Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01-02-2022 05:02
Static task
static1
Behavioral task
behavioral1
Sample
xSL4FcGiFNAXgLg.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
xSL4FcGiFNAXgLg.exe
Resource
win10v2004-en-20220112
General
-
Target
xSL4FcGiFNAXgLg.exe
-
Size
987KB
-
MD5
13448c9fe9b5e6b6a6d3994bba8f9555
-
SHA1
962eb66a7322172d457bfd81be7502cec6d7b5f9
-
SHA256
d9f2a175430adc77bc769e257717d0c3afdef060686fd7da3b7f3871f1e9a9d2
-
SHA512
1cbf63a85385baef34dab3fc18c080a18c3a89de3c18177e1c3e7372f1acdba3c25635855355b2de937bc667ec47f6749693f9130fb15e80b9d9e4f61d4f7bc8
Malware Config
Extracted
hawkeye_reborn
10.1.0.0
Protocol: smtp- Host:
mail.continentalmanpower.com - Port:
26 - Username:
[email protected] - Password:
MumCon05
51386575-9c41-482f-8c0b-bba72d83b6ee
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:MumCon05 _EmailPort:26 _EmailSSL:true _EmailServer:mail.continentalmanpower.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:51386575-9c41-482f-8c0b-bba72d83b6ee _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 3 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral1/memory/1036-61-0x0000000000400000-0x00000000004AA000-memory.dmp m00nd3v_logger behavioral1/memory/1036-62-0x0000000000400000-0x00000000004AA000-memory.dmp m00nd3v_logger behavioral1/memory/1036-63-0x0000000000400000-0x00000000004AA000-memory.dmp m00nd3v_logger -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1700-72-0x0000000000400000-0x0000000000477000-memory.dmp WebBrowserPassView behavioral1/memory/1700-74-0x0000000000400000-0x0000000000477000-memory.dmp WebBrowserPassView -
Nirsoft 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1700-72-0x0000000000400000-0x0000000000477000-memory.dmp Nirsoft behavioral1/memory/1700-74-0x0000000000400000-0x0000000000477000-memory.dmp Nirsoft -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
xSL4FcGiFNAXgLg.exexSL4FcGiFNAXgLg.exedescription pid process target process PID 760 set thread context of 1036 760 xSL4FcGiFNAXgLg.exe xSL4FcGiFNAXgLg.exe PID 1036 set thread context of 1700 1036 xSL4FcGiFNAXgLg.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
vbc.exexSL4FcGiFNAXgLg.exepid process 1700 vbc.exe 1036 xSL4FcGiFNAXgLg.exe 1036 xSL4FcGiFNAXgLg.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
xSL4FcGiFNAXgLg.exedescription pid process Token: SeDebugPrivilege 1036 xSL4FcGiFNAXgLg.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
xSL4FcGiFNAXgLg.exexSL4FcGiFNAXgLg.exedescription pid process target process PID 760 wrote to memory of 784 760 xSL4FcGiFNAXgLg.exe schtasks.exe PID 760 wrote to memory of 784 760 xSL4FcGiFNAXgLg.exe schtasks.exe PID 760 wrote to memory of 784 760 xSL4FcGiFNAXgLg.exe schtasks.exe PID 760 wrote to memory of 784 760 xSL4FcGiFNAXgLg.exe schtasks.exe PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe xSL4FcGiFNAXgLg.exe PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe xSL4FcGiFNAXgLg.exe PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe xSL4FcGiFNAXgLg.exe PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe xSL4FcGiFNAXgLg.exe PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe xSL4FcGiFNAXgLg.exe PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe xSL4FcGiFNAXgLg.exe PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe xSL4FcGiFNAXgLg.exe PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe xSL4FcGiFNAXgLg.exe PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe xSL4FcGiFNAXgLg.exe PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe vbc.exe PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe vbc.exe PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe vbc.exe PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe vbc.exe PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe vbc.exe PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe vbc.exe PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe vbc.exe PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe vbc.exe PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe vbc.exe PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\xSL4FcGiFNAXgLg.exe"C:\Users\Admin\AppData\Local\Temp\xSL4FcGiFNAXgLg.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbCowtz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D29.tmp"2⤵
- Creates scheduled task(s)
PID:784 -
C:\Users\Admin\AppData\Local\Temp\xSL4FcGiFNAXgLg.exe"{path}"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE3E9.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1700
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
3bb7923d81db2a5d96e46b5fe5eb6fcf
SHA1aadb052a1879176a1e85303aa535810f35049aaa
SHA256cea8cddc25a15acd2e102f6f38488f3bd9218e49d70e4bc8d24da79ba66bd640
SHA512ba9929fec4d75e8c42a12b0a682d97790f4a03384d41b1ef19ca0e5a7a95077a1c6dfb06f981fe2f6a5f2cd918aeee1b3ecf19e68c9355f57267e64140976f2d
-
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84