Analysis
-
max time kernel
41s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 11:49
Static task
static1
Behavioral task
behavioral1
Sample
Payment advance dt05-05-20.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Payment advance dt05-05-20.exe
Resource
win10v2004-20220414-en
General
-
Target
Payment advance dt05-05-20.exe
-
Size
869KB
-
MD5
404d962ed65c45090d72af16d3687dd4
-
SHA1
606c2107cef6b6b8299d7e4646a4120ae7875b10
-
SHA256
4956815155a6d0bd7982592e7e45cfd19be020f92c26e6077051f86a64b77578
-
SHA512
4de06a947f646f4518dd5e12214ed5ccea551916d6c54d5eea844cbf8a8337872a41fd705718d973e695d0536b227738bdef168ae2e7bcce65c03f05999b0057
Malware Config
Extracted
hawkeye_reborn
10.1.2.2
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
tsnewdawn2018
18fb0183-a312-4c1a-9aa0-f10270aac54e
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:tsnewdawn2018 _EmailPort:587 _EmailSSL:true _EmailServer:smtp.gmail.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:18fb0183-a312-4c1a-9aa0-f10270aac54e _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Processes:
resource yara_rule behavioral1/memory/1432-61-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1432-62-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1432-63-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1432-64-0x000000000048A1DE-mapping.dmp m00nd3v_logger behavioral1/memory/1432-66-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1432-68-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Payment advance dt05-05-20.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment advance dt05-05-20.exe Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment advance dt05-05-20.exe Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment advance dt05-05-20.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Payment advance dt05-05-20.exedescription pid process target process PID 2024 set thread context of 1432 2024 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
Payment advance dt05-05-20.exePayment advance dt05-05-20.exepid process 2024 Payment advance dt05-05-20.exe 2024 Payment advance dt05-05-20.exe 2024 Payment advance dt05-05-20.exe 1432 Payment advance dt05-05-20.exe 1432 Payment advance dt05-05-20.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Payment advance dt05-05-20.exePayment advance dt05-05-20.exedescription pid process Token: SeDebugPrivilege 2024 Payment advance dt05-05-20.exe Token: SeDebugPrivilege 1432 Payment advance dt05-05-20.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
Payment advance dt05-05-20.exedescription pid process target process PID 2024 wrote to memory of 1896 2024 Payment advance dt05-05-20.exe schtasks.exe PID 2024 wrote to memory of 1896 2024 Payment advance dt05-05-20.exe schtasks.exe PID 2024 wrote to memory of 1896 2024 Payment advance dt05-05-20.exe schtasks.exe PID 2024 wrote to memory of 1896 2024 Payment advance dt05-05-20.exe schtasks.exe PID 2024 wrote to memory of 1432 2024 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2024 wrote to memory of 1432 2024 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2024 wrote to memory of 1432 2024 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2024 wrote to memory of 1432 2024 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2024 wrote to memory of 1432 2024 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2024 wrote to memory of 1432 2024 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2024 wrote to memory of 1432 2024 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2024 wrote to memory of 1432 2024 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2024 wrote to memory of 1432 2024 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe -
outlook_office_path 1 IoCs
Processes:
Payment advance dt05-05-20.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment advance dt05-05-20.exe -
outlook_win_path 1 IoCs
Processes:
Payment advance dt05-05-20.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment advance dt05-05-20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment advance dt05-05-20.exe"C:\Users\Admin\AppData\Local\Temp\Payment advance dt05-05-20.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NZXAXapOv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp24B1.tmp"2⤵
- Creates scheduled task(s)
PID:1896 -
C:\Users\Admin\AppData\Local\Temp\Payment advance dt05-05-20.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1432
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51a503bdddf4fc41454cab32aeac8e316
SHA105fbb6220606ef799f16f646a20497728f5116e7
SHA256f1e166bc0bb9c53012e60f9ea3c15db2e58c04ef9e43986faa0de9d63b382f17
SHA51297f7ecea8b227789ec42efea0b2247afa2d3ff30f27590b11d92321d18165662fc327c8eb166de8b241acab3361e33a94e96c37ad476a46b5a615bbd69106a9a