Malware Analysis Report

2025-01-18 02:38

Sample ID 220205-ng4pcsaha2
Target ae41668b1efcfcb42794f2110f208b68265a5e2258102a5d84e9d067c6b6e3cf
SHA256 ae41668b1efcfcb42794f2110f208b68265a5e2258102a5d84e9d067c6b6e3cf
Tags
hawkeye_reborn m00nd3v_logger collection evasion keylogger spyware stealer trojan
score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score 10/10

SHA256 ae41668b1efcfcb42794f2110f208b68265a5e2258102a5d84e9d067c6b6e3cf

Threat Level: Known bad

The file ae41668b1efcfcb42794f2110f208b68265a5e2258102a5d84e9d067c6b6e3cf was found to be: Known bad.

Malicious Activity Summary

hawkeye_reborn m00nd3v_logger collection evasion keylogger spyware stealer trojan

HawkEye Reborn

M00nd3v_Logger

Modifies Windows Defender Real-time Protection settings

M00nD3v Logger Payload

Reads user/profile data of web browsers

Windows security modification

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

outlook_office_path

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-02-05 11:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-02-05 11:23
Reported: 2022-02-05 11:25
Platform: win7-en-20211208
Max time kernel: 89s
Max time network: 74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

M00nd3v_Logger

stealer spyware m00nd3v_logger

Modifies Windows Defender Real-time Protection settings

evasion trojan

M00nD3v Logger Payload

Description | Indicator | Process | Target
N/A (3 rows, no details reported)

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A

Note: the key path shows the write landed in the Wow6432Node view, i.e. the sample is a 32-bit process and WOW64 redirected its HKLM\SOFTWARE access. The 64-bit Defender service reads the native key, and Tamper Protection does not exist on the Windows 7 platform of this run, so this is an attempted rather than an effective change (it would also need administrative rights to succeed at all). The intent is still a clear evasion indicator, and the "powershell" Get-MpPreference child under Processes is the reconnaissance half of the same routine.

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | bot.whatismyipaddress.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1092 wrote to memory of 1140 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 1888 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1092 wrote to memory of 684 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe

Note: the writes into powershell.exe and schtasks.exe accompany ordinary child-process creation. The nine writes into PID 684, a second instance of the sample's own image, together with the "Suspicious use of SetThreadContext" signature listed in the summary above and the repeated 0x0000000000400000-0x0000000000490000 dumps of PID 684 under Files, are consistent with process hollowing: the unpacked M00nD3v/HawkEye payload runs inside the child, not in the parent, so memory of PID 684 is where to look for the decoded configuration.

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe | N/A

Processes

PIDs are taken from the WriteProcessMemory rows above and from the memory dump names under Files; the three indented processes are the ones PID 1092 wrote into.

PID 1092  C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe"

  PID 1140  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose

  PID 1888  C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\elPqST" /XML "C:\Users\Admin\AppData\Local\Temp\tmp271F.tmp"

  PID 684  C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe
    "{path}"

Notes: the sample is 32-bit, so its children resolve to SysWOW64 although the command lines name System32. The scheduled task "Updates\elPqST" is defined by an XML file written to Temp (tmp271F.tmp, hashes under Files) rather than by /SC and /TR arguments, so its trigger and action are not visible in the command line; the XML file is the artifact to recover. "{path}" is the sandbox's placeholder for the second instance's command line.
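The behaviours above, turned into detection logic. This is an added example, not part of the sandbox report or of the tool that produced it: the process, WriteProcessMemory and registry events are constructed from the rows of this report (the PIDs are the report's), while the rule names, the regular expressions and the write-count threshold are my own assumptions.

```python
"""Detection logic for the chain recorded in behavioral1.

Added example, not part of the sandbox report. The events below are
constructed from the report's Processes list, WriteProcessMemory rows and
registry rows; rule names and thresholds are assumptions of this example.
"""
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe")
HKU = "\\REGISTRY\\USER\\S-1-5-21-2329389628-4064185017-3901522362-1000"

# pid -> (image path, command line), from the Processes list.
PROCESSES = {
    1092: (SAMPLE, f'"{SAMPLE}"'),
    1140: (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
           '"powershell" Get-MpPreference -verbose'),
    1888: (r"C:\Windows\SysWOW64\schtasks.exe",
           r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\elPqST" '
           r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp271F.tmp"'),
    684: (SAMPLE, "{path}"),
}

# (writer pid, target pid); repeats kept, the count is part of the signal.
WPM_EVENTS = [(1092, 1140)] * 4 + [(1092, 1888)] * 4 + [(1092, 684)] * 9

# (operation, key path, value written, pid) from the registry rows.
REG_EVENTS = [
    ("set", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender"
            r"\Features\TamperProtection", "0", 1092),
    ("open", HKU + r"\Software\Microsoft\Windows NT\CurrentVersion"
             r"\Windows Messaging Subsystem\Profiles\Outlook"
             r"\9375CFF0413111d3B88A00104B2A6676", None, 1092),
    ("open", HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
             r"\9375CFF0413111d3B88A00104B2A6676", None, 1092),
]

SELF_INJECT_MIN_WRITES = 3  # assumption: headers + sections + context, not one write
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
XML_ARG_RE = re.compile(r'/XML\s+"?([^"]+)"?', re.I)
LURE_RE = re.compile(r"[\s,._-]\s*(pdf|docx?|xlsx?)\s*\.exe$", re.I)
OUTLOOK_RE = re.compile(
    r"\\(Windows Messaging Subsystem|Office\\\d+\.\d+\\Outlook)\\Profiles\\Outlook\\", re.I)


def detect(processes, wpm_events, reg_events):
    """Return (rule, pid, detail) tuples for the behaviours the report records."""
    hits = []

    # 1. Repeated writes into a child that runs the writer's own image: the
    #    spawn-self, overwrite, resume shape of process hollowing.
    for (writer, target), n in Counter(wpm_events).items():
        same_image = processes[writer][0].lower() == processes[target][0].lower()
        if same_image and n >= SELF_INJECT_MIN_WRITES:
            hits.append(("self_image_injection", writer,
                         f"{n} WriteProcessMemory calls into pid {target} (same image)"))

    for pid, (image, cmd) in processes.items():
        name = image.rsplit("\\", 1)[-1]
        # 2. Document-looking executable running from %TEMP% (the ",pdf.exe" lure).
        if TEMP_RE.search(image) and LURE_RE.search(name):
            hits.append(("double_extension_lure", pid, name))
        # 3. schtasks /Create driven by an XML definition in %TEMP%: trigger and
        #    action are hidden in the file, not in the command line.
        if name.lower() == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            m = XML_ARG_RE.search(cmd)
            if m and TEMP_RE.search(m.group(1)):
                hits.append(("schtasks_xml_from_temp", pid, m.group(1)))
        # 4. Defender configuration reconnaissance from a child shell.
        if name.lower() == "powershell.exe" and re.search(r"get-mppreference", cmd, re.I):
            hits.append(("defender_config_recon", pid, cmd))

    for op, key, value, pid in reg_events:
        low = key.lower()
        # 5. Any value set under the Defender tree; flag WOW64 redirection, since a
        #    value under Wow6432Node is not what the 64-bit service reads.
        if op == "set" and "\\microsoft\\windows defender\\" in low:
            leaf = key.rsplit("\\", 1)[-1]
            note = " (Wow6432Node: written by a 32-bit process, redirected)" \
                if "\\wow6432node\\" in low else ""
            hits.append(("defender_setting_modified", pid, f"{leaf} = {value}{note}"))
        # 6. Outlook profile store, where mail account settings and credentials live.
        if op == "open" and OUTLOOK_RE.search(key):
            hits.append(("outlook_profile_access", pid, key))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCESSES, WPM_EVENTS, REG_EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

The self-image rule keys on the count of writes, not on a single WriteProcessMemory, because one write into a freshly created child is routine; the Defender rule reports the Wow6432Node redirection explicitly so an analyst does not mistake a recorded attempt for a successful configuration change.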

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp

Only the DNS query for the external-IP lookup service was recorded; no exfiltration or C2 traffic from the logger was captured within the 74 s network window of this run.

Files

memory/1092-54-0x0000000075831000-0x0000000075833000-memory.dmp

memory/1092-55-0x0000000002450000-0x0000000002451000-memory.dmp

memory/1092-56-0x0000000002451000-0x0000000002452000-memory.dmp

memory/1140-60-0x0000000002180000-0x0000000002181000-memory.dmp

memory/1140-61-0x0000000002181000-0x0000000002182000-memory.dmp

memory/1140-62-0x0000000002182000-0x0000000002184000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp271F.tmp

MD5 8f7daaa8b0f42433e1b8208d7a606bce
SHA1 6d515aa16686dae97ecd4bac4512263d16715362
SHA256 7ba32b1f4cf32a3c2dd8b7e04cbbc19d05534ba809530f34dc791fd252adb8f3
SHA512 aa627ff814b24e477e2f74fdcc9b65f8507dfffcaa277d028de511231b3de990a5513df115de49dd782855af400c6234dfe639bb437096a970c0811a2f5209a2

memory/684-64-0x0000000000400000-0x0000000000490000-memory.dmp

memory/684-65-0x0000000000400000-0x0000000000490000-memory.dmp

memory/684-66-0x0000000000400000-0x0000000000490000-memory.dmp

memory/684-67-0x0000000000400000-0x0000000000490000-memory.dmp

memory/684-68-0x0000000000400000-0x0000000000490000-memory.dmp

memory/684-70-0x0000000000C30000-0x0000000000C31000-memory.dmp
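Picking the dump worth carving from the list above. This is an added example, not part of the sandbox report: the dump names are copied from the Files list, while the size threshold, the use of the conventional 32-bit image base 0x400000 and the reading of repeated dumps as a hint of rewriting are heuristics assumed by this example.

```python
"""Triage of the memory dump names listed under Files: which region is the
unpacked payload worth carving? Added example, not part of the report; the
dump names are copied from it, the heuristics are assumptions.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Dump names as listed under Files for the behavioral1 run.
DUMPS = """
memory/1092-54-0x0000000075831000-0x0000000075833000-memory.dmp
memory/1092-55-0x0000000002450000-0x0000000002451000-memory.dmp
memory/1092-56-0x0000000002451000-0x0000000002452000-memory.dmp
memory/1140-60-0x0000000002180000-0x0000000002181000-memory.dmp
memory/1140-61-0x0000000002181000-0x0000000002182000-memory.dmp
memory/1140-62-0x0000000002182000-0x0000000002184000-memory.dmp
memory/684-64-0x0000000000400000-0x0000000000490000-memory.dmp
memory/684-65-0x0000000000400000-0x0000000000490000-memory.dmp
memory/684-66-0x0000000000400000-0x0000000000490000-memory.dmp
memory/684-67-0x0000000000400000-0x0000000000490000-memory.dmp
memory/684-68-0x0000000000400000-0x0000000000490000-memory.dmp
memory/684-70-0x0000000000C30000-0x0000000000C31000-memory.dmp
""".split()

PAGE = 0x1000
DEFAULT_IMAGE_BASE_32 = 0x400000  # linker default for 32-bit executables
MIN_IMAGE_SIZE = 0x10000          # assumption: smaller ranges are stray heap/stack pages


def parse_dump(name):
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp -> (pid, seq, start, end)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    return (int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def regions_by_pid(names):
    """Group dumps by (pid, start, end). The same range dumped several times is
    read here as a hint that the sandbox saw it rewritten, which is what an
    unpacking stub does to the image it hollows."""
    out = defaultdict(dict)
    for name in names:
        pid, seq, start, end = parse_dump(name)
        info = out[pid].setdefault((start, end), {"size": end - start, "dumps": 0, "seqs": []})
        info["dumps"] += 1
        info["seqs"].append(seq)
    return out


def payload_candidates(names, min_size=MIN_IMAGE_SIZE):
    """Page-aligned regions large enough to hold a PE, best candidate first:
    default 32-bit image base, then most re-dumped, then largest."""
    cands = []
    for pid, regions in regions_by_pid(names).items():
        for (start, end), info in regions.items():
            if info["size"] >= min_size and start % PAGE == 0:
                first = min(info["seqs"])
                cands.append({
                    "pid": pid, "start": start, "end": end,
                    "size": info["size"], "dumps": info["dumps"],
                    "at_default_base": start == DEFAULT_IMAGE_BASE_32,
                    "first_dump": f"memory/{pid}-{first}-0x{start:016X}-0x{end:016X}-memory.dmp",
                })
    cands.sort(key=lambda c: (not c["at_default_base"], -c["dumps"], -c["size"]))
    return cands


if __name__ == "__main__":
    for c in payload_candidates(DUMPS):
        print(f"pid {c['pid']}: 0x{c['start']:X}-0x{c['end']:X} ({c['size'] // 1024} KiB, "
              f"{c['dumps']} dumps, default base: {c['at_default_base']}) -> {c['first_dump']}")
```

On this report the only candidate is the 576 KiB region at 0x400000 in PID 684, dumped five times: that is the hollowed child's image and the place to run the M00nD3v/HawkEye configuration extraction, whereas every dump of PIDs 1092 and 1140 is a 4 or 8 KiB fragment.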

Analysis: behavioral2

Detonation Overview

Submitted: 2022-02-05 11:23
Reported: 2022-02-05 11:25
Platform: win10v2004-en-20220113
Max time kernel: 91s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe"

Signatures

Both signatures in this run fire on C:\Windows\system32\svchost.exe hosting the Windows Update service (wuauserv, see Processes), not on the sample.

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege (3 events) | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeCreatePagefilePrivilege (3 events) | N/A | C:\Windows\system32\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY LIST PO#0007865243482987267 ,pdf.exe"

C:\Windows\SysWOW64\fondue.exe
  "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\system32\FonDUE.EXE
  "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Note: fondue.exe (Features on Demand User Experience) was launched by the .NET runtime shim, mscoreei.dll, as the /caller-name argument records, to enable the NetFx3 optional feature; the 32-bit copy re-launches the native 64-bit FonDUE.EXE through the sysnative alias, and the Windows Update host (svchost -s wuauserv) performs the feature install. This is what happens when a .NET Framework 2.0/3.5 executable is started on a Windows 10 image that does not have that runtime enabled, so the sample's own code never ran in this detonation. The absence of malware signatures here is inconclusive rather than evidence that the sample is benign on Windows 10; the Windows 7 run above is the one that shows its behaviour.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp (5 connections)
NL | 67.26.111.254:80 | | tcp
NL | 104.110.191.133:80 | | tcp

No traffic attributable to the sample was recorded in this run; the settings-win.data.microsoft.com connections are Windows telemetry, and the report does not resolve the two port-80 destinations.

Files

memory/3436-130-0x000001C823B70000-0x000001C823B80000-memory.dmp

memory/3436-137-0x000001C8268F0000-0x000001C8268F4000-memory.dmp