Analysis Overview
SHA256
752efe9ad078a9be4a82b6f7c2123d58c90a1456287390b50df9e9c3292bc490
Threat Level: Known bad
The file DHL_AWB 65335643399___pdf.exe was found to be: Known bad.
Malicious Activity Summary
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
NirSoft MailPassView
Nirsoft
NirSoft WebBrowserPassView
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-05 14:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-05 14:20
Reported
2021-11-05 14:22
Platform
win7-en-20211014
Max time kernel
151s
Max time network
120s
Command Line
Signatures
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
5 hits; the report records no indicator, process or target detail for this signature.
NirSoft MailPassView
4 hits; the report records no indicator, process or target detail for this signature.
NirSoft WebBrowserPassView
4 hits; the report records no indicator, process or target detail for this signature.
Nirsoft
7 hits; the report records no indicator, process or target detail for this signature.
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 372 set thread context of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe |
| PID 1932 set thread context of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1932 set thread context of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Process | Hits |
| C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe | 8 |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 5 |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9FC.tmp"
C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe"
C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe"
C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEABC.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF059.tmp"
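Read together, the SetThreadContext rows, the two vbc.exe command lines and the schtasks call above describe a single chain: the dropper hollows a second copy of itself, that copy hollows two instances of the .NET VB compiler and runs NirSoft-style password recovery inside them (the /stext switch is NirSoft's "save results as text", so each tmp file named there is where stolen credentials land), and a scheduled task registered from an XML file in %TEMP% provides persistence. The Python below is an added example for this report, not the sandbox vendor's tooling or the malware's own code; it reconstructs that chain from the report's events. The PIDs, images and SetThreadContext pairs are copied from behavioral1; which of the two vbc.exe PIDs received which /stext output file is not stated in the report and is assumed here, and the regexes, category names and helper functions are the example's own.

```python
"""Reconstruct the injection and persistence chain from sandbox events.

Added example for this report; not the sandbox vendor's or the malware's
own code. PIDs, images and SetThreadContext pairs come from the behavioral1
run. Which vbc.exe PID received which /stext output file is not stated in
the report and is ASSUMED here for illustration.
"""
import re

MALWARE = r"C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed process table: pid -> (image path, command line).
PROCESSES = {
    372: (MALWARE, '"' + MALWARE + '"'),
    828: (SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9FC.tmp"'),
    1932: (MALWARE, '"' + MALWARE + '"'),
    # The PID-to-output-file pairing below is assumed, not given by the report.
    1828: (VBC, r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEABC.tmp"'),
    900: (VBC, r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF059.tmp"'),
}

# SetThreadContext events as (source pid, target pid), from the report.
SET_THREAD_CONTEXT = [(372, 1932), (1932, 1828), (1932, 900)]

STEXT_RE = re.compile(r'/stext\s+"([^"]+)"', re.I)  # NirSoft "save as text" switch
TASK_RE = re.compile(r'/Create\s+/TN\s+"([^"]+)"\s+/XML\s+"([^"]+)"', re.I)
TEMP_MARK = "\\appdata\\local\\temp\\"


def in_temp(path):
    """True when a path sits under the user's %TEMP% directory."""
    return TEMP_MARK in path.lower()


def classify_injection(src_pid, dst_pid, procs):
    """Label one SetThreadContext event by what the target process is."""
    src_img, _ = procs[src_pid]
    dst_img, dst_cmd = procs[dst_pid]
    if src_img.lower() == dst_img.lower():
        # Dropper runs its unpacked payload inside a fresh copy of itself.
        return {"src": src_pid, "dst": dst_pid, "technique": "self-hollowing"}
    m = STEXT_RE.search(dst_cmd)
    if m and dst_img.lower().endswith("\\vbc.exe"):
        # Signed .NET compiler used as a host for a NirSoft-style recovery
        # tool; /stext names the file the recovered credentials are written to.
        return {"src": src_pid, "dst": dst_pid,
                "technique": "hollowed-vbc-credential-dump",
                "output_file": m.group(1)}
    return {"src": src_pid, "dst": dst_pid, "technique": "injection"}


def find_persistence(procs):
    """Scheduled tasks created from an XML definition, flagging XML in %TEMP%."""
    found = []
    for pid, (img, cmd) in procs.items():
        if not img.lower().endswith("\\schtasks.exe"):
            continue
        m = TASK_RE.search(cmd)
        if m:
            task, xml = m.groups()
            found.append({"pid": pid, "task": task, "xml": xml,
                          "xml_in_temp": in_temp(xml)})
    return found


def reconstruct(procs, events):
    """Return the injection chain, persistence, and the files worth collecting."""
    injections = [classify_injection(s, d, procs) for s, d in events]
    persistence = find_persistence(procs)
    # Files a responder should pull from the host: dumper output and task XML.
    collect = sorted({i["output_file"] for i in injections if "output_file" in i}
                     | {p["xml"] for p in persistence})
    chain = ["%d -> %d (%s)" % (i["src"], i["dst"], i["technique"])
             for i in injections]
    return {"injections": injections, "persistence": persistence,
            "collect": collect, "chain": chain}


if __name__ == "__main__":
    result = reconstruct(PROCESSES, SET_THREAD_CONTEXT)
    for line in result["chain"]:
        print(line)
    for p in result["persistence"]:
        print("persistence: task %s from %s (XML in TEMP: %s)"
              % (p["task"], p["xml"], p["xml_in_temp"]))
    print("collect:", *result["collect"], sep="\n  ")
```

The same logic applies unchanged to the behavioral2 run (2748 -> 3256 -> 3608 and 936, task XML tmp782A.tmp, outputs tmpA8AF.tmp and tmpB12C.tmp); only the PROCESSES table needs the other run's PIDs and file names.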
Network
Files
memory/372-55-0x0000000000A00000-0x0000000000A01000-memory.dmp
memory/372-57-0x00000000757A1000-0x00000000757A3000-memory.dmp
memory/372-58-0x00000000020F0000-0x00000000020F1000-memory.dmp
memory/372-59-0x00000000003A0000-0x00000000003A6000-memory.dmp
memory/372-60-0x0000000005660000-0x000000000570E000-memory.dmp
memory/828-61-0x0000000000000000-mapping.dmp
memory/1932-62-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1932-63-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1932-64-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1932-65-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1932-66-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1932-67-0x000000000048B2FE-mapping.dmp
memory/1932-68-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1932-70-0x0000000000910000-0x0000000000982000-memory.dmp
memory/1932-71-0x0000000004940000-0x0000000004941000-memory.dmp
memory/1828-72-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1828-73-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1828-74-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1828-75-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1828-76-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1828-77-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1828-78-0x000000000044472E-mapping.dmp
memory/1828-80-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpEABC.tmp
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/900-82-0x0000000000400000-0x000000000041C000-memory.dmp
memory/900-83-0x0000000000400000-0x000000000041C000-memory.dmp
memory/900-84-0x0000000000400000-0x000000000041C000-memory.dmp
memory/900-85-0x0000000000400000-0x000000000041C000-memory.dmp
memory/900-86-0x0000000000400000-0x000000000041C000-memory.dmp
memory/900-87-0x0000000000400000-0x000000000041C000-memory.dmp
memory/900-88-0x000000000041211A-mapping.dmp
memory/900-90-0x0000000000400000-0x000000000041C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-05 14:20
Reported
2021-11-05 14:22
Platform
win10-en-20211014
Max time kernel
127s
Max time network
130s
Command Line
Signatures
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
2 hits; the report records no indicator, process or target detail for this signature.
NirSoft MailPassView
4 hits; the report records no indicator, process or target detail for this signature.
NirSoft WebBrowserPassView
4 hits; the report records no indicator, process or target detail for this signature.
Nirsoft
7 hits; the report records no indicator, process or target detail for this signature.
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2748 set thread context of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe |
| PID 3256 set thread context of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 3256 set thread context of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp782A.tmp"
C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe"
C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB 65335643399___pdf.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA8AF.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB12C.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 66.171.248.178:80 | bot.whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
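The network table above mixes sandbox and OS background traffic (DNS queries to 8.8.8.8, NTP to time.windows.com) with the two connections that matter for a stealer of this family: an external-IP lookup over HTTP and an SMTP submission on port 587 to a public mail provider, which is how HawkEye-style loggers mail out what they collect. The Python below is an added example for this report, not part of the report itself or of any vendor tooling; it parses the table exactly as it appears on the page, labels each row, correlates the lookup-then-mail pattern into a verdict, and derives a block list that excludes the resolver and time server. The set of IP-lookup service names is a partial list assumed for illustration, and the category and verdict names are the example's own.

```python
"""Triage the behavioral2 network table: separate sandbox and OS noise from
stealer-relevant traffic and derive blockable indicators.

Added example for this report; not the sandbox vendor's tooling. The table
text is copied from the page. IP_LOOKUP_SERVICES is a partial, assumed list.
"""

NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 66.171.248.178:80 | bot.whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
"""

# Assumed, partial list of public "what is my IP" services used by stealers.
IP_LOOKUP_SERVICES = {"bot.whatismyipaddress.com", "whatismyipaddress.com",
                      "api.ipify.org", "icanhazip.com", "checkip.dyndns.org"}
NOISE_DOMAINS = {"time.windows.com"}  # Windows time sync on the sandbox VM
SMTP_PORTS = {25, 465, 587}


def parse_network_table(text):
    """Parse the page's pipe-delimited rows into dicts; skips the header."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")  # rpartition keeps IPv6 intact
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(row):
    """Label one connection by destination port, protocol and domain."""
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-query"          # resolver traffic; never block the resolver
    if row["domain"] in NOISE_DOMAINS:
        return "os-noise"
    if row["domain"] in IP_LOOKUP_SERVICES:
        return "external-ip-lookup"  # victim fingerprinting before check-in
    if row["port"] in SMTP_PORTS and row["proto"] == "tcp":
        return "smtp-submission"     # mail-out from a non-mail-client process
    return "unclassified"


def triage(rows):
    """Correlate labels into a verdict and a list of blockable endpoints."""
    labelled = [(classify(r), r) for r in rows]
    kinds = {k for k, _ in labelled}
    blocklist = sorted({"%s:%d" % (r["ip"], r["port"]) for k, r in labelled
                        if k in ("external-ip-lookup", "smtp-submission")})
    domains = sorted({r["domain"] for _, r in labelled
                      if r["domain"] not in NOISE_DOMAINS})
    if "external-ip-lookup" in kinds and "smtp-submission" in kinds:
        verdict = "stealer-exfil-over-smtp"
    elif "smtp-submission" in kinds:
        verdict = "smtp-from-non-mail-client"
    else:
        verdict = "no-exfil-channel-observed"
    return {"verdict": verdict, "blocklist": blocklist,
            "domains": domains, "labelled": labelled}


if __name__ == "__main__":
    result = triage(parse_network_table(NETWORK_TABLE))
    for kind, r in result["labelled"]:
        print("%-20s %s:%d %s (%s)" % (kind, r["ip"], r["port"], r["domain"], r["proto"]))
    print("verdict:", result["verdict"])
    print("block:", ", ".join(result["blocklist"]))
    print("domains to hunt:", ", ".join(result["domains"]))
```

Blocking smtp.yandex.com at the egress is a per-organisation call (it is a legitimate mail provider); the higher-value control is an egress rule that allows SMTP submission only from the mail relay, which stops this class of exfiltration regardless of which provider the operator chose.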
Files
memory/2748-115-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2748-117-0x0000000005320000-0x0000000005321000-memory.dmp
memory/2748-118-0x0000000004D50000-0x0000000004D51000-memory.dmp
memory/2748-119-0x0000000004E20000-0x000000000531E000-memory.dmp
memory/2748-120-0x0000000004D00000-0x0000000004D01000-memory.dmp
memory/2748-121-0x00000000050C0000-0x00000000050C6000-memory.dmp
memory/2748-122-0x0000000007450000-0x0000000007451000-memory.dmp
memory/2748-123-0x0000000007760000-0x000000000780E000-memory.dmp
memory/1004-124-0x0000000000000000-mapping.dmp
memory/3256-126-0x000000000048B2FE-mapping.dmp
memory/3256-125-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_AWB 65335643399___pdf.exe.log
| MD5 | 0c2899d7c6746f42d5bbe088c777f94c |
| SHA1 | 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1 |
| SHA256 | 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458 |
| SHA512 | ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078 |
memory/3256-130-0x0000000007C30000-0x0000000007CA2000-memory.dmp
memory/3256-133-0x00000000058A0000-0x00000000058A1000-memory.dmp
memory/3256-134-0x0000000005920000-0x0000000005921000-memory.dmp
memory/3608-135-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3608-136-0x000000000044472E-mapping.dmp
memory/3608-137-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA8AF.tmp
| MD5 | 5607a09fc866e8b1c39d38c0c9203c19 |
| SHA1 | d8d31295162fe66ff99426de635a0fb9e7247fd2 |
| SHA256 | 2bb09a6f9850fd5353a5732b3909c92714d2b156fd30925ba8dee908a545fea9 |
| SHA512 | 66ae386094b396e0f50c6bacea88360b04339843f91e843082802727711ebd425551297fb320564a2285ab4199e18eff97a70d60a9f9903fed4111244a205565 |
memory/936-139-0x0000000000400000-0x000000000041C000-memory.dmp
memory/936-140-0x000000000041211A-mapping.dmp
memory/936-141-0x0000000000400000-0x000000000041C000-memory.dmp