Analysis
-
max time kernel
159s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 11:49
Static task
static1
Behavioral task
behavioral1
Sample
Payment advance dt05-05-20.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Payment advance dt05-05-20.exe
Resource
win10v2004-20220414-en
General
-
Target
Payment advance dt05-05-20.exe
-
Size
869KB
-
MD5
404d962ed65c45090d72af16d3687dd4
-
SHA1
606c2107cef6b6b8299d7e4646a4120ae7875b10
-
SHA256
4956815155a6d0bd7982592e7e45cfd19be020f92c26e6077051f86a64b77578
-
SHA512
4de06a947f646f4518dd5e12214ed5ccea551916d6c54d5eea844cbf8a8337872a41fd705718d973e695d0536b227738bdef168ae2e7bcce65c03f05999b0057
Malware Config
Extracted
hawkeye_reborn
10.1.2.2
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
tsnewdawn2018
18fb0183-a312-4c1a-9aa0-f10270aac54e
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:tsnewdawn2018 _EmailPort:587 _EmailSSL:true _EmailServer:smtp.gmail.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:18fb0183-a312-4c1a-9aa0-f10270aac54e _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Processes:
resource yara_rule behavioral2/memory/3768-134-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Payment advance dt05-05-20.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation Payment advance dt05-05-20.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Payment advance dt05-05-20.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment advance dt05-05-20.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment advance dt05-05-20.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment advance dt05-05-20.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 27 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Payment advance dt05-05-20.exedescription pid process target process PID 2920 set thread context of 3768 2920 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
Payment advance dt05-05-20.exePayment advance dt05-05-20.exepid process 2920 Payment advance dt05-05-20.exe 2920 Payment advance dt05-05-20.exe 2920 Payment advance dt05-05-20.exe 2920 Payment advance dt05-05-20.exe 3768 Payment advance dt05-05-20.exe 3768 Payment advance dt05-05-20.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Payment advance dt05-05-20.exePayment advance dt05-05-20.exedescription pid process Token: SeDebugPrivilege 2920 Payment advance dt05-05-20.exe Token: SeDebugPrivilege 3768 Payment advance dt05-05-20.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Payment advance dt05-05-20.exedescription pid process target process PID 2920 wrote to memory of 4340 2920 Payment advance dt05-05-20.exe schtasks.exe PID 2920 wrote to memory of 4340 2920 Payment advance dt05-05-20.exe schtasks.exe PID 2920 wrote to memory of 4340 2920 Payment advance dt05-05-20.exe schtasks.exe PID 2920 wrote to memory of 3768 2920 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2920 wrote to memory of 3768 2920 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2920 wrote to memory of 3768 2920 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2920 wrote to memory of 3768 2920 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2920 wrote to memory of 3768 2920 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2920 wrote to memory of 3768 2920 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2920 wrote to memory of 3768 2920 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe PID 2920 wrote to memory of 3768 2920 Payment advance dt05-05-20.exe Payment advance dt05-05-20.exe -
outlook_office_path 1 IoCs
Processes:
Payment advance dt05-05-20.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment advance dt05-05-20.exe -
outlook_win_path 1 IoCs
Processes:
Payment advance dt05-05-20.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment advance dt05-05-20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment advance dt05-05-20.exe"C:\Users\Admin\AppData\Local\Temp\Payment advance dt05-05-20.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NZXAXapOv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2192.tmp"2⤵
- Creates scheduled task(s)
PID:4340 -
C:\Users\Admin\AppData\Local\Temp\Payment advance dt05-05-20.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3768
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5382ddc7d4dbd6cff435d8de1c421d973
SHA1e037517fa2a216f7a1e9444d8318199786f56ad2
SHA2567ba62856bb5a524b5472eaab12d02944c6a7bb6cd20c2f8bcb927cec69db5a42
SHA512e323c4dd52c8a31ce5f464dd0211ee380666c0fe8c71ed3950ca06f8848153de8e97a702fc8d24db7e9ef3967c9fbf325ed96bbf0cab4703d8d3500e1cdb363a