Analysis Overview
SHA256
8db8c4d8cf585fc858ef52a8449f3172536dde3e4d9611b11426e1b3e88598d2
Threat Level: Known bad
The file 8db8c4d8cf585fc858ef52a8449f3172536dde3e4d9611b11426e1b3e88598d2 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-05 13:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-05 13:01
Reported
2022-02-05 13:04
Platform
win7-en-20211208
Max time kernel
136s
Max time network
146s
Command Line
Signatures
HawkEye Reborn
M00nd3v_Logger
Modifies Windows Defender Real-time Protection settings
M00nD3v Logger Payload
(No indicator, process or target details were recorded for the four signatures above.)
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1180 set thread context of 1700 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LATEST PRECAUTIONARY MEASURES_pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LATEST PRECAUTIONARY MEASURES_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\LATEST PRECAUTIONARY MEASURES_pdf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\LATEST PRECAUTIONARY MEASURES_pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WkGggWLmOAqiZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1257.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
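Added example (not part of this report or of the sandbox's own tooling): detection checks for the chain recorded above, run over events constructed from the Processes, registry and SetThreadContext entries. The report shows installutil.exe launched with /u against the dropper in %TEMP% (the uninstall path is a documented way to execute a .NET assembly under a signed Microsoft binary), installutil.exe (PID 1180) setting the thread context of an argument-less RegSvcs.exe (PID 1700) together with WriteProcessMemory, the same RegSvcs.exe opening Outlook profile keys where a stealer looks for stored mail credentials, and schtasks /Create /XML pointed at a .tmp file in %TEMP%. Two caveats: the only Defender-related command line visible is `Get-MpPreference -verbose`, which reads settings rather than changing them, so the rule below treats it as reconnaissance rather than tampering; and schtasks.exe appears under SysWOW64 because the 32-bit parent's call to System32\schtasks.exe went through WOW64 file system redirection. The mapping of PIDs 1604 and 724 to the dropper and PowerShell, PID 900 for schtasks, and the event-record layout are assumptions of the example.

```python
"""Detection checks for the installutil.exe -> RegSvcs.exe chain in this report.

Added example; not part of the sandbox report. Events are constructed from the
report's Processes, registry and SetThreadContext entries. PIDs 1180 and 1700 are
taken from the SetThreadContext entry; the other PIDs are assumed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    image: str
    key: str


@dataclass
class ThreadCtxEvent:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Outlook profile hives: the Office 15.0/16.0 path and the legacy Windows Messaging Subsystem path.
OUTLOOK_PROFILE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook|"
    r"Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.I,
)
DOTNET_UTILS = {"installutil.exe", "regsvcs.exe", "regasm.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(cmdline):
    """Strip the (possibly quoted) image token and return the remaining arguments."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1).strip() if m else cmdline


def check_process(ev):
    hits = []
    name, args = _basename(ev.image), _args(ev.cmdline)
    # installutil.exe /u <file>: runs the assembly's uninstall code under a signed MS binary.
    if name == "installutil.exe" and re.search(r"(?:^|\s)/u(?:\s|$)", args, re.I) and TEMP_DIR.search(args):
        hits.append("installutil_uninstall_from_temp")
    # RegSvcs/RegAsm always take an assembly path in legitimate use; no arguments at all
    # means the process exists only to receive injected code.
    if name in ("regsvcs.exe", "regasm.exe") and not args:
        hits.append("dotnet_util_no_arguments")
    if name == "schtasks.exe" and re.search(r"/create\b", args, re.I):
        m = re.search(r'/xml\s+(?:"([^"]*)"|(\S+))', args, re.I)
        xml_path = (m.group(1) or m.group(2)) if m else ""
        if TEMP_DIR.search(xml_path):
            hits.append("schtasks_xml_from_temp")
    # Get-MpPreference only reads Defender settings: reconnaissance, not tampering.
    if name == "powershell.exe" and re.search(r"Get-MpPreference", args, re.I):
        hits.append("defender_config_query")
    return hits


def check_registry(ev):
    if OUTLOOK_PROFILE.search(ev.key) and _basename(ev.image) != "outlook.exe":
        return ["outlook_profile_access_by_non_outlook"]
    return []


def check_thread_context(ev):
    # Setting a thread context in another process, with a .NET utility as the target,
    # is the SetThreadContext half of the hollowing pattern recorded in the report.
    if ev.source_pid != ev.target_pid and _basename(ev.target_image) in DOTNET_UTILS:
        return ["cross_process_setthreadcontext"]
    return []


def triage(events):
    """Return sorted (rule, pid) pairs for every event that fired a rule."""
    out = set()
    for ev in events:
        if isinstance(ev, ProcEvent):
            out.update((r, ev.pid) for r in check_process(ev))
        elif isinstance(ev, RegEvent):
            out.update((r, ev.pid) for r in check_registry(ev))
        elif isinstance(ev, ThreadCtxEvent):
            out.update((r, ev.target_pid) for r in check_thread_context(ev))
    return sorted(out)


NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SID = r"\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\LATEST PRECAUTIONARY MEASURES_pdf.exe"
# Constructed from the report's entries; PIDs 1604, 724 and 900 are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1604, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1180, NET + r"\installutil.exe",
              f'"{NET}\\installutil.exe" /logtoconsole=false /logfile= /u "{DROPPER}"'),
    ProcEvent(724, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              '"powershell" Get-MpPreference -verbose'),
    ProcEvent(900, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WkGggWLmOAqiZ" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp1257.tmp"'),
    ProcEvent(1700, NET + r"\RegSvcs.exe", f'"{NET}\\RegSvcs.exe"'),
    ThreadCtxEvent(1180, NET + r"\installutil.exe", 1700, NET + r"\RegSvcs.exe"),
    RegEvent(1700, NET + r"\RegSvcs.exe",
             SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    RegEvent(1700, NET + r"\RegSvcs.exe",
             SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem"
                   r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
]

if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule}")
```

Run stand-alone, the script prints one line per (rule, PID) pair; every process in the report's chain except the dropper itself trips at least one rule, and RegSvcs.exe (PID 1700) trips three. The rules key on what is stable in the chain (a .NET utility with no arguments, a cross-process thread-context write into it, /u against a %TEMP% file, a task XML sourced from %TEMP%) rather than on the sample's hash, task name or dropper file name, which change per campaign.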
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/1604-54-0x0000000000830000-0x00000000008A6000-memory.dmp
memory/1604-55-0x0000000074F01000-0x0000000074F03000-memory.dmp
memory/1604-56-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
memory/1180-57-0x0000000000B40000-0x0000000000B4C000-memory.dmp
memory/1180-58-0x0000000004970000-0x00000000049E6000-memory.dmp
memory/1180-60-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
memory/1180-61-0x0000000000510000-0x0000000000518000-memory.dmp
memory/1180-62-0x0000000000A20000-0x0000000000A96000-memory.dmp
memory/1180-63-0x0000000005040000-0x00000000050A8000-memory.dmp
memory/1180-64-0x00000000051E0000-0x000000000526E000-memory.dmp
memory/724-68-0x0000000002430000-0x000000000307A000-memory.dmp
memory/724-69-0x0000000002430000-0x000000000307A000-memory.dmp
memory/724-70-0x0000000002430000-0x000000000307A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1257.tmp
| MD5 | 55cc3c5965b916cc1e28fe1146395565 |
| SHA1 | 52386dc0886f2914edf2d199cd7fbb1fea1449ea |
| SHA256 | aac2fca48130676e4c01d4c5d0856312722848457862b5f45660306cd05d7745 |
| SHA512 | aa995865384df86f96722e2f23d53eb79353bfbbcc68f97a4f5efcea59f0a864830ae0b27a396d5d631e67e33a78b49367fc0c80cd44c2fa2c671d43bb18e286 |
memory/1700-72-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1700-73-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1700-74-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1700-75-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1700-76-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1700-77-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1700-78-0x0000000000210000-0x0000000000216000-memory.dmp
memory/1700-80-0x0000000004A90000-0x0000000004A91000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-05 13:01
Reported
2022-02-05 13:04
Platform
win10v2004-en-20220113
Max time kernel
16s
Max time network
24s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\LATEST PRECAUTIONARY MEASURES_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\LATEST PRECAUTIONARY MEASURES_pdf.exe"
Network
Files
memory/4064-130-0x0000000000F30000-0x0000000000FA6000-memory.dmp
memory/4064-131-0x0000000005EA0000-0x0000000006444000-memory.dmp
memory/4064-132-0x0000000005990000-0x0000000005A22000-memory.dmp