Analysis
-
max time kernel
188s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
28-05-2022 04:55
General
-
Target
RFQ for Supply of Pipe FittingsValves for Al-Zour Refinery (KIPIC).exe
-
Size
1.7MB
-
MD5
e018a68c40d9f97e7c0a2e922b661acd
-
SHA1
e4fa8d11849cd1d6611efe3fdfb1261ec0824ed3
-
SHA256
8b3b885a96e02bc4d3147259d56232859bc61086621d14a9ad0d4f40bd392756
-
SHA512
a2d09ed2da4c4e6ad7f0f3126d5a933e5b1df7bf276aac9418292c0a6b92b83e46961df67550ad15143318189b3adfda3d6914394ba2f06cb610587d031c17b3
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 9 IoCs
Detects M00nD3v Logger payload in memory.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 9 IoCs
Password recovery tool for various web browsers
-
Nirsoft 10 IoCs
-
Executes dropped EXE 2 IoCs
-
Drops startup file 3 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ for Supply of Pipe FittingsValves for Al-Zour Refinery (KIPIC).exe"C:\Users\Admin\AppData\Local\Temp\RFQ for Supply of Pipe FittingsValves for Al-Zour Refinery (KIPIC).exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /query2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /sc MINUTE /tn RDojti /MO 1 /tr "C:\Users\Admin\anytin\anytin.exe\2⤵
- Creates scheduled task(s)
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF410.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA20B.tmp"3⤵
- Accesses Microsoft Outlook accounts
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {A8D6C60E-BCE4-4973-82C6-282D8302DF13} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\anytin\anytin.exeC:\Users\Admin\anytin\anytin.exe "C:\Users\Admin\anytin\anytin.exe\"2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /query3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2D77.tmp"4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\anytin\anytin.exeC:\Users\Admin\anytin\anytin.exe "C:\Users\Admin\anytin\anytin.exe\"2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /query3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1594.tmp"4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
66B
MD52277309355e8d81e58a2fbd1ba03fe43
SHA12bdcc45d15e7ab0b1394d6eb533490e1f5ce60cb
SHA256ed17e49ecb0ccde0d740b3b5af40ef90f0a900796e4310afb1dfbf1a42b23635
SHA512a3b7b937ffab3c80ca863efb3e7993656ea58f4aad4ded32e0ef1d699a2fcad6c2f383216482fb9205bf30ed36c71a659b18cb11b0480b3b7bfb7da448ab074c
-
Filesize
66B
MD52277309355e8d81e58a2fbd1ba03fe43
SHA12bdcc45d15e7ab0b1394d6eb533490e1f5ce60cb
SHA256ed17e49ecb0ccde0d740b3b5af40ef90f0a900796e4310afb1dfbf1a42b23635
SHA512a3b7b937ffab3c80ca863efb3e7993656ea58f4aad4ded32e0ef1d699a2fcad6c2f383216482fb9205bf30ed36c71a659b18cb11b0480b3b7bfb7da448ab074c
-
Filesize
1.7MB
MD5e018a68c40d9f97e7c0a2e922b661acd
SHA1e4fa8d11849cd1d6611efe3fdfb1261ec0824ed3
SHA2568b3b885a96e02bc4d3147259d56232859bc61086621d14a9ad0d4f40bd392756
SHA512a2d09ed2da4c4e6ad7f0f3126d5a933e5b1df7bf276aac9418292c0a6b92b83e46961df67550ad15143318189b3adfda3d6914394ba2f06cb610587d031c17b3
-
Filesize
1.7MB
MD5e018a68c40d9f97e7c0a2e922b661acd
SHA1e4fa8d11849cd1d6611efe3fdfb1261ec0824ed3
SHA2568b3b885a96e02bc4d3147259d56232859bc61086621d14a9ad0d4f40bd392756
SHA512a2d09ed2da4c4e6ad7f0f3126d5a933e5b1df7bf276aac9418292c0a6b92b83e46961df67550ad15143318189b3adfda3d6914394ba2f06cb610587d031c17b3
-
Filesize
1.7MB
MD5e018a68c40d9f97e7c0a2e922b661acd
SHA1e4fa8d11849cd1d6611efe3fdfb1261ec0824ed3
SHA2568b3b885a96e02bc4d3147259d56232859bc61086621d14a9ad0d4f40bd392756
SHA512a2d09ed2da4c4e6ad7f0f3126d5a933e5b1df7bf276aac9418292c0a6b92b83e46961df67550ad15143318189b3adfda3d6914394ba2f06cb610587d031c17b3
-
Filesize
5.7MB
-
Filesize
7.6MB
-
Filesize
11.9MB
-
Filesize
1.6MB
-
Filesize
1.0MB
-
Filesize
1.6MB
-
Filesize
11.9MB
-
Filesize
1.5MB
-
Filesize
7.6MB
-
Filesize
11.0MB
-
Filesize
5.7MB
-
Filesize
11.0MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
19.6MB
-
Filesize
48KB
-
Filesize
576KB
-
Filesize
1.7MB
-
Filesize
7.2MB
-
Filesize
13.1MB
-
Filesize
1008KB
-
Filesize
1.8MB
-
Filesize
7.9MB
-
Filesize
19.6MB
-
Filesize
616KB
-
Filesize
10.1MB
-
Filesize
1.6MB
-
Filesize
8KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
11.0MB
-
Filesize
5.7MB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
1.5MB
-
Filesize
11.9MB
-
Filesize
1.0MB
-
Filesize
11.0MB
-
Filesize
5.7MB
-
Filesize
7.6MB
-
Filesize
1.6MB
-
Filesize
1.0MB
-
Filesize
7.2MB
-
Filesize
19.6MB
-
Filesize
1.6MB
-
Filesize
1.8MB
-
Filesize
7.9MB
-
Filesize
10.1MB
-
Filesize
1008KB
-
Filesize
13.1MB
-
Filesize
19.6MB
-
Filesize
13.1MB
-
Filesize
10.1MB
-
Filesize
1.6MB
-
Filesize
5.7MB
-
Filesize
10.1MB
-
Filesize
1.7MB
-
Filesize
19.6MB
-
Filesize
1.6MB
-
Filesize
1008KB
-
Filesize
7.2MB
-
Filesize
7.9MB
-
Filesize
13.1MB
-
Filesize
13.1MB
-
Filesize
1.6MB
-
Filesize
19.6MB
-
Filesize
1.8MB
-
Filesize
10.1MB
-
Filesize
8KB