Analysis
- max time kernel: 153s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 05-02-2022 12:57
Static task
static1
Behavioral task
behavioral1
Sample
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe
Resource
win10v2004-en-20220112
General
-
Target
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe
-
Size
964KB
-
MD5
9cf33a9d11e1a0eddb2481e862487bb2
-
SHA1
4db6d3e61cd201bf855a1e50300d01496a231de7
-
SHA256
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
-
SHA512
14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec
Malware Config
Extracted family: hawkeye_reborn
(no configuration fields or names were recovered)
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 1 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource: behavioral2/memory/2364-141-0x0000000000400000-0x0000000000490000-memory.dmp
yara_rule: m00nd3v_logger
Executes dropped EXE 2 IoCs
Processes:
PID 3680: chrome.exe
PID 2364: chrome.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (process: 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (process: chrome.exe)
Drops startup file 5 IoCs
Processes:
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe (process: cmd.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe\:Zone.Identifier:$DATA (process: cmd.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier (process: cmd.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier (process: cmd.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe (process: cmd.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\chrome.exe -boot" (process: chrome.exe)
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 3680 (chrome.exe) set thread context of PID 2364 (chrome.exe)
Drops file in Windows directory 1 IoCs
Processes:
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (process: svchost.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: MusNotifyIcon.exe)
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: MusNotifyIcon.exe)
Modifies data under HKEY_USERS 45 IoCs
Processes:
All 45 entries below were performed by svchost.exe (PID 3056) under the NetworkService hive \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization; paths are given relative to that key.
Set value (int): Usage\DownloadMonthlyRateFrBps = "0"
Set value (int): Usage\DownlinkUsageBps = "0"
Set value (int): Usage\UplinkBps = "0"
Set value (int): Usage\UploadMonthlyInternetBytes = "0"
Set value (int): Usage\DownloadMonthlyCacheHostBytes = "0"
Set value (int): Usage\CDNConnectionCount = "0"
Set value (str): Usage\CPUpct = "1.111132"
Set value (int): Usage\MemoryUsageKB = "4132"
Set value (int): Usage\DownloadMonthlyCdnBytes = "0"
Set value (int): Usage\DownloadMonthlyRateBkBps = "0"
Set value (str): Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
Set value (int): Usage\LinkLocalConnectionCount = "0"
Set value (int): Usage\UploadRatePct = "100"
Set value (int): Usage\DownloadMonthlyInternetBytes = "0"
Set value (int): Usage\DownloadMonthlyLanBytes = "0"
Set value (int): Usage\SwarmCount = "1"
Set value (int): Usage\UploadCount = "0"
Key created: Config
Set value (int): Usage\DownloadMonthlyGroupBytes = "0"
Set value (int): Config\DownloadMode_BackCompat = "1"
Set value (int): Usage\DownloadMonthlyLinkLocalBytes = "0"
Set value (int): Usage\BkDownloadRatePct = "45"
Key created: (the DeliveryOptimization key itself)
Key created: Settings
Set value (int): Usage\CacheSizeBytes = "0"
Set value (int): Usage\NormalDownloadCount = "0"
Set value (int): Usage\UploadMonthlyLanBytes = "0"
Set value (int): Usage\DownloadMonthlyRateFrCnt = "0"
Set value (int): Usage\PeerInfoCount = "0"
Set value (int): Usage\InternetConnectionCount = "0"
Set value (int): Usage\DownlinkBps = "0"
Set value (int): Usage\UplinkUsageBps = "0"
Set value (int): Usage\FrDownloadRatePct = "90"
Set value (int): Usage\MonthlyUploadRestriction = "0"
Set value (int): Config\DODownloadMode = "1"
Key created: Usage
Set value (int): Usage\PriorityDownloadPendingCount = "0"
Set value (int): Usage\NormalDownloadPendingCount = "0"
Set value (int): Config\KVFileExpirationTime = "132887158764067776"
Set value (str): Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
Set value (int): Usage\LANConnectionCount = "0"
Set value (int): Usage\GroupConnectionCount = "0"
Set value (int): Usage\PriorityDownloadCount = "0"
Set value (int): Usage\DownloadMonthlyRateBkCnt = "0"
Set value (int): Usage\MonthID = "2"
NTFS ADS 2 IoCs
Processes:
File created: C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier (process: cmd.exe)
File opened for modification: C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier (process: cmd.exe)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege (PID 884, 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe)
Token: SeDebugPrivilege (PID 3680, chrome.exe)
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3924 (cmd.exe)
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3924 (cmd.exe)
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3924 (cmd.exe)
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3016 (cmd.exe)
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3016 (cmd.exe)
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3016 (cmd.exe)
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3452 (cmd.exe)
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3452 (cmd.exe)
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3452 (cmd.exe)
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3380 (cmd.exe)
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3380 (cmd.exe)
PID 884 (8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe) wrote to memory of PID 3380 (cmd.exe)
PID 3380 (cmd.exe) wrote to memory of PID 3680 (chrome.exe)
PID 3380 (cmd.exe) wrote to memory of PID 3680 (chrome.exe)
PID 3380 (cmd.exe) wrote to memory of PID 3680 (chrome.exe)
PID 3680 (chrome.exe) wrote to memory of PID 3080 (cmd.exe)
PID 3680 (chrome.exe) wrote to memory of PID 3080 (cmd.exe)
PID 3680 (chrome.exe) wrote to memory of PID 3080 (cmd.exe)
PID 3680 (chrome.exe) wrote to memory of PID 2148 (cmd.exe)
PID 3680 (chrome.exe) wrote to memory of PID 2148 (cmd.exe)
PID 3680 (chrome.exe) wrote to memory of PID 2148 (cmd.exe)
PID 3680 (chrome.exe) wrote to memory of PID 2364 (chrome.exe)
PID 3680 (chrome.exe) wrote to memory of PID 2364 (chrome.exe)
PID 3680 (chrome.exe) wrote to memory of PID 2364 (chrome.exe)
PID 3680 (chrome.exe) wrote to memory of PID 2364 (chrome.exe)
PID 3680 (chrome.exe) wrote to memory of PID 2364 (chrome.exe)
PID 3680 (chrome.exe) wrote to memory of PID 2364 (chrome.exe)
PID 3680 (chrome.exe) wrote to memory of PID 2364 (chrome.exe)
PID 3680 (chrome.exe) wrote to memory of PID 2364 (chrome.exe)
Processes
-
Process tree (indentation shows parent/child depth; the trailing number on each original entry was that depth):
C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe (depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 884
    C:\Windows\SysWOW64\cmd.exe (depth 2)
        Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier"
        - NTFS ADS
        PID: 3924
    C:\Windows\SysWOW64\cmd.exe (depth 2)
        Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier"
        - NTFS ADS
        PID: 3016
    C:\Windows\SysWOW64\cmd.exe (depth 2)
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
        - Drops startup file
        PID: 3452
    C:\Windows\SysWOW64\cmd.exe (depth 2)
        Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
        - Suspicious use of WriteProcessMemory
        PID: 3380
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe (depth 3)
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 3680
            C:\Windows\SysWOW64\cmd.exe (depth 4)
                Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier"
                - Drops startup file
                PID: 3080
            C:\Windows\SysWOW64\cmd.exe (depth 4)
                Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier"
                - Drops startup file
                PID: 2148
            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe (depth 4)
                Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
                - Executes dropped EXE
                PID: 2364
-
C:\Windows\system32\MusNotifyIcon.exe (depth 1)
    Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    - Checks processor information in registry
    PID: 1560
-
C:\Windows\System32\svchost.exe (depth 1)
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID: 3056
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 9cf33a9d11e1a0eddb2481e862487bb2
SHA1: 4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256: 8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512: 14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec