Analysis
max time kernel: 109s
max time network: 111s
platform: windows10_x64
resource: win10v20210410
submitted: 18-05-2021 12:25
Static task: static1
Behavioral task: behavioral1
  Sample: d76bf6c54a5ba01ef7edcaeb3811500f9896f49726eabdad461375af0dbf1699.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: d76bf6c54a5ba01ef7edcaeb3811500f9896f49726eabdad461375af0dbf1699.exe
  Resource: win10v20210410
General
Target: d76bf6c54a5ba01ef7edcaeb3811500f9896f49726eabdad461375af0dbf1699.exe
Size: 1.6MB
MD5: bcf3d1b95d9abcbd4d6ab23642fcfc81
SHA1: 5b475a9743edbf7614e766503fbffdebccb80c72
SHA256: d76bf6c54a5ba01ef7edcaeb3811500f9896f49726eabdad461375af0dbf1699
SHA512: 4e2c6322f8ca72b6a6139c9cd18127e68c0bfc8aa1434065049f2e7c3d6d368f430f141d9b07296a5693d86b75b73ebed57c3b595666f9fe52694a3561075abe
Malware Config
Extracted
Family: hawkeye_reborn
Version: 10.0.0.0
Exfiltration credentials:
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: onu66@yandex.com
  Password: h68-6gz-kaT-CKe
Mutex: 8dddd422-8c06-405f-bbe0-e01bafce5d54
fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: h68-6gz-kaT-CKe
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: smtp.yandex.com
  _EmailUsername: onu66@yandex.com
  _ExecutionDelay: 5
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 3
  _MeltFile: false
  _Mutex: 8dddd422-8c06-405f-bbe0-e01bafce5d54
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: true
  _SystemInfo: true
  _Version: 10.0.0.0
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
name: HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

NirSoft MailPassView (4 IoCs)
Password recovery tool for various email clients
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/2720-125-0x000000000E1F0000-0x000000000E262000-memory.dmp  MailPassView
  behavioral2/memory/3964-135-0x0000000000400000-0x000000000041C000-memory.dmp  MailPassView
  behavioral2/memory/3964-136-0x000000000041211A-mapping.dmp                    MailPassView
  behavioral2/memory/3964-137-0x0000000000400000-0x000000000041C000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/2720-125-0x000000000E1F0000-0x000000000E262000-memory.dmp  WebBrowserPassView
  behavioral2/memory/3732-131-0x0000000000400000-0x000000000045C000-memory.dmp  WebBrowserPassView
  behavioral2/memory/3732-132-0x0000000000444D30-mapping.dmp                    WebBrowserPassView
  behavioral2/memory/3732-133-0x0000000000400000-0x000000000045C000-memory.dmp  WebBrowserPassView

Nirsoft (7 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/2720-125-0x000000000E1F0000-0x000000000E262000-memory.dmp  Nirsoft
  behavioral2/memory/3732-131-0x0000000000400000-0x000000000045C000-memory.dmp  Nirsoft
  behavioral2/memory/3732-132-0x0000000000444D30-mapping.dmp                    Nirsoft
  behavioral2/memory/3732-133-0x0000000000400000-0x000000000045C000-memory.dmp  Nirsoft
  behavioral2/memory/3964-135-0x0000000000400000-0x000000000041C000-memory.dmp  Nirsoft
  behavioral2/memory/3964-136-0x000000000041211A-mapping.dmp                    Nirsoft
  behavioral2/memory/3964-137-0x0000000000400000-0x000000000041C000-memory.dmp  Nirsoft

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1912  vigcdruw.com
  2720  RegSvcs.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                       process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                               vigcdruw.com
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\44331869\\vigcdruw.com C:\\Users\\Admin\\AppData\\Local\\Temp\\44331869\\AUPOMP~1.OVT"  vigcdruw.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  19    bot.whatismyipaddress.com

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                         pid   process       target process
  PID 1912 set thread context of 2720  1912  vigcdruw.com  RegSvcs.exe
  PID 2720 set thread context of 3732  2720  RegSvcs.exe   vbc.exe
  PID 2720 set thread context of 3964  2720  RegSvcs.exe   vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  pid   process
  2720  RegSvcs.exe  (6 entries)
  3732  vbc.exe      (4 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2720  RegSvcs.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  2720  RegSvcs.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
  description                        pid   process                                                                   target process  entries
  PID 3540 wrote to memory of 1912   3540  d76bf6c54a5ba01ef7edcaeb3811500f9896f49726eabdad461375af0dbf1699.exe  vigcdruw.com    3
  PID 1912 wrote to memory of 2720   1912  vigcdruw.com                                                              RegSvcs.exe     5
  PID 2720 wrote to memory of 3732   2720  RegSvcs.exe                                                               vbc.exe         9
  PID 2720 wrote to memory of 3964   2720  RegSvcs.exe                                                               vbc.exe         9
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d76bf6c54a5ba01ef7edcaeb3811500f9896f49726eabdad461375af0dbf1699.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d76bf6c54a5ba01ef7edcaeb3811500f9896f49726eabdad461375af0dbf1699.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\44331869\vigcdruw.com
        Command line: "C:\Users\Admin\AppData\Local\Temp\44331869\vigcdruw.com" aupompqau.ovt
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCA5A.tmp"
                - Suspicious behavior: EnumeratesProcesses
            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD8E2.tmp"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\44331869\aupompqau.ovt
  MD5: 9004e464f39c7c5d3643aa1709cc34e0
  SHA1: 2887cce3a6a0649136726e2398e87fc4dfccbfaa
  SHA256: a2f00860b3704829e308f35300163123a7ae9ed2f1e06b914ff884c4ec06dd6f
  SHA512: 928d7bebe62a05167c59c727982ded93f0baf30a97d6aec46072098729842854743ad17a369b4f15a67319c5753fd6f98379cc729d66dc58a664e1baeeba2152

C:\Users\Admin\AppData\Local\Temp\44331869\dtnpkt.ini
  MD5: 10fc838134b8d62bdb9518aead71d3ea
  SHA1: 106b9de0c35789ed1e2bb775fcf19e1430793a2e
  SHA256: cf6415aff0437524dbf05f9cc2fd7d6be90a5a011d122932cac0ffc7f0dc08ba
  SHA512: 4e376add492dfb2eef7ca90602aa15f9391bf3415624e375044e8d4a2565d6be6961ad7af97d4e939533f91557449f684204efb1e83936742278cf0dd0c17809

C:\Users\Admin\AppData\Local\Temp\44331869\vigcdruw.com
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

C:\Users\Admin\AppData\Local\Temp\tmpCA5A.tmp
  MD5: 93d9547e2f6b166ddc13b0f852378d78
  SHA1: 9c252ab52886c3e59e832b316bade26fe3473c74
  SHA256: 0e2229e3ecc706a74a1048c7e395644542a880183d9f6809260410d618dbed1d
  SHA512: 81711df6173b9020a004eabd398e4c1f0c092c42ab6888db122dfe2e582c04826025972f06867d207de7f4cb4d15d57afa219aebcbb9c966961696dca93d3298
Memory dumps:
  memory/1912-114-0x0000000000000000-mapping.dmp
  memory/2720-126-0x0000000010970000-0x0000000010971000-memory.dmp  Filesize: 4KB
  memory/2720-119-0x0000000000600000-0x0000000007796000-memory.dmp  Filesize: 113.6MB
  memory/2720-120-0x000000000068B2BE-mapping.dmp
  memory/2720-127-0x000000000BC70000-0x000000000BC71000-memory.dmp  Filesize: 4KB
  memory/2720-128-0x0000000010550000-0x0000000010551000-memory.dmp  Filesize: 4KB
  memory/2720-129-0x000000000BEE0000-0x000000000BEE1000-memory.dmp  Filesize: 4KB
  memory/2720-130-0x000000000C740000-0x000000000C741000-memory.dmp  Filesize: 4KB
  memory/2720-138-0x000000000BD80000-0x000000000BD81000-memory.dmp  Filesize: 4KB
  memory/2720-125-0x000000000E1F0000-0x000000000E262000-memory.dmp  Filesize: 456KB
  memory/3732-133-0x0000000000400000-0x000000000045C000-memory.dmp  Filesize: 368KB
  memory/3732-132-0x0000000000444D30-mapping.dmp
  memory/3732-131-0x0000000000400000-0x000000000045C000-memory.dmp  Filesize: 368KB
  memory/3964-135-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
  memory/3964-136-0x000000000041211A-mapping.dmp
  memory/3964-137-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB