Analysis
-
max time kernel
158s -
max time network
164s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
05-02-2022 14:29
Static task
static1
Behavioral task
behavioral1
Sample
Contract Offer.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Contract Offer.exe
Resource
win10v2004-en-20220112
General
-
Target
Contract Offer.exe
-
Size
672KB
-
MD5
5d560917f54b8b3c532bccae250dd558
-
SHA1
fd1e8e6d71eeb4ed9d4288c62e3c6627c6bab15f
-
SHA256
5fb3c9a42ded740fdc4f9329592f9bc151b184e052cb17ee3e084e3f23e86465
-
SHA512
1ee040dc84695fb1a71d0cc86dd4f12ad5dd76882d18499b3560e1b948365142a56796af182dcde323f7d5a3c33c75c25c7e9d0c5b1cee6ca550982c957f0fbf
Malware Config
Extracted
hawkeye_reborn
9.0.1.6
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
333link00win
6ab1d9e0-a54f-4834-962b-f8a6a128cbbe
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:333link00win _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:6ab1d9e0-a54f-4834-962b-f8a6a128cbbe _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 3 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral1/memory/1120-61-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1120-62-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1120-63-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1936-71-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral1/memory/1936-73-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView -
Nirsoft 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1936-71-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral1/memory/1936-73-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
Contract Offer.exeContract Offer.exedescription pid process target process PID 2032 set thread context of 1120 2032 Contract Offer.exe Contract Offer.exe PID 1120 set thread context of 1936 1120 Contract Offer.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Contract Offer.exepid process 2032 Contract Offer.exe 2032 Contract Offer.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Contract Offer.exedescription pid process Token: SeDebugPrivilege 2032 Contract Offer.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
Contract Offer.exeContract Offer.exedescription pid process target process PID 2032 wrote to memory of 652 2032 Contract Offer.exe schtasks.exe PID 2032 wrote to memory of 652 2032 Contract Offer.exe schtasks.exe PID 2032 wrote to memory of 652 2032 Contract Offer.exe schtasks.exe PID 2032 wrote to memory of 652 2032 Contract Offer.exe schtasks.exe PID 2032 wrote to memory of 1628 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1628 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1628 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1628 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1120 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1120 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1120 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1120 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1120 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1120 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1120 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1120 2032 Contract Offer.exe Contract Offer.exe PID 2032 wrote to memory of 1120 2032 Contract Offer.exe Contract Offer.exe PID 1120 wrote to memory of 1936 1120 Contract Offer.exe vbc.exe PID 1120 wrote to memory of 1936 1120 Contract Offer.exe vbc.exe PID 1120 wrote to memory of 1936 1120 Contract Offer.exe vbc.exe PID 1120 wrote to memory of 1936 1120 Contract Offer.exe vbc.exe PID 1120 wrote to memory of 1936 1120 Contract Offer.exe vbc.exe PID 1120 wrote to memory of 1936 1120 Contract Offer.exe vbc.exe PID 1120 wrote to memory of 1936 1120 Contract Offer.exe vbc.exe PID 1120 wrote to memory of 1936 1120 Contract Offer.exe vbc.exe PID 1120 wrote to memory of 1936 1120 Contract Offer.exe vbc.exe PID 1120 wrote to memory of 1936 1120 Contract Offer.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Contract Offer.exe"C:\Users\Admin\AppData\Local\Temp\Contract Offer.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fnqjKoK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8526.tmp"2⤵
- Creates scheduled task(s)
PID:652 -
C:\Users\Admin\AppData\Local\Temp\Contract Offer.exe"{path}"2⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\Contract Offer.exe"{path}"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp76F.tmp"3⤵PID:1936
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
2d749d13a9fe8379095e985a2c38953d
SHA199bce2cdfc36ebd2170d07cd06a03a1815f01733
SHA256e86f4540f7d6470c6eb65e1a875faf3bdd0dcccec788586f4c95fe25745db34d
SHA512d67b53fb17035fb7c62b000fc141188ce3c68568a60ca0dc2ee782c23c1d53d9bf90d4ae13979afd3c3c98261987023668013f1e000a7b89720f22e1c1f02260