Analysis
- max time kernel: 120s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-06-2022 16:01
Static task: static1
Behavioral task: behavioral1
- Sample: 18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe
- Resource: win10v2004-20220414-en
General
- Target: 18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe
- Size: 780KB
- MD5: 019a382b39aab63505bc3a03b46a91c3
- SHA1: 589989f06ac303cc88d1dc3f5478976894aa7ed3
- SHA256: 18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c
- SHA512: b529266464fdfe08525ceaea14717be400f8ad070e95ca6abe59bdcedac090dbb945174310a7c7416c4ddc9a45dac5c82415eef65eee12eb9711c4f85854ad4a
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  Processes (resource | yara_rule):
    behavioral2/memory/3556-141-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
- NirSoft MailPassView (3 IoCs)
  Password recovery tool for various email clients
  Processes (resource | yara_rule):
    behavioral2/memory/4772-152-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
    behavioral2/memory/4772-154-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
    behavioral2/memory/4772-155-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  Processes (resource | yara_rule):
    behavioral2/memory/3136-146-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
    behavioral2/memory/3136-148-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
    behavioral2/memory/3136-149-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
- Nirsoft (6 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/3136-146-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
    behavioral2/memory/3136-148-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
    behavioral2/memory/3136-149-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
    behavioral2/memory/4772-152-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
    behavioral2/memory/4772-154-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
    behavioral2/memory/4772-155-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    100 | AdobeAcrobat18.exe
    3556 | AdobeAcrobat18.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe
- Uses the VBS compiler for execution (1 TTPs)
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Acrobat 18 = "C:\\Users\\Admin\\AppData\\Local\\AdobeAcrobat18.exe -boot" | AdobeAcrobat18.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
    PID 100 set thread context of 3556 | 100 | AdobeAcrobat18.exe | AdobeAcrobat18.exe
    PID 3556 set thread context of 3136 | 3556 | AdobeAcrobat18.exe | vbc.exe
    PID 3556 set thread context of 4772 | 3556 | AdobeAcrobat18.exe | vbc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process), identical rows collapsed with a count:
    3136 | vbc.exe (x12)
    3556 | AdobeAcrobat18.exe (x2)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1684 | 18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe
    Token: SeDebugPrivilege | 100 | AdobeAcrobat18.exe
    Token: SeDebugPrivilege | 3556 | AdobeAcrobat18.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
    3556 | AdobeAcrobat18.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes (description | pid | process | target process), identical rows collapsed with a count:
    PID 1684 wrote to memory of 1712 | 1684 | 18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe | cmd.exe (x3)
    PID 1684 wrote to memory of 2340 | 1684 | 18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe | explorer.exe (x3)
    PID 2036 wrote to memory of 100 | 2036 | explorer.exe | AdobeAcrobat18.exe (x3)
    PID 100 wrote to memory of 3556 | 100 | AdobeAcrobat18.exe | AdobeAcrobat18.exe (x8)
    PID 3556 wrote to memory of 3136 | 3556 | AdobeAcrobat18.exe | vbc.exe (x9)
    PID 3556 wrote to memory of 4772 | 3556 | AdobeAcrobat18.exe | vbc.exe (x9)
Processes (tree depth in brackets; signatures triggered by each process listed beneath it)
- [1] C:\Users\Admin\AppData\Local\Temp\18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe" "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
  - [2] C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
- [1] C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe
    Command line: "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe
      Command line: "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp"
        - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB43D.tmp"
        - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe
  Filesize: 780KB
  MD5: 019a382b39aab63505bc3a03b46a91c3
  SHA1: 589989f06ac303cc88d1dc3f5478976894aa7ed3
  SHA256: 18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c
  SHA512: b529266464fdfe08525ceaea14717be400f8ad070e95ca6abe59bdcedac090dbb945174310a7c7416c4ddc9a45dac5c82415eef65eee12eb9711c4f85854ad4a
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdobeAcrobat18.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp
  Filesize: 4KB
  MD5: bdf65f70610625cc771c5cc7ce168c7d
  SHA1: a8829b1c071ed0521d11925a98468c12a53a03b8
  SHA256: b66236dd86f140ca02db0c296e45032b272de2895c4f047a562e73bc8395dba5
  SHA512: add2db50b0440b07ecc48a5fde7f0b72e84b76f11ea060944afa28ddd03791e6adb3bfca704254131fb3f591f484b37f7276fab96b0c4776a27cb526bcf5f3a4
- memory/100-137-0x0000000000000000-mapping.dmp
- memory/100-139-0x0000000004E90000-0x0000000004F2C000-memory.dmp
  Filesize: 624KB
- memory/1684-133-0x00000000075C0000-0x00000000075CA000-memory.dmp
  Filesize: 40KB
- memory/1684-130-0x0000000000190000-0x000000000025C000-memory.dmp
  Filesize: 816KB
- memory/1684-132-0x00000000074F0000-0x0000000007582000-memory.dmp
  Filesize: 584KB
- memory/1684-131-0x0000000007A00000-0x0000000007FA4000-memory.dmp
  Filesize: 5.6MB
- memory/1712-134-0x0000000000000000-mapping.dmp
- memory/2340-135-0x0000000000000000-mapping.dmp
- memory/3136-145-0x0000000000000000-mapping.dmp
- memory/3136-146-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
- memory/3136-148-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
- memory/3136-149-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
- memory/3556-141-0x0000000000400000-0x0000000000490000-memory.dmp
  Filesize: 576KB
- memory/3556-140-0x0000000000000000-mapping.dmp
- memory/3556-144-0x00000000053E0000-0x0000000005446000-memory.dmp
  Filesize: 408KB
- memory/4772-155-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/4772-151-0x0000000000000000-mapping.dmp
- memory/4772-152-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/4772-154-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB