Analysis
-
max time kernel
67s -
max time network
31s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
05-02-2022 10:20
Static task
static1
Behavioral task
behavioral1
Sample
Receipt_010000002097_04292020.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Receipt_010000002097_04292020.exe
Resource
win10v2004-en-20220113
General
-
Target
Receipt_010000002097_04292020.exe
-
Size
730KB
-
MD5
4784be90b3ae66de28444acd653179a1
-
SHA1
aead58074a9ee2793e20c20fbb0d3d4f833cffb5
-
SHA256
707cd5b94d99a4276668d4a8a50685dfc005259542e78786553d2c82bcd01c89
-
SHA512
80b430f6e9e674882edd5a3190b7e78735b4cc136109472ef9618d4277fb80d411b6f173f6e7b00c65f5135d7a8b6739618809686ae198c8f38b9b2f2548ea12
Malware Config
Extracted
hawkeye_reborn
10.1.2.2
Protocol: ftp- Host:
ftp.airbiast.com - Port:
21 - Username:
[email protected] - Password:
playboy123#
40f2c4d7-d616-43ae-974d-93b4bdc7e04d
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:playboy123# _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.airbiast.com _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:43800 _MeltFile:false _Mutex:40f2c4d7-d616-43ae-974d-93b4bdc7e04d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 4 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral1/memory/1592-61-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1592-62-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1592-63-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1592-64-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource yara_rule behavioral1/memory/616-57-0x0000000000450000-0x00000000004E8000-memory.dmp rezer0 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Receipt_010000002097_04292020.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Receipt_010000002097_04292020.exe Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Receipt_010000002097_04292020.exe Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Receipt_010000002097_04292020.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Receipt_010000002097_04292020.exedescription pid process target process PID 616 set thread context of 1592 616 Receipt_010000002097_04292020.exe Receipt_010000002097_04292020.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Receipt_010000002097_04292020.exepid process 616 Receipt_010000002097_04292020.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Receipt_010000002097_04292020.exeReceipt_010000002097_04292020.exedescription pid process Token: SeDebugPrivilege 616 Receipt_010000002097_04292020.exe Token: SeDebugPrivilege 1592 Receipt_010000002097_04292020.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
Receipt_010000002097_04292020.exedescription pid process target process PID 616 wrote to memory of 1648 616 Receipt_010000002097_04292020.exe schtasks.exe PID 616 wrote to memory of 1648 616 Receipt_010000002097_04292020.exe schtasks.exe PID 616 wrote to memory of 1648 616 Receipt_010000002097_04292020.exe schtasks.exe PID 616 wrote to memory of 1648 616 Receipt_010000002097_04292020.exe schtasks.exe PID 616 wrote to memory of 1592 616 Receipt_010000002097_04292020.exe Receipt_010000002097_04292020.exe PID 616 wrote to memory of 1592 616 Receipt_010000002097_04292020.exe Receipt_010000002097_04292020.exe PID 616 wrote to memory of 1592 616 Receipt_010000002097_04292020.exe Receipt_010000002097_04292020.exe PID 616 wrote to memory of 1592 616 Receipt_010000002097_04292020.exe Receipt_010000002097_04292020.exe PID 616 wrote to memory of 1592 616 Receipt_010000002097_04292020.exe Receipt_010000002097_04292020.exe PID 616 wrote to memory of 1592 616 Receipt_010000002097_04292020.exe Receipt_010000002097_04292020.exe PID 616 wrote to memory of 1592 616 Receipt_010000002097_04292020.exe Receipt_010000002097_04292020.exe PID 616 wrote to memory of 1592 616 Receipt_010000002097_04292020.exe Receipt_010000002097_04292020.exe PID 616 wrote to memory of 1592 616 Receipt_010000002097_04292020.exe Receipt_010000002097_04292020.exe -
outlook_office_path 1 IoCs
Processes:
Receipt_010000002097_04292020.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Receipt_010000002097_04292020.exe -
outlook_win_path 1 IoCs
Processes:
Receipt_010000002097_04292020.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Receipt_010000002097_04292020.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe"C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\naityLl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp34A.tmp"2⤵
- Creates scheduled task(s)
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1592
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
612d8e5b7d732cbb511eb015c00d27c0
SHA1618fc167011e68508cb6300021083adfd54c57ea
SHA256948255a97b6056dee225b2ef10b0df66b24db9c27c36745a8da02a30a0adcb55
SHA5125a123d76674c4e8a11d142ec76a8a681cb4c136127e251906974c6f0cc1299c48d6eb4169e600a48ee51052a278912cfa8bc7c1cd3c934d1dd75f1e1d67c9876