Analysis
-
max time kernel
137s -
max time network
124s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
05-02-2022 10:40
Static task
static1
Behavioral task
behavioral1
Sample
URAntWWIDAKGWvH.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
URAntWWIDAKGWvH.exe
Resource
win10v2004-en-20220112
General
-
Target
URAntWWIDAKGWvH.exe
-
Size
938KB
-
MD5
a6878e0f706ce30c91d3536cf7a868f9
-
SHA1
ed2f0c27809876a2e297552fc270ea5d58c92be5
-
SHA256
262f885facb446834a04e4af5746633127d68e9e68ce157052bad0b7404a4c16
-
SHA512
c90b904ca16673b0efc633428d929cd7db87b8b16777b7dcd9a0af7dbb38afb074592288761f8a8ee6dbadd5b5bf28e3c9b5fb2bb017164d3d56a489bbc14879
Malware Config
Extracted
hawkeye_reborn
10.1.2.2
Protocol: ftp- Host:
ftp.aramrak.eu - Port:
21 - Username:
[email protected] - Password:
admin2020#
9d0dde5f-d32b-42e1-88e9-8b122ebe267b
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:admin2020# _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.aramrak.eu _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:9d0dde5f-d32b-42e1-88e9-8b122ebe267b _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 4 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral1/memory/1772-63-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1772-64-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1772-65-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1772-66-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource yara_rule behavioral1/memory/840-59-0x0000000007EB0000-0x0000000007F48000-memory.dmp rezer0 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
URAntWWIDAKGWvH.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 URAntWWIDAKGWvH.exe Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 URAntWWIDAKGWvH.exe Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 URAntWWIDAKGWvH.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
URAntWWIDAKGWvH.exedescription pid process target process PID 840 set thread context of 1772 840 URAntWWIDAKGWvH.exe URAntWWIDAKGWvH.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
URAntWWIDAKGWvH.exepid process 840 URAntWWIDAKGWvH.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
URAntWWIDAKGWvH.exeURAntWWIDAKGWvH.exedescription pid process Token: SeDebugPrivilege 840 URAntWWIDAKGWvH.exe Token: SeDebugPrivilege 1772 URAntWWIDAKGWvH.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
URAntWWIDAKGWvH.exedescription pid process target process PID 840 wrote to memory of 1752 840 URAntWWIDAKGWvH.exe schtasks.exe PID 840 wrote to memory of 1752 840 URAntWWIDAKGWvH.exe schtasks.exe PID 840 wrote to memory of 1752 840 URAntWWIDAKGWvH.exe schtasks.exe PID 840 wrote to memory of 1752 840 URAntWWIDAKGWvH.exe schtasks.exe PID 840 wrote to memory of 1772 840 URAntWWIDAKGWvH.exe URAntWWIDAKGWvH.exe PID 840 wrote to memory of 1772 840 URAntWWIDAKGWvH.exe URAntWWIDAKGWvH.exe PID 840 wrote to memory of 1772 840 URAntWWIDAKGWvH.exe URAntWWIDAKGWvH.exe PID 840 wrote to memory of 1772 840 URAntWWIDAKGWvH.exe URAntWWIDAKGWvH.exe PID 840 wrote to memory of 1772 840 URAntWWIDAKGWvH.exe URAntWWIDAKGWvH.exe PID 840 wrote to memory of 1772 840 URAntWWIDAKGWvH.exe URAntWWIDAKGWvH.exe PID 840 wrote to memory of 1772 840 URAntWWIDAKGWvH.exe URAntWWIDAKGWvH.exe PID 840 wrote to memory of 1772 840 URAntWWIDAKGWvH.exe URAntWWIDAKGWvH.exe PID 840 wrote to memory of 1772 840 URAntWWIDAKGWvH.exe URAntWWIDAKGWvH.exe -
outlook_office_path 1 IoCs
Processes:
URAntWWIDAKGWvH.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 URAntWWIDAKGWvH.exe -
outlook_win_path 1 IoCs
Processes:
URAntWWIDAKGWvH.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 URAntWWIDAKGWvH.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe"C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGCsZVSPdCGAaI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBA0.tmp"2⤵
- Creates scheduled task(s)
PID:1752 -
C:\Users\Admin\AppData\Local\Temp\URAntWWIDAKGWvH.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1772
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
b7ac982f0c7e55ba4f2d38e02ddc7485
SHA186c8813c31f1385161a4b04db962e8489880d314
SHA25601b93d3d89dafc9b2ebf889d4011b304f93e8f6f1d74b3435c688402163ae2bc
SHA512a0729cd06f1a19ad4f54258bb23132b2834e818a46036121632c484d1e32edaa7e63915b7c127a7ccb7bd0c7b8290b91a69e9bf3bb543f7e5d5af6ae2f1f6006