Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08/06/2022, 21:16 UTC

General

  • Target

    1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe

  • Size

    1.2MB

  • MD5

    11b31d746ace8a0aa682487826a66989

  • SHA1

    2fbdd90396474cb90ab2c2917a7c351864c30b2f

  • SHA256

    1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

  • SHA512

    d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • M00nD3v Logger Payload 2 IoCs

    Detects M00nD3v Logger payload in memory.

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
    "C:\Users\Admin\AppData\Local\Temp\1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe
      "C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe"
      2⤵
      • Executes dropped EXE
      PID:1972
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.vbs"
      2⤵
      • Adds Run key to start application
      PID:5104
    • C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
      "C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr" /S
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
        C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr" /S
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6B29.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:4044
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6F50.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:4376

Network

  • DNS (harry stub (1).exe), remote address 8.8.8.8:53
    Request: bot.whatismyipaddress.com IN A
    Response
  • 51.104.15.253:443, 322 B, 7
  • 104.110.191.140:80, 322 B, 7
  • 104.110.191.133:80, 322 B, 7
  • 104.110.191.140:80, 322 B, 7
  • 103.200.5.107:2050 (taskhostmgr.scr), 208 B, 4
  • 103.200.5.107:2050 (taskhostmgr.scr), 208 B, 4
  • 103.200.5.107:2050 (taskhostmgr.scr), 208 B, 4
  • 8.8.8.8:53 (dns, harry stub (1).exe), 71 B, 130 B, 1, 1
    DNS Request: bot.whatismyipaddress.com

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe

    Filesize

    552KB

    MD5

    4f499ad76962f899126bbc1994865e61

    SHA1

    f0b47d86e07cdc0732e34bf26bbcb89c71322d5d

    SHA256

    d17c43247cb97dfe541e3f23fc0240d94cbf7f682b7950e0b8c8a5105495306e

    SHA512

    28d798db210ed97560a1271703553f345c035334f50c1f150924d12ff2a8e1142dbbb5aa8b3fb685daf898154056a7f6505cc89752f840c4dc8b464eec0aa5f0

  • C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr

    Filesize

    1.2MB

    MD5

    11b31d746ace8a0aa682487826a66989

    SHA1

    2fbdd90396474cb90ab2c2917a7c351864c30b2f

    SHA256

    1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

    SHA512

    d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

  • C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.vbs

    Filesize

    1024B

    MD5

    315c21d8d5a53bd1bb3aac14f2a45ef1

    SHA1

    b8d57d57a867055deda56e9c77ad1faf4aa96d9b

    SHA256

    ab70cc3058e7739d9a9f594b5debccabf3f6fbe62933c89f0cab7539757ce58c

    SHA512

    d94ce0cd65116cf7af2675ac6a6943d5aca6e9e7d91231d323a5fbed14d0fd349beeec84d651f12bd1a12c3778e4fc35fe95a8185d6bb22f25114812a30b70a2

  • C:\Users\Admin\AppData\Local\Temp\tmp6B29.tmp

    Filesize

    1KB

    MD5

    86d958ad87d58d41c1ce56c412dd81b1

    SHA1

    a8dd3abe055b7ce28c3e3c8c6de9cbea08b832bf

    SHA256

    0aa4236b808d86158cb993b8b1e125704fd66c123eae467da415bfcd6d94f7a1

    SHA512

    857bd01e7888e1dbb01cce7b97be3227baf45d43ad6c554d58a867ace6f0c0bf984aaf46dd8b986bd0bcef4f3e29cba29e11ea0fc30cfe1904a849309d9ccd19

  • C:\Users\Admin\AppData\Local\Temp\tmp6F50.tmp

    Filesize

    1KB

    MD5

    21de6c3a6440d917bdbb4b491191d9b2

    SHA1

    c63c300affe7147910dc4544d2d5f3029bf321a6

    SHA256

    23af17733a3882cdd82a5bbc321d896b2430dc1bb4b4ac034d129cde5027afc4

    SHA512

    dcd1c464ed36593b990e072940ab415804ef8076743015fff4939211e30e436beb7ce6af3072769abe0214f737cedb210d2b45e6e90da20dac54c3945b11575f

  • memory/1708-149-0x0000000077D20000-0x0000000077EC3000-memory.dmp

    Filesize

    1.6MB

  • memory/1972-146-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

  • memory/1972-150-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

  • memory/1972-145-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

  • memory/2840-155-0x0000000075390000-0x0000000075941000-memory.dmp

    Filesize

    5.7MB

  • memory/2840-161-0x0000000075390000-0x0000000075941000-memory.dmp

    Filesize

    5.7MB

  • memory/2840-151-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/2840-153-0x0000000077D20000-0x0000000077EC3000-memory.dmp

    Filesize

    1.6MB

  • memory/2840-154-0x0000000077D20000-0x0000000077EC3000-memory.dmp

    Filesize

    1.6MB

  • memory/2840-160-0x0000000077D20000-0x0000000077EC3000-memory.dmp

    Filesize

    1.6MB

  • memory/3920-140-0x0000000077D20000-0x0000000077EC3000-memory.dmp

    Filesize

    1.6MB

  • memory/3920-132-0x0000000002300000-0x0000000002306000-memory.dmp

    Filesize

    24KB

  • memory/3920-133-0x0000000077D20000-0x0000000077EC3000-memory.dmp

    Filesize

    1.6MB
