Overview

overview

10

Static

static

1759f99b18...22.exe

windows7_x64

10

1759f99b18...22.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    125s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-06-2022 21:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe

  • Size

    1.2MB

  • MD5

    11b31d746ace8a0aa682487826a66989

  • SHA1

    2fbdd90396474cb90ab2c2917a7c351864c30b2f

  • SHA256

    1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

  • SHA512

    d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Score
10/10
hawkeye_rebornm00nd3v_loggernanocoreevasioninfostealerkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • M00nD3v Logger Payload 3 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
    "C:\Users\Admin\AppData\Local\Temp\1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe
      "C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe"
      2⤵
      • Executes dropped EXE
      PID:1532
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.vbs"
      2⤵
      • Adds Run key to start application
      PID:1376
    • C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
      "C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr" /S
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
        C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr" /S
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:832
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp98A8.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:1644
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C80.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:2016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe
    Filesize

    552KB

    MD5

    4f499ad76962f899126bbc1994865e61

    SHA1

    f0b47d86e07cdc0732e34bf26bbcb89c71322d5d

    SHA256

    d17c43247cb97dfe541e3f23fc0240d94cbf7f682b7950e0b8c8a5105495306e

    SHA512

    28d798db210ed97560a1271703553f345c035334f50c1f150924d12ff2a8e1142dbbb5aa8b3fb685daf898154056a7f6505cc89752f840c4dc8b464eec0aa5f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe
    Filesize

    552KB

    MD5

    4f499ad76962f899126bbc1994865e61

    SHA1

    f0b47d86e07cdc0732e34bf26bbcb89c71322d5d

    SHA256

    d17c43247cb97dfe541e3f23fc0240d94cbf7f682b7950e0b8c8a5105495306e

    SHA512

    28d798db210ed97560a1271703553f345c035334f50c1f150924d12ff2a8e1142dbbb5aa8b3fb685daf898154056a7f6505cc89752f840c4dc8b464eec0aa5f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
    Filesize

    1.2MB

    MD5

    11b31d746ace8a0aa682487826a66989

    SHA1

    2fbdd90396474cb90ab2c2917a7c351864c30b2f

    SHA256

    1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

    SHA512

    d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
    Filesize

    1.2MB

    MD5

    11b31d746ace8a0aa682487826a66989

    SHA1

    2fbdd90396474cb90ab2c2917a7c351864c30b2f

    SHA256

    1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

    SHA512

    d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
    Filesize

    1.2MB

    MD5

    11b31d746ace8a0aa682487826a66989

    SHA1

    2fbdd90396474cb90ab2c2917a7c351864c30b2f

    SHA256

    1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

    SHA512

    d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.vbs
    Filesize

    1024B

    MD5

    315c21d8d5a53bd1bb3aac14f2a45ef1

    SHA1

    b8d57d57a867055deda56e9c77ad1faf4aa96d9b

    SHA256

    ab70cc3058e7739d9a9f594b5debccabf3f6fbe62933c89f0cab7539757ce58c

    SHA512

    d94ce0cd65116cf7af2675ac6a6943d5aca6e9e7d91231d323a5fbed14d0fd349beeec84d651f12bd1a12c3778e4fc35fe95a8185d6bb22f25114812a30b70a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp98A8.tmp
    Filesize

    1KB

    MD5

    86d958ad87d58d41c1ce56c412dd81b1

    SHA1

    a8dd3abe055b7ce28c3e3c8c6de9cbea08b832bf

    SHA256

    0aa4236b808d86158cb993b8b1e125704fd66c123eae467da415bfcd6d94f7a1

    SHA512

    857bd01e7888e1dbb01cce7b97be3227baf45d43ad6c554d58a867ace6f0c0bf984aaf46dd8b986bd0bcef4f3e29cba29e11ea0fc30cfe1904a849309d9ccd19

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9C80.tmp
    Filesize

    1KB

    MD5

    afb71a33ece3758f782f052bbe5da94f

    SHA1

    e69b9070ff52f81fdf01a40f775d021e4b4e71e4

    SHA256

    abd73bfca8458750ee751d4c6c106d54dcf0969592f476acc64ab0d7f2bb1978

    SHA512

    22c45992ca358ca9d4605ac426b65903b11b27db1b9c608739245dc412aa256d0908566626b3cfdafb32fca0809bf46c8824ab98cea7b7662216c915e6ef013f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\harry stub (1).exe
    Filesize

    552KB

    MD5

    4f499ad76962f899126bbc1994865e61

    SHA1

    f0b47d86e07cdc0732e34bf26bbcb89c71322d5d

    SHA256

    d17c43247cb97dfe541e3f23fc0240d94cbf7f682b7950e0b8c8a5105495306e

    SHA512

    28d798db210ed97560a1271703553f345c035334f50c1f150924d12ff2a8e1142dbbb5aa8b3fb685daf898154056a7f6505cc89752f840c4dc8b464eec0aa5f0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
    Filesize

    1.2MB

    MD5

    11b31d746ace8a0aa682487826a66989

    SHA1

    2fbdd90396474cb90ab2c2917a7c351864c30b2f

    SHA256

    1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

    SHA512

    d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

    Download Submit

  • \Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
    Filesize

    1.2MB

    MD5

    11b31d746ace8a0aa682487826a66989

    SHA1

    2fbdd90396474cb90ab2c2917a7c351864c30b2f

    SHA256

    1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

    SHA512

    d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

    Download Submit

  • \Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
    Filesize

    1.2MB

    MD5

    11b31d746ace8a0aa682487826a66989

    SHA1

    2fbdd90396474cb90ab2c2917a7c351864c30b2f

    SHA256

    1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

    SHA512

    d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

    Download Submit

  • memory/612-79-0x00000000776B0000-0x0000000077830000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/612-81-0x00000000776B0000-0x0000000077830000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/832-87-0x00000000776B0000-0x0000000077830000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/832-97-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/832-96-0x00000000776B0000-0x0000000077830000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/832-90-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/832-89-0x0000000008860000-0x0000000009358000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/832-95-0x00000000776B0000-0x0000000077830000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/832-88-0x00000000776B0000-0x0000000077830000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/832-85-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1240-56-0x0000000000250000-0x0000000000256000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1240-57-0x00000000753E1000-0x00000000753E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1240-70-0x00000000776B0000-0x0000000077830000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1240-58-0x00000000776B0000-0x0000000077830000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1532-83-0x00000000743D0000-0x000000007497B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1532-75-0x00000000743D0000-0x000000007497B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1532-74-0x00000000743D0000-0x000000007497B000-memory.dmp

    Filesize

    5.7MB

    Download