Analysis
-
max time kernel
161s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
16-05-2022 12:58
Static task
static1
Behavioral task
behavioral1
Sample
49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
Resource
win10v2004-20220414-en
General
-
Target
49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe
-
Size
1.0MB
-
MD5
a8ce97b006581f5df23ab2b23c2d0d18
-
SHA1
8f5b076487470b2ae6f8d51243315a14ded7da58
-
SHA256
49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d
-
SHA512
cd6f1c402a0ad2dd7688ed97fe67ba1374044eba85f4446f061db5a03bda5a7f597b3e73364bcc2cfe5c4affe6514cc6c5e49d14bcaba7597ba71beac44f7671
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Processes:
resource yara_rule behavioral2/memory/2024-136-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/380-139-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView -
Nirsoft 1 IoCs
Processes:
resource yara_rule behavioral2/memory/380-139-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exedescription pid process target process PID 3368 set thread context of 2024 3368 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe PID 2024 set thread context of 380 2024 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exedescription pid process Token: SeDebugPrivilege 3368 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exedescription pid process target process PID 3368 wrote to memory of 2024 3368 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe PID 3368 wrote to memory of 2024 3368 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe PID 3368 wrote to memory of 2024 3368 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe PID 3368 wrote to memory of 2024 3368 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe PID 3368 wrote to memory of 2024 3368 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe PID 3368 wrote to memory of 2024 3368 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe PID 3368 wrote to memory of 2024 3368 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe PID 3368 wrote to memory of 2024 3368 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe PID 2024 wrote to memory of 380 2024 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe vbc.exe PID 2024 wrote to memory of 380 2024 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe vbc.exe PID 2024 wrote to memory of 380 2024 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe vbc.exe PID 2024 wrote to memory of 380 2024 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe vbc.exe PID 2024 wrote to memory of 380 2024 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe vbc.exe PID 2024 wrote to memory of 380 2024 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe vbc.exe PID 2024 wrote to memory of 380 2024 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe vbc.exe PID 2024 wrote to memory of 380 2024 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe vbc.exe PID 2024 wrote to memory of 380 2024 49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe"C:\Users\Admin\AppData\Local\Temp\49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Users\Admin\AppData\Local\Temp\49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe"C:\Users\Admin\AppData\Local\Temp\49d828447e0e7fc82bc34b2ebc6c6189b218620ea1dd04050a38f7e23048f30d.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8875.tmp"3⤵PID:380