Analysis
- max time kernel: 141s
- max time network: 130s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 18:23
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: PAYMENT SWIFT COPY.pdf.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: PAYMENT SWIFT COPY.pdf.exe
  Resource: win10v2004-en-20220113
General
- Target: PAYMENT SWIFT COPY.pdf.exe
- Size: 970KB
- MD5: fd7ef2eeb906cad24856562a2d2ea4d5
- SHA1: d15359eb35d6ed3fd7c31044f2f5211309caf535
- SHA256: 6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1
- SHA512: fc9e3b6fc15c6584786da6210020cd3af6f0988254036fa2d630c1f4404015c7013ae7d8db98de3b5ca8413724e353bd1de50a98cd9239813ab825dd14564962
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 10.1.0.0
- Protocol: smtp
- Host: mail.continentalmanpower.com
- Port: 587
- Username: [email protected]
- Password: MumCon05
- Mutex: 8d67e9d2-69dd-4a3a-baeb-fb3c2b6cde4f
- fields (extracted configuration map):
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: false
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: MumCon05
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: mail.continentalmanpower.com
  _EmailUsername: [email protected]
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: false
  _LogInterval: 10
  _MeltFile: false
  _Mutex: 8d67e9d2-69dd-4a3a-baeb-fb3c2b6cde4f
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 10.1.0.0
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
- name: HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- M00nD3v Logger Payload (3 IoCs)
  Detects M00nD3v Logger payload in memory.
  Processes (resource / yara_rule):
  behavioral1/memory/1552-60-0x0000000000400000-0x00000000004AA000-memory.dmp / m00nd3v_logger
  behavioral1/memory/1552-61-0x0000000000400000-0x00000000004AA000-memory.dmp / m00nd3v_logger
  behavioral1/memory/1552-62-0x0000000000400000-0x00000000004AA000-memory.dmp / m00nd3v_logger
- NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers
  Processes (resource / yara_rule):
  behavioral1/memory/856-70-0x0000000000400000-0x0000000000477000-memory.dmp / WebBrowserPassView
  behavioral1/memory/856-73-0x0000000000400000-0x0000000000477000-memory.dmp / WebBrowserPassView
- Nirsoft (2 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/856-70-0x0000000000400000-0x0000000000477000-memory.dmp / Nirsoft
  behavioral1/memory/856-73-0x0000000000400000-0x0000000000477000-memory.dmp / Nirsoft
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid process / target process):
  PID 2008 set thread context of 1552 / 2008 PAYMENT SWIFT COPY.pdf.exe / PAYMENT SWIFT COPY.pdf.exe
  PID 1552 set thread context of 856 / 1552 PAYMENT SWIFT COPY.pdf.exe / vbc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
  856 / vbc.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description / pid process / target process), identical rows collapsed with their count:
  PID 2008 wrote to memory of 1448 / 2008 PAYMENT SWIFT COPY.pdf.exe / schtasks.exe (4 rows)
  PID 2008 wrote to memory of 1552 / 2008 PAYMENT SWIFT COPY.pdf.exe / PAYMENT SWIFT COPY.pdf.exe (9 rows)
  PID 1552 wrote to memory of 856 / 1552 PAYMENT SWIFT COPY.pdf.exe / vbc.exe (10 rows)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.pdf.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  PID: 2008
  - Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TTchoqyHVlZPe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCA9.tmp"
    Signatures: Creates scheduled task(s)
    PID: 1448
  - Level 2: C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.pdf.exe
    Command line: "{path}"
    Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    PID: 1552
    - Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF804.tmp"
      Signatures: Suspicious behavior: EnumeratesProcesses
      PID: 856
Network
MITRE ATT&CK Enterprise v6
Downloads
- File 1
  MD5: 85fe41cbc64bdf6794ff321a686a43ed
  SHA1: 52e13dac6602aa1ce758a0ada18dedcf7b4786bd
  SHA256: 3d7a40fd166602a42659d4e5b7ff926e89da09d4a0f43a4413f6cdc5b10620e1
  SHA512: cbff1a8b9f6fb971d546bb399d8fbef8c42e3873dc52b19812005a8d7f285b76f81b7beb781011e68d78c8b1c9aa63432599b247658eea827c0c899fa45a107a
- File 2
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84