599aa1bdbaa2f535d7c39d9ccff81fdcd11623b645c3788bd29e4bce3.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\93588517\scij.pif
    Command line: "C:\Users\Admin\AppData\Local\Temp\93588517\scij.pif" ghlfreqf.ehp
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC5E6.tmp"
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD6B0.tmp"
Downloads
- C:\Users\Admin\AppData\Local\Temp\93588517\fikksefcdl.exe
  MD5: 29fcab94b5152bb7d0d1b1191dfe8a2b
  SHA1: 6fab2738171c27e2f4560775ec7123efe47576eb
  SHA256: 2df3e50555a1cd253f94e4d65e7b2d1ed03ec5af3b7f88c24680a29f05e556de
  SHA512: eee797ca1630c4a95757e0b058f2116b7a220b53de337a720f7abd5f55a6e006509d5c5c5d80c1515f12277cad88996681c3d7a57a1734a67bdb38ef199ba9fd
- C:\Users\Admin\AppData\Local\Temp\93588517\ghlfreqf.ehp
  MD5: f21553b2bfc628652785c6b5d3da38b9
  SHA1: 7f4971ca10ad7eeb83d1b58a427e5c28ca650a76
  SHA256: a15029c4c6ea6f60520c26fac8203fa51c213b19d2d0443c7876db71ab4381e6
  SHA512: f9c7611d941d0eebc10eedac391071bfbecc3f054795ac5473b13d2328bb2119e95df45b8007e1bd2f70cc21cad24692b50fca88241886a4973a9866f5c273a4
- C:\Users\Admin\AppData\Local\Temp\93588517\scij.pif
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
- C:\Users\Admin\AppData\Local\Temp\tmpC5E6.tmp
  MD5: 93d9547e2f6b166ddc13b0f852378d78
  SHA1: 9c252ab52886c3e59e832b316bade26fe3473c74
  SHA256: 0e2229e3ecc706a74a1048c7e395644542a880183d9f6809260410d618dbed1d
  SHA512: 81711df6173b9020a004eabd398e4c1f0c092c42ab6888db122dfe2e582c04826025972f06867d207de7f4cb4d15d57afa219aebcbb9c966961696dca93d3298
Memory dumps
- memory/1312-129-0x0000000000400000-0x000000000045C000-memory.dmp (Filesize: 368KB)
- memory/1312-131-0x0000000000400000-0x000000000045C000-memory.dmp (Filesize: 368KB)
- memory/1312-130-0x0000000000444D30-mapping.dmp
- memory/2172-114-0x0000000000000000-mapping.dmp
- memory/3224-135-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/3224-134-0x000000000041211A-mapping.dmp
- memory/3224-133-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/3396-119-0x0000000000700000-0x000000000C30A000-memory.dmp (Filesize: 188.0MB)
- memory/3396-128-0x00000000113E0000-0x00000000113E1000-memory.dmp (Filesize: 4KB)
- memory/3396-127-0x0000000010AB0000-0x0000000010AB1000-memory.dmp (Filesize: 4KB)
- memory/3396-126-0x00000000108A0000-0x00000000108A1000-memory.dmp (Filesize: 4KB)
- memory/3396-125-0x0000000015060000-0x0000000015061000-memory.dmp (Filesize: 4KB)
- memory/3396-124-0x00000000153C0000-0x00000000153C1000-memory.dmp (Filesize: 4KB)
- memory/3396-123-0x00000000108B0000-0x0000000010922000-memory.dmp (Filesize: 456KB)
- memory/3396-120-0x000000000078B2BE-mapping.dmp
- memory/3396-136-0x0000000010950000-0x0000000010951000-memory.dmp (Filesize: 4KB)