Analysis Overview
SHA256
e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade
Threat Level: Known bad
The file e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade was found to be: Known bad.
Malicious Activity Summary
M00nd3v_Logger
HawkEye Reborn
M00nD3v Logger Payload
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Sets service image path in registry
Drops startup file
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
autoit_exe
Suspicious use of SetThreadContext
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-01 03:03
Signatures
autoit_exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-01 03:03
Reported
2022-02-01 03:06
Platform
win7-en-20211208
Max time kernel
155s
Max time network
122s
Command Line
Signatures
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url | C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1124 set thread context of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 1448 set thread context of 396 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1448 set thread context of 280 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe
"C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8C88.tmp"
Network
Files
memory/1124-54-0x0000000075D11000-0x0000000075D13000-memory.dmp
memory/1124-55-0x0000000000270000-0x0000000000271000-memory.dmp
memory/1448-56-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1448-57-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1448-65-0x0000000000400000-0x0000000000A30000-memory.dmp
memory/396-66-0x0000000000400000-0x000000000045B000-memory.dmp
memory/396-67-0x0000000000400000-0x000000000045B000-memory.dmp
memory/396-68-0x0000000000400000-0x000000000045B000-memory.dmp
memory/396-69-0x0000000000400000-0x000000000045B000-memory.dmp
memory/396-70-0x0000000000400000-0x000000000045B000-memory.dmp
memory/396-71-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1448-73-0x0000000000400000-0x0000000000A30000-memory.dmp
memory/396-74-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/280-76-0x0000000000400000-0x000000000041C000-memory.dmp
memory/280-77-0x0000000000400000-0x000000000041C000-memory.dmp
memory/280-78-0x0000000000400000-0x000000000041C000-memory.dmp
memory/280-79-0x0000000000400000-0x000000000041C000-memory.dmp
memory/280-80-0x0000000000400000-0x000000000041C000-memory.dmp
memory/280-81-0x0000000000400000-0x000000000041C000-memory.dmp
memory/280-83-0x0000000000400000-0x000000000041C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-01 03:03
Reported
2022-02-01 03:07
Platform
win10v2004-en-20220112
Max time kernel
161s
Max time network
152s
Command Line
Signatures
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets service image path in registry
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url | C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3688 set thread context of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe
"C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 3a04e55d6aa780c36e94e8a8ec7e2a0d yiOR4kwYa0WH7DsHuFQ1tQ.0.1.0.0.0
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | crl3.digicert.com | udp |
| US | 72.21.91.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 8.248.7.254:80 | tcp | |
| NL | 8.248.7.254:80 | tcp |
Files
memory/2204-130-0x0000000000760000-0x00000000007F0000-memory.dmp
memory/2204-138-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
memory/2204-139-0x00000000098B0000-0x0000000009E54000-memory.dmp
memory/2204-140-0x00000000094A0000-0x000000000953C000-memory.dmp
memory/2204-141-0x0000000004E80000-0x0000000004EE6000-memory.dmp
memory/2204-142-0x00000000056D0000-0x0000000005762000-memory.dmp
memory/2204-143-0x0000000005C10000-0x0000000005C1A000-memory.dmp