Analysis
-
max time kernel
35s -
max time network
74s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 03:32
General
-
Target
new order.exe
-
Size
652KB
-
MD5
f7c7f0a5013e02a835742f2ebe1720ea
-
SHA1
ac3a7698bac99d8e008c63c55077f418d4e65c1f
-
SHA256
73878e34b785ba5dd951e4af104d6f68416b07f487584a1963c5b63913615eb3
-
SHA512
d80bd0eade50e693b306a71a0542a3f8e01466f7ba4fcc09b3dc0d6cc4611c14d5e662b1ec94b7e3742f41ca164a8bd6f575e2fbfa44a527181f9adc82d347ae
Malware Config
Extracted
hawkeye_reborn
10.1.2.2
Protocol: smtp- Host:
bernini.hosting-mexico.net - Port:
26 - Username:
[email protected] - Password:
cs50@pass1
c3146bd4-fb85-4a81-9b90-72b32426f59a
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:cs50@pass1 _EmailPort:26 _EmailSSL:true _EmailServer:bernini.hosting-mexico.net _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:c3146bd4-fb85-4a81-9b90-72b32426f59a _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
CoreCCC Packer 1 IoCs
Detects CoreCCC packer used to load .NET malware.
-
M00nD3v Logger Payload 6 IoCs
Detects M00nD3v Logger payload in memory.
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\new order.exe"C:\Users\Admin\AppData\Local\Temp\new order.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RaxvLIufoL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73AB.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\new order.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d3bb19d376a72808a7c785c5dcffcebc
SHA1711300b6aca92f38dad64207c1abd935871fd82c
SHA256f05e0ec7441cc2b206d3ef81a853932d6f23925ba908e2a34d3dfaade183b46b
SHA51200988d097f3abdea238cb974aea3f43c87b139c7d702a8be00d504a390d2613b740d3788b2fdbdaecef38c891eb61fe949dd8c417966f09ca7e3c8d3e66ac9b0
-
Filesize
680KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
600KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
24KB
-
Filesize
68KB