Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-06-2022 09:28
General
-
Target
ktrazuaohhbo7kc.msi
-
Size
1.0MB
-
MD5
516b891e8e0dd965e27d87552070deaf
-
SHA1
45d53c2fe685c953cf1a18e4fb9b96ab0d480682
-
SHA256
74f05574ba23c3e43d28a4d1adec713cfada1bdd01648bcbd16418a87ad91a37
-
SHA512
4a7f16a5032acc6df9e241b53c1c43798dff0b04f1e5eb8d4fb78d57ccf6916d108c903b0e9634555c1dc6cec8b947d64b27d98c28b225ae81847474037418a9
Malware Config
Extracted
hawkeye_reborn
9.0.1.6
Protocol: smtp- Host:
mail.patrogabon.com - Port:
587 - Username:
[email protected] - Password:
PyAF1VMa~s5;
fde0218e-5e9c-462f-b529-a61f688a2e66
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:PyAF1VMa~s5; _EmailPort:587 _EmailSSL:true _EmailServer:mail.patrogabon.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:fde0218e-5e9c-462f-b529-a61f688a2e66 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
M00nD3v Logger Payload 1 IoCs
Detects M00nD3v Logger payload in memory.
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
-
Nirsoft 8 IoCs
-
Executes dropped EXE 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 56 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ktrazuaohhbo7kc.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Installer\MSI8454.tmp"C:\Windows\Installer\MSI8454.tmp"2⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JvwXYWCv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp537A.tmp"3⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp80B4.tmp"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp84CC.tmp"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57969052493c6d31b40ddc2fb76f0807f
SHA1577772f56c1a2a1f2baf418ae9e206864c4df806
SHA2563f2011402ac1f72ce6a01afa3ed22ca8f69ce4337616ec122a747327330f1807
SHA5121289d25fccce9e8a77b6e685ae8858deff87d2e3dd72e8e7d1b8c5b20b3be4784deecca97faf3543d8ff0c5473383ff9034d2ed222f216f7e8a9f3a0272a8256
-
Filesize
4KB
MD5bdf65f70610625cc771c5cc7ce168c7d
SHA1a8829b1c071ed0521d11925a98468c12a53a03b8
SHA256b66236dd86f140ca02db0c296e45032b272de2895c4f047a562e73bc8395dba5
SHA512add2db50b0440b07ecc48a5fde7f0b72e84b76f11ea060944afa28ddd03791e6adb3bfca704254131fb3f591f484b37f7276fab96b0c4776a27cb526bcf5f3a4
-
Filesize
1.0MB
MD5d29982e380361445494782bd1c9b5006
SHA19f101141ad54dbad246636fd240d4b70e2d443d9
SHA2561dd929b928371a47a5bee9ae2fbf9997675d91b9e376472ab313e4d685cce42c
SHA512d90395c79ab5a88e3d2131750b4890e549d76ff97fec06dd4fb6c5e030fee5d56d474ea7d99b507064ae77eb19253f0668502e8d92201a51384f873f34d20831
-
Filesize
1.0MB
MD5d29982e380361445494782bd1c9b5006
SHA19f101141ad54dbad246636fd240d4b70e2d443d9
SHA2561dd929b928371a47a5bee9ae2fbf9997675d91b9e376472ab313e4d685cce42c
SHA512d90395c79ab5a88e3d2131750b4890e549d76ff97fec06dd4fb6c5e030fee5d56d474ea7d99b507064ae77eb19253f0668502e8d92201a51384f873f34d20831
-
Filesize
23.0MB
MD5ad0308b4c8bbd9a6caf5a549bed1d136
SHA13713e45cdc85efafc9001917cada374c92ea633f
SHA25664abb21d5a33e20d6b1127c631c564f67db50761f13b2d96f9525620210f1f2f
SHA512cbfdba90538e34d211548a1d2eb2de5ed0226cf0e6bccc1838f1b77fbe89d57ea9306d3005174eba917d416ae5e8da88c3077e90573fae4c05e21ca2de81b713
-
Filesize
5KB
MD5543fe72fc1c127cf9def02136876f544
SHA1279b87501788f081d9a5e84a25175a07681f8735
SHA25652edb6c411a94080c705750f8f6e1561946542cfee83d0ce75c5557969df2ccd
SHA5123e4c82beb43539167e3615032a7111b756d3cf02e0160d099f77c60cd2a20313e5afc76541663d793959207fc53c41f9b587627d8efc8040a1e6ee35f3ae9dbc
-
Filesize
364KB
-
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
408KB
-
Filesize
344KB
-
Filesize
584KB
-
Filesize
1.0MB
-
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
112KB
-
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
112KB
-
-
Filesize
576KB
-
-