Analysis Overview
SHA256
ae41668b1efcfcb42794f2110f208b68265a5e2258102a5d84e9d067c6b6e3cf
Threat Level: Known bad
The file ae41668b1efcfcb42794f2110f208b68265a5e2258102a5d84e9d067c6b6e3cf was found to be: Known bad.
Malicious Activity Summary
HawkEye Reborn
M00nd3v_Logger
Modifies Windows Defender Real-time Protection settings
M00nD3v Logger Payload
Reads user/profile data of web browsers
Windows security modification
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
outlook_office_path
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-05 11:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-05 11:23
Reported
2022-02-05 11:25
Platform
win7-en-20211208
Max time kernel
89s
Max time network
74s
Command Line
Signatures
HawkEye Reborn
M00nd3v_Logger
Modifies Windows Defender Real-time Protection settings
M00nD3v Logger Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1092 set thread context of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\elPqST" /XML "C:\Users\Admin\AppData\Local\Temp\tmp271F.tmp"
C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/1092-54-0x0000000075831000-0x0000000075833000-memory.dmp
memory/1092-55-0x0000000002450000-0x0000000002451000-memory.dmp
memory/1092-56-0x0000000002451000-0x0000000002452000-memory.dmp
memory/1140-60-0x0000000002180000-0x0000000002181000-memory.dmp
memory/1140-61-0x0000000002181000-0x0000000002182000-memory.dmp
memory/1140-62-0x0000000002182000-0x0000000002184000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp271F.tmp
| MD5 | 8f7daaa8b0f42433e1b8208d7a606bce |
| SHA1 | 6d515aa16686dae97ecd4bac4512263d16715362 |
| SHA256 | 7ba32b1f4cf32a3c2dd8b7e04cbbc19d05534ba809530f34dc791fd252adb8f3 |
| SHA512 | aa627ff814b24e477e2f74fdcc9b65f8507dfffcaa277d028de511231b3de990a5513df115de49dd782855af400c6234dfe639bb437096a970c0811a2f5209a2 |
memory/684-64-0x0000000000400000-0x0000000000490000-memory.dmp
memory/684-65-0x0000000000400000-0x0000000000490000-memory.dmp
memory/684-66-0x0000000000400000-0x0000000000490000-memory.dmp
memory/684-67-0x0000000000400000-0x0000000000490000-memory.dmp
memory/684-68-0x0000000000400000-0x0000000000490000-memory.dmp
memory/684-70-0x0000000000C30000-0x0000000000C31000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-05 11:23
Reported
2022-02-05 11:25
Platform
win10v2004-en-20220113
Max time kernel
91s
Max time network
156s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3380 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 3380 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 3380 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 4676 wrote to memory of 2044 | N/A | C:\Windows\SysWOW64\fondue.exe | C:\Windows\system32\FonDUE.EXE |
| PID 4676 wrote to memory of 2044 | N/A | C:\Windows\SysWOW64\fondue.exe | C:\Windows\system32\FonDUE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe"
C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 67.26.111.254:80 | tcp | |
| NL | 104.110.191.133:80 | tcp |
Files
memory/3436-130-0x000001C823B70000-0x000001C823B80000-memory.dmp
memory/3436-137-0x000001C8268F0000-0x000001C8268F4000-memory.dmp