Analysis

  • max time kernel
    121s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-06-2022 16:50

General

  • Target

    39f9b4647bb119e34deeff137af960448be14dd80f0443270739c02d450b8ecf.msi

  • Size

    2.3MB

  • MD5

    c5d5542f35dff3d7f92dbc4c6a0ec56c

  • SHA1

    6c37078b59c85448605ee96888ac00cb0b5f0654

  • SHA256

    39f9b4647bb119e34deeff137af960448be14dd80f0443270739c02d450b8ecf

  • SHA512

    110ddbdb35e2319f2d1939b40e0e950f129d46b51b985c56edb8e23c8e5ee29f76a03ea6ab5001f6a697aa94769856d74145f3b8f6122ea9f09d68db45120efa

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Mutex

ca8b7835-2ac0-4a33-a17c-532dfc1a88cf

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:3 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:ca8b7835-2ac0-4a33-a17c-532dfc1a88cf _PanelSecret:c9c9179f-8536-c2ed-1aa7-87bff231f0ce _PanelURL:http://patrogabon.com/jayjayman2 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
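The fields value above is the sandbox's Go-style map[...] rendering of the extracted config. The Python below is an added example, not part of this report or of any HawkEye tooling: it parses that rendering (the value after _PanelURL: contains colons, so a naive split on ':' breaks) and reduces it to what an analyst acts on: active modules, persistence and anti-analysis flags, the panel host and the mutex. RAW_FIELDS is the fields value copied from this report; the meaning of numeric codes such as _Delivery:3 or the units of _ExecutionDelay are not decoded here.

```python
import re
from urllib.parse import urlparse

# The "fields" value of this report, copied verbatim (Go map[] rendering).
RAW_FIELDS = (
    "map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false "
    "_ClipboardLogger:true _Delivery:3 _DisableCommandPrompt:false "
    "_DisableRegEdit:false _DisableTaskManager:false _Disablers:false "
    "_EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false "
    "_FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false "
    "_HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false "
    "_InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 "
    "_MeltFile:false _Mutex:ca8b7835-2ac0-4a33-a17c-532dfc1a88cf "
    "_PanelSecret:c9c9179f-8536-c2ed-1aa7-87bff231f0ce "
    "_PanelURL:http://patrogabon.com/jayjayman2 _PasswordStealer:true "
    "_ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false "
    "_SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false "
    "_WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]"
)

# A pair is "_Key:value" where the value runs up to the next " _Key:" or the end.
# Splitting on ':' would not work because the panel URL itself contains ':'.
_PAIR = re.compile(r"(_\w+):(.*?)(?= _\w+:|$)")

# Config keys whose true value means an active collection module.
MODULES = ("ClipboardLogger", "KeyStrokeLogger", "PasswordStealer",
           "ScreenshotLogger", "WebCamLogger", "SystemInfo")


def _coerce(value):
    """true/false -> bool, plain integers -> int, everything else (URL, GUIDs, 9.0.1.6) -> str."""
    if value == "true":
        return True
    if value == "false":
        return False
    if value.isdigit():
        return int(value)
    return value


def parse_fields(raw):
    """Parse the map[...] rendering into a dict keyed by the field name without its leading underscore."""
    body = raw.strip()
    if not (body.startswith("map[") and body.endswith("]")):
        raise ValueError("not a Go map[] rendering")
    body = body[len("map["):-1]
    return {key.lstrip("_"): _coerce(val) for key, val in _PAIR.findall(body)}


def summarize(cfg):
    """Reduce the parsed config to the facts an analyst reports and blocks on."""
    panel = urlparse(cfg["PanelURL"])
    return {
        "version": cfg["Version"],
        "enabled": [m for m in MODULES if cfg.get(m) is True],
        "persistence": bool(cfg["Install"] or cfg["InstallStartup"]
                            or cfg["InstallStartupPersistance"]),
        "anti_analysis": bool(cfg["AntiDebugger"] or cfg["AntiVirusKiller"]
                              or cfg["BotKiller"]),
        "panel_host": panel.hostname,   # network IOC to block / hunt in proxy logs
        "panel_path": panel.path,
        "mutex": cfg["Mutex"],          # host IOC: a running infection holds this mutex
        "exec_delay": cfg["ExecutionDelay"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_fields(RAW_FIELDS)).items():
        print(f"{key}: {value}")
```

The summary says the sample is built for keystroke, clipboard and password theft reporting to patrogabon.com, with install and anti-analysis options switched off. Read the persistence flag with care: the sandbox still tags the dropper MSI37BA.tmp (PID 864) with "Drops startup file", so _Install:false in the config is not proof that nothing was written to a startup location; check the dropped file.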

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • M00nD3v Logger Payload (1 IoCs)

    Detects M00nD3v Logger payload in memory.

  • NirSoft MailPassView (4 IoCs)

    Password recovery tool for various email clients. A legitimate utility, embedded here as the stealer's mail-credential component.

  • NirSoft WebBrowserPassView (4 IoCs)

    Password recovery tool for various web browsers. A legitimate utility, embedded here as the stealer's browser-credential component.

  • Nirsoft (8 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Drops startup file (1 IoCs)
  • Uses the VBS compiler for execution (1 TTPs)

    The .NET Visual Basic compiler (vbc.exe) is started twice by RegAsm.exe with a /stext <file> argument. /stext is not a compiler switch; it is NirSoft's "save report as text" option, so each vbc.exe is acting as a host for an injected password-recovery tool and the named .tmp file receives the dumped credentials.

  • Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)

    Reads stored Outlook account settings. Observed in the second vbc.exe (PID 1984), consistent with the MailPassView payload running there.

  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable (2 IoCs)

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext (3 IoCs)

    Combined with WriteProcessMemory on a newly created process this is the process-hollowing (RunPE) sequence. The three hits match the tree: MSI37BA.tmp into RegAsm.exe, then RegAsm.exe into each of the two vbc.exe processes.

  • Drops file in Windows directory (8 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments. Here the reads are attributed to vssvc.exe (PID 2384), which is active because the MSI engine requests a restore point (srtasks.exe ExecuteScopeRestorePoint), so this hit is most likely installer noise rather than anti-analysis by the payload.

  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of AdjustPrivilegeToken (56 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)

    A hook installed from the hollowed RegAsm.exe (PID 1788); with _KeyStrokeLogger:true in the config this is consistent with the keylogger's keyboard hook.

  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\39f9b4647bb119e34deeff137af960448be14dd80f0443270739c02d450b8ecf.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4336
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4188
    • C:\Windows\Installer\MSI37BA.tmp
      "C:\Windows\Installer\MSI37BA.tmp"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6D8F.tmp"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4264
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp71A7.tmp"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:1984
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2384
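The tree above has the kit's characteristic shape: a .NET framework binary (RegAsm.exe) started with no arguments by the dropper, which then starts vbc.exe twice with /stext <temp file>. The Python below is an added example, not part of the report, showing detection logic for that shape over process-creation events. The EVENTS list is constructed to mirror the PIDs, images and command lines in this tree, plus one constructed benign vbc.exe invocation from a build (PID 5120) as a control; extending the host set to csc.exe and RegSvcs.exe is an assumption that generalizes beyond the two binaries on this page.

```python
import re

# .NET framework binaries commonly repurposed as hollowing hosts. RegAsm.exe and vbc.exe
# are the two seen in this report; csc.exe and RegSvcs.exe are an assumption (same pattern).
FRAMEWORK_HOST = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(RegAsm|RegSvcs|vbc|csc)\.exe$", re.I)

# /stext is NirSoft's "save report as text" switch; it is not a vbc/csc option.
STEXT = re.compile(r"(?i)(^|\s)/stext\s")


def _args(cmdline):
    """Return the argument portion of a command line, after the (optionally quoted) image path."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[end + 1:].strip() if end != -1 else ""
    parts = c.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def classify(ev):
    """Tag one process-creation event (dict with image and cmdline keys)."""
    tags = []
    if not FRAMEWORK_HOST.search(ev["image"]):
        return tags
    args = _args(ev["cmdline"])
    if not args:
        # a compiler or registration tool started with nothing to do: classic hollowing host
        tags.append("dotnet_host_no_args")
    if STEXT.search(args + " "):
        tags.append("nirsoft_stext_dump")
    return tags


def scan(events):
    """Tag every event; escalate children whose parent is itself an argument-less .NET host."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        tags = classify(e)
        parent = by_pid.get(e["ppid"])
        if tags and parent is not None and "dotnet_host_no_args" in classify(parent):
            tags.append("child_of_argless_dotnet_host")
        if tags:
            alerts.append((e["pid"], e["image"].rsplit("\\", 1)[-1], tags))
    return alerts


# Constructed events mirroring the PIDs, images and command lines of the tree above,
# plus one constructed benign compiler invocation (PID 5120) as a control.
EVENTS = [
    {"pid": 864, "ppid": 4004, "image": r"C:\Windows\Installer\MSI37BA.tmp",
     "cmdline": r'"C:\Windows\Installer\MSI37BA.tmp"'},
    {"pid": 1788, "ppid": 864,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'},
    {"pid": 4264, "ppid": 1788,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6D8F.tmp"'},
    {"pid": 1984, "ppid": 1788,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp71A7.tmp"'},
    {"pid": 5120, "ppid": 5100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig /out:obj\Debug\App.exe Module1.vb'},
]

if __name__ == "__main__":
    for pid, name, tags in scan(EVENTS):
        print(pid, name, ", ".join(tags))
```

Command-line shape is the cheap signal; the stronger one in this report is the API telemetry (SetThreadContext and WriteProcessMemory from PID 864 into 1788 and from 1788 into both vbc.exe processes) and the memory dumps below, where the same vbc.exe binary shows a 364KB image region in PID 4264 and a 112KB one in PID 1984, which is what you expect when each copy has been hollowed with a different payload. Pair the rule above with process-injection telemetry before treating an argument-less RegAsm.exe on its own as malicious.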

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scripting (1) T1064
  • Defense Evasion: Scripting (1) T1064
  • Discovery: Query Registry (2) T1012; Peripheral Device Discovery (2) T1120; System Information Discovery (2) T1082
  • Collection: Email Collection (1) T1114

The mapping uses ATT&CK v6. T1064 (Scripting) was deprecated in v7 and folded into T1059 (Command and Scripting Interpreter), so map it to T1059 when correlating with current rules. The process hollowing and NirSoft credential dumping visible in the process tree and signatures are not reflected in this matrix.


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6D8F.tmp
    Filesize

    4KB

    MD5

    bdf65f70610625cc771c5cc7ce168c7d

    SHA1

    a8829b1c071ed0521d11925a98468c12a53a03b8

    SHA256

    b66236dd86f140ca02db0c296e45032b272de2895c4f047a562e73bc8395dba5

    SHA512

    add2db50b0440b07ecc48a5fde7f0b72e84b76f11ea060944afa28ddd03791e6adb3bfca704254131fb3f591f484b37f7276fab96b0c4776a27cb526bcf5f3a4

  • C:\Windows\Installer\MSI37BA.tmp
    Filesize

    2.3MB

    MD5

    6ed84ffdf8184258763731cd34f6d4d3

    SHA1

    015bae0bc0ab2bf4730fa81c6a2b0d5d28a607db

    SHA256

    9cebc436acc05d484b4b50067704e089aab8353c17faefbed887aecf92caf472

    SHA512

    7f44c3f945f5790275ebaf37131788d05791029155b1c044ae68737b6357a090e7c6a28fc77b9c2d608c699e399e90be02b0ea1ec64541ad774b90a4ab7a7b61

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.0MB

    MD5

    f3a45a6d591e72278d3e8c16e12fbdee

    SHA1

    e4545992c1172d761088732e53bdf3fdd4ca4374

    SHA256

    737215efb261ba203a8c86f43469b47c87f165ca15008c4e301246984df5dbd8

    SHA512

    8af9036bc22679b1edb6ed3701461536a8aaf91d2702993ba59005d99d39be648c28c2d1b0329e4fa693e161e64cfbc1c71fc287ac86bd334e9d6e51474241ca

  • \??\Volume{5acfaf36-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{eede0e3d-63e9-499d-8c6f-e16fad8fe4c7}_OnDiskSnapshotProp
    Filesize

    5KB

    MD5

    ebcb5dbc8449905bd2e818cbaf6d7528

    SHA1

    50d2bc04cd73fa95132293c2bd27212ed44d50f3

    SHA256

    75a5028e474c8d7c904b9296f59e968f09eb74695d95ed53197d1eaf1cc5a2ff

    SHA512

    408c2e35817bac83d8cfbf9f36d90588f923c4e07e1d13d4abe96cf72cd3d9611bfc9c3e57eb3f4b38af4671fa5096ca4877a3fa7ed5b428c13410769bf77789

  • memory/864-131-0x0000000000000000-mapping.dmp
  • memory/1788-135-0x0000000000400000-0x0000000000490000-memory.dmp
    Filesize

    576KB

  • memory/1788-143-0x0000000073680000-0x0000000073C31000-memory.dmp
    Filesize

    5.7MB

  • memory/1788-140-0x0000000073680000-0x0000000073C31000-memory.dmp
    Filesize

    5.7MB

  • memory/1788-134-0x0000000000000000-mapping.dmp
  • memory/1984-151-0x0000000000000000-mapping.dmp
  • memory/1984-156-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

  • memory/1984-155-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

  • memory/1984-154-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

  • memory/1984-152-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

  • memory/4188-130-0x0000000000000000-mapping.dmp
  • memory/4264-144-0x0000000000000000-mapping.dmp
  • memory/4264-149-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

  • memory/4264-148-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

  • memory/4264-147-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

  • memory/4264-145-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB