Analysis
- max time kernel: 161s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 01-02-2022 03:03
Static task: static1
Behavioral task: behavioral1
- Sample: e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe
- Resource: win10v2004-en-20220112
General
- Target: e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe
- Size: 2.2MB
- MD5: 65d92895ecaec816edad069d799d6bbc
- SHA1: a31f6ab392db84a748a7dd0b1edf5117f65296ec
- SHA256: e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade
- SHA512: f649cd23d3183317cab12223777229be73b6fe128917339ac61867422664b6bba26e4aac9d6c8d3cfca5289e04e766af399e58082e49bf56726dd29a24e1a513
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 9.0.1.6
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: [email protected]
- Password: *iMTk].!][Yb2
- Mutex: 16bf04f9-ae09-4c30-940a-83c545db9bca
- fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: *iMTk].!][Yb2
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: mail.privateemail.com
  _EmailUsername: [email protected]
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _MeltFile: false
  _Mutex: 16bf04f9-ae09-4c30-940a-83c545db9bca
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 9.0.1.6
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
- name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- M00nD3v Logger Payload (1 IoCs)
  Detects M00nD3v Logger payload in memory.
  Processes:
  Resource: behavioral2/memory/2204-130-0x0000000000760000-0x00000000007F0000-memory.dmp; yara_rule: m00nd3v_logger
- Sets service image path in registry (2 TTPs)
- Drops startup file (1 IoCs)
  Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url; process: e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  PID 3688 set thread context of 2204; process: e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe; target process: RegAsm.exe
- Modifies data under HKEY_USERS (41 IoCs)
  Processes: WaaSMedicAgent.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  PID 2204 RegAsm.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  Token: SeDebugPrivilege; PID 2204 RegAsm.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  PID 3688 e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe (3 events)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
  PID 3688 e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe (3 events)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  PID 2204 RegAsm.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  PID 3688 wrote to memory of 2204; process: e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe; target process: RegAsm.exe (5 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe"
  PID: 3688
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2204
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 3a04e55d6aa780c36e94e8a8ec7e2a0d yiOR4kwYa0WH7DsHuFQ1tQ.0.1.0.0.0
  PID: 1792
  - Modifies data under HKEY_USERS