Analysis
-
max time kernel
24s -
max time network
73s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
05-02-2022 18:35
Static task
static1
Behavioral task
behavioral1
Sample
Receipt_01000002097_04292020.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Receipt_01000002097_04292020.exe
Resource
win10v2004-en-20220113
General
-
Target
Receipt_01000002097_04292020.exe
-
Size
656KB
-
MD5
b0663cf3327d48337e5766a947d21417
-
SHA1
f74d145cf40f6ebc6fe0c5ad6082c3ea86942c98
-
SHA256
f17b34a25b38f624ce1dc8c5f36cefbf3a989b77714f4c566c085c56f03c8fbb
-
SHA512
bab2ff206d991f2b8a9f9e4f5d07c1f95fe3aed2eda2bf807d05db3e18ddcb76fef3cc4c0e4a02641848145edba89d81e972f69caeee3b8a7867c2847ea98e83
Malware Config
Extracted
hawkeye_reborn
10.1.2.2
Protocol: ftp- Host:
ftp.airbiast.com - Port:
21 - Username:
[email protected] - Password:
playboy123#
40f2c4d7-d616-43ae-974d-93b4bdc7e04d
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:playboy123# _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.airbiast.com _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:43800 _MeltFile:false _Mutex:40f2c4d7-d616-43ae-974d-93b4bdc7e04d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 1 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral2/memory/1892-138-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Receipt_01000002097_04292020.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation Receipt_01000002097_04292020.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Receipt_01000002097_04292020.exedescription pid process target process PID 2348 set thread context of 1892 2348 Receipt_01000002097_04292020.exe Receipt_01000002097_04292020.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Receipt_01000002097_04292020.exepid process 2348 Receipt_01000002097_04292020.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Receipt_01000002097_04292020.exedescription pid process Token: SeDebugPrivilege 2348 Receipt_01000002097_04292020.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Receipt_01000002097_04292020.exedescription pid process target process PID 2348 wrote to memory of 4772 2348 Receipt_01000002097_04292020.exe schtasks.exe PID 2348 wrote to memory of 4772 2348 Receipt_01000002097_04292020.exe schtasks.exe PID 2348 wrote to memory of 4772 2348 Receipt_01000002097_04292020.exe schtasks.exe PID 2348 wrote to memory of 1892 2348 Receipt_01000002097_04292020.exe Receipt_01000002097_04292020.exe PID 2348 wrote to memory of 1892 2348 Receipt_01000002097_04292020.exe Receipt_01000002097_04292020.exe PID 2348 wrote to memory of 1892 2348 Receipt_01000002097_04292020.exe Receipt_01000002097_04292020.exe PID 2348 wrote to memory of 1892 2348 Receipt_01000002097_04292020.exe Receipt_01000002097_04292020.exe PID 2348 wrote to memory of 1892 2348 Receipt_01000002097_04292020.exe Receipt_01000002097_04292020.exe PID 2348 wrote to memory of 1892 2348 Receipt_01000002097_04292020.exe Receipt_01000002097_04292020.exe PID 2348 wrote to memory of 1892 2348 Receipt_01000002097_04292020.exe Receipt_01000002097_04292020.exe PID 2348 wrote to memory of 1892 2348 Receipt_01000002097_04292020.exe Receipt_01000002097_04292020.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Receipt_01000002097_04292020.exe"C:\Users\Admin\AppData\Local\Temp\Receipt_01000002097_04292020.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UIPykxfugaVz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8819.tmp"2⤵
- Creates scheduled task(s)
PID:4772 -
C:\Users\Admin\AppData\Local\Temp\Receipt_01000002097_04292020.exe"{path}"2⤵PID:1892
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
a16292181d69aa397f0e4e6f3c5219f8
SHA1224b3dd94c906f641b3f64ab46f04c74cdb4afeb
SHA2562e7a86b3061fb50945e2c1c41e8ba60ec7304ad973ae5fb7a18fc558313ee87c
SHA51242e2cea4763e24d60bd6e043ab61e8b3a1b04816048a1284c9ac16604452920a708a7bde6c78619c23511ba0e13d42be5b1cb1e75a2e00ff6c49bf21042b0975