Analysis Overview
SHA256
fa933a52aefddd4d8afc31c031c7e2e2fe18a8e64caec310b0ea1a7ea2fe744f
Threat Level: Known bad
The file fa933a52aefddd4d8afc31c031c7e2e2fe18a8e64caec310b0ea1a7ea2fe744f was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-05 07:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-05 07:40
Reported
2022-02-05 07:43
Platform
win7-en-20211208
Max time kernel
55s
Max time network
24s
Command Line
Signatures
HawkEye Reborn
M00nd3v_Logger
Modifies Windows Defender Real-time Protection settings
M00nD3v Logger Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1452 set thread context of 984 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fa933a52aefddd4d8afc31c031c7e2e2fe18a8e64caec310b0ea1a7ea2fe744f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fa933a52aefddd4d8afc31c031c7e2e2fe18a8e64caec310b0ea1a7ea2fe744f.exe
"C:\Users\Admin\AppData\Local\Temp\fa933a52aefddd4d8afc31c031c7e2e2fe18a8e64caec310b0ea1a7ea2fe744f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\fa933a52aefddd4d8afc31c031c7e2e2fe18a8e64caec310b0ea1a7ea2fe744f.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WkGggWLmOAqiZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D27.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/1664-54-0x0000000000CD0000-0x0000000000D46000-memory.dmp
memory/1664-55-0x0000000076071000-0x0000000076073000-memory.dmp
memory/1664-56-0x0000000004E10000-0x0000000004E11000-memory.dmp
memory/1452-57-0x0000000000B10000-0x0000000000B1C000-memory.dmp
memory/1452-58-0x0000000001F20000-0x0000000001F96000-memory.dmp
memory/1452-60-0x0000000004710000-0x0000000004711000-memory.dmp
memory/1452-61-0x0000000000610000-0x0000000000618000-memory.dmp
memory/1452-62-0x0000000000660000-0x00000000006D6000-memory.dmp
memory/1452-63-0x0000000004F10000-0x0000000004F78000-memory.dmp
memory/1452-64-0x0000000007490000-0x000000000751E000-memory.dmp
memory/268-68-0x0000000002440000-0x000000000308A000-memory.dmp
memory/268-69-0x0000000002440000-0x000000000308A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2D27.tmp
| MD5 | 89e80410634cc7adce7de2b2bd0dca7d |
| SHA1 | 88ff36a8b6d0e30c9325a78827bc99a9946e8851 |
| SHA256 | 6312e3aa433c4664a8773c91f4b876734ef16832257ad6316c9bf87751649a80 |
| SHA512 | 0938bc04ad7e32a9798b7faa7859a4a47d41b81672c19fef2c7262f87dd2fb487c3e6460e4d2b7b4a7a8aa7d65a9e3f204ec75b73eab90fb205d20a94153c005 |
memory/984-71-0x0000000000400000-0x0000000000490000-memory.dmp
memory/984-72-0x0000000000400000-0x0000000000490000-memory.dmp
memory/984-73-0x0000000000400000-0x0000000000490000-memory.dmp
memory/984-74-0x0000000000400000-0x0000000000490000-memory.dmp
memory/984-75-0x0000000000400000-0x0000000000490000-memory.dmp
memory/984-76-0x0000000000400000-0x0000000000490000-memory.dmp
memory/984-77-0x0000000000550000-0x0000000000556000-memory.dmp
memory/984-79-0x0000000004A80000-0x0000000004A81000-memory.dmp
memory/984-80-0x0000000004A85000-0x0000000004A96000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-05 07:40
Reported
2022-02-05 07:43
Platform
win10v2004-en-20220113
Max time kernel
3s
Max time network
7s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\fa933a52aefddd4d8afc31c031c7e2e2fe18a8e64caec310b0ea1a7ea2fe744f.exe
"C:\Users\Admin\AppData\Local\Temp\fa933a52aefddd4d8afc31c031c7e2e2fe18a8e64caec310b0ea1a7ea2fe744f.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
Files
memory/3404-130-0x0000000000330000-0x00000000003A6000-memory.dmp
memory/3404-131-0x0000000005330000-0x00000000058D4000-memory.dmp
memory/3404-132-0x0000000004D80000-0x0000000004E12000-memory.dmp