Analysis
max time kernel: 40s
max time network: 55s
platform: windows7_x64
resource: win7-20220414-en
submitted: 15-06-2022 16:59
Static task: static1
Behavioral task: behavioral1
  Sample: ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe
  Resource: win10v2004-20220414-en
General
Target: ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe
Size: 594KB
MD5: 48140b427e5241a5a806bbb0b925b7d2
SHA1: 772d2f450c44f05ac4132d7c9cb8b72e5e54332c
SHA256: ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593
SHA512: ecd026fc3a7aeb5baeabd811c15b279773a4c51457525b72baa1437231d523889596b2b4905c68cbdaedb7045404b878984bf94fee006e1e71435ac7ac8bdcb3
Malware Config
Extracted
Family: hawkeye_reborn
- fields
- name
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
Resources matching yara_rule m00nd3v_logger:
  behavioral1/memory/1700-67-0x0000000004E30000-0x0000000004EC0000-memory.dmp
  behavioral1/memory/1812-72-0x0000000000400000-0x0000000000490000-memory.dmp
  behavioral1/memory/1812-73-0x0000000000400000-0x0000000000490000-memory.dmp
  behavioral1/memory/1812-71-0x0000000000400000-0x0000000000490000-memory.dmp
  behavioral1/memory/1812-74-0x000000000048B1CE-mapping.dmp
  behavioral1/memory/1812-76-0x0000000000400000-0x0000000000490000-memory.dmp
  behavioral1/memory/1812-78-0x0000000000400000-0x0000000000490000-memory.dmp
Drops startup file (1 IoC)
  process: ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tQEnFW.url
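A Startup-folder .url file is a persistence primitive: Explorer launches whatever its URL= line names at logon, and a file:// target needs no registry change. The report records only the dropped path (…\Startup\tQEnFW.url), not the shortcut's contents, so the triage below is an added example, not part of the sandbox report or the sample. The shortcut body it parses is constructed to show the usual shape (an [InternetShortcut] section whose URL= points at a local executable); the target path inside it is an assumption.

```python
"""Triage Startup-folder .url shortcuts like the one the sample drops.

Added example, not part of the sandbox report. SAMPLE_URL_FILE is constructed;
the report does not disclose what tQEnFW.url actually contains.
"""
import configparser
import os
from urllib.parse import unquote, urlparse

# Extensions Windows will execute when a .url's target is a local file.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js",
            ".jse", ".wsf", ".ps1", ".hta", ".lnk"}
# Directory fragments a legitimate installer does not use for a Startup target.
USER_WRITABLE = ("/users/", "/programdata/", "/temp/", "/tmp/")

# Constructed shortcut body; the target path is assumed for illustration.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=file:///C:/Users/Admin/AppData/Local/Temp/"
    "ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe\n"
    "IconIndex=0\n"
)


def shortcut_target(text):
    """Return the URL= value of a .url file, or None if it is not a valid shortcut."""
    cp = configparser.ConfigParser(interpolation=None)  # keep "%20" literal
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def local_path_of(target):
    """Forward-slash local path if the target launches a local file, else None."""
    u = urlparse(target)
    if u.scheme.lower() == "file":
        return unquote(u.path).lstrip("/")      # "/C:/x" -> "C:/x"
    if len(u.scheme) == 1:                      # a drive letter, not a URL scheme
        return target.replace("\\", "/")
    return None


def assess_startup_shortcut(name, text):
    """Classify one Startup-folder .url file as web link, local file, or suspicious."""
    target = shortcut_target(text)
    if target is None:
        return {"file": name, "verdict": "malformed"}
    path = local_path_of(target)
    if path is None:
        return {"file": name, "target": target, "verdict": "web link"}
    lower = "/" + path.lower()
    ext = os.path.splitext(lower)[1]
    suspicious = ext in EXEC_EXT and any(d in lower for d in USER_WRITABLE)
    return {"file": name, "target_path": path,
            "verdict": "suspicious" if suspicious else "local file"}


def scan_startup_dir(directory):
    """Assess every .url file in a Startup folder (returns [] if it does not exist)."""
    if not os.path.isdir(directory):
        return []
    results = []
    for entry in sorted(os.listdir(directory)):
        if entry.lower().endswith(".url"):
            with open(os.path.join(directory, entry), encoding="utf-8",
                      errors="replace") as fh:
                results.append(assess_startup_shortcut(entry, fh.read()))
    return results


if __name__ == "__main__":
    print(assess_startup_shortcut("tQEnFW.url", SAMPLE_URL_FILE))
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    for result in scan_startup_dir(startup):
        print(result)
```

The verdict deliberately separates "local file" from "suspicious": a shortcut to C:\Program Files is ordinary, while an executable under a user-writable directory launched from Startup is the pattern this report records.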
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 4
  ioc: bot.whatismyipaddress.com
Suspicious use of SetThreadContext (1 IoC)
  PID 1700 (ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe) set thread context of PID 1812 (RegAsm.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1700 ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe (2 events)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1700 ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  PID 1700 (ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe) wrote to memory of PID 1768 (csc.exe): 4 events
  PID 1768 (csc.exe) wrote to memory of PID 1808 (cvtres.exe): 4 events
  PID 1700 (ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe) wrote to memory of PID 1812 (RegAsm.exe): 12 events
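Read together, the SetThreadContext and WriteProcessMemory rows describe the classic hollowing sequence: the sample writes a payload into a freshly started RegAsm.exe (PID 1812) and then redirects that process's thread to it, while the csc.exe / cvtres.exe writes are the .NET compiler doing ordinary run-time compilation from a response file in %TEMP%. The detection below is an added example, not part of the sandbox report or the sample: it parses rows in the format the report prints (constructed here from the tables above, duplicates collapsed) and a process tree whose parent-PID links are inferred from those rows, since the report does not print them.

```python
"""Flag the injection sequence recorded in the signature tables above.

Added example, not part of the sandbox report. ROWS and TREE are constructed
from this page; the parent-PID links and the root's parent PID 0 are assumed.
"""
import re
from collections import defaultdict

SAMPLE = "ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe"

# .NET framework utilities that loaders commonly start suspended and hollow.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "vbc.exe"}

# "PID <src> <op> <dst> <src> <src image> <dst image>", as the report prints it.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

ROWS = [
    f"PID 1700 wrote to memory of 1768 1700 {SAMPLE} csc.exe",
    "PID 1768 wrote to memory of 1808 1768 csc.exe cvtres.exe",
    f"PID 1700 wrote to memory of 1812 1700 {SAMPLE} RegAsm.exe",
    f"PID 1700 set thread context of 1812 1700 {SAMPLE} RegAsm.exe",
]

# (pid, parent pid, image, command line); parent pid 0 for the root is assumed.
TREE = [
    (1700, 0, SAMPLE, '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'),
    (1768, 1700, "csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths '
     r'@"C:\Users\Admin\AppData\Local\Temp\2oqbfva0\2oqbfva0.cmdline"'),
    (1808, 1768, "cvtres.exe",
     r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY '
     r'/MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A79.tmp" '
     r'"c:\Users\Admin\AppData\Local\Temp\2oqbfva0\CSCE3B4BC1E27704E209B6CD11A1C7F42CC.TMP"'),
    (1812, 1700, "RegAsm.exe", r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'),
]


def find_hollowing(rows):
    """Pair WriteProcessMemory with SetThreadContext from the same source process.

    Either call alone is common in benign software (debuggers, the CLR itself);
    the pair against one target is the hollowing / thread-hijack signature.
    """
    wrote, set_ctx, image = defaultdict(set), defaultdict(set), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        image[src], image[dst] = m["src_img"], m["dst_img"]
        (set_ctx if m["op"].startswith("set") else wrote)[src].add(dst)
    findings = []
    for src, targets in set_ctx.items():
        for dst in sorted(targets & wrote[src]):
            findings.append({
                "source": (src, image[src]), "target": (dst, image[dst]),
                "severity": "high" if image[dst].lower() in HOLLOW_HOSTS else "medium",
            })
    return findings


def find_runtime_compilation(tree):
    """Flag csc.exe launched with a response file under a user temp directory.

    The CodeDom compiler produces exactly this csc.exe -> cvtres.exe pair when a
    program compiles C# at run time; a non-developer parent feeding it source
    from %TEMP% is a common unpacking stage.
    """
    by_pid = {pid: (ppid, img, cmd) for pid, ppid, img, cmd in tree}
    resp_in_temp = re.compile(r'@"?[^"\s]*\\temp\\[^"\s]*\.cmdline', re.I)
    findings = []
    for pid, (ppid, img, cmd) in by_pid.items():
        hit = resp_in_temp.search(cmd) if img.lower() == "csc.exe" else None
        if hit:
            parent_img = by_pid.get(ppid, (None, "<unknown>", ""))[1]
            findings.append({"csc_pid": pid, "parent": (ppid, parent_img),
                             "response_file": hit.group(0)})
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(ROWS) + find_runtime_compilation(TREE):
        print(finding)
```

Note what is not flagged: the sample's writes into csc.exe and csc.exe's writes into cvtres.exe never pair with a SetThreadContext, so they produce no hollowing finding; only the 1700 -> 1812 RegAsm.exe pair does, and it is rated high because RegAsm.exe is a signed framework binary that has no business receiving a new thread context from a program in %TEMP%.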
Processes
C:\Users\Admin\AppData\Local\Temp\ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe (PID 1700)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 1768)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2oqbfva0\2oqbfva0.cmdline"
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1808)
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A79.tmp" "c:\Users\Admin\AppData\Local\Temp\2oqbfva0\CSCE3B4BC1E27704E209B6CD11A1C7F42CC.TMP"
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 1812)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\2oqbfva0\2oqbfva0.dll
  Filesize: 15KB
  MD5: c0a6ce39eebccf2bbb39acbfe21c4cad
  SHA1: 6fc251f0c664241032cc90dab182381323a5e9b2
  SHA256: 023069da6bf5c89e8c6b5976e6243008f6d8e86828f5086fc9ca00d8409b46c8
  SHA512: 4d0fc04619cbd7769af4eb521f337a27c9151e3571e93d214ea760fedaef0669de19e975ae5b24215646cc7e7d51284f0f405dc8e6fe93635fb0aeadf49a43d6

C:\Users\Admin\AppData\Local\Temp\2oqbfva0\2oqbfva0.pdb
  Filesize: 51KB
  MD5: 120800b569b1cdb132a248dbff74128d
  SHA1: 30c5d93cfa4ce9ad067d6483f2effe26a2a05824
  SHA256: a7a267641dbac7733593d1c242039efcbcf8411830b5a0201f8bcc9d7bc191c8
  SHA512: 99a48668f147bd8de6135fffabddb8188fe94ec76766e953192e03746e8493d93fa3b8cab8f03cf7dd7849c854a08c44dcc6c7dfcd29022f4d44884f8624ce4e

C:\Users\Admin\AppData\Local\Temp\RES4A79.tmp
  Filesize: 1KB
  MD5: d0e54f9e4ca6e5cde69e39cae738556d
  SHA1: 5a0de0d82a77aa6d45af314397f4214fc36e0fe6
  SHA256: 8211e83eeffd07583480df8090ad130e666dcca135c561babe5fcdfa6fd18244
  SHA512: eda927213d3130154f9c6948765f0563277012448369a901176ec3568f49b1c533d5531cf5c16ed0743a93d797016dd697a3b48f3ecfcef67cd77bc5be398802

\??\c:\Users\Admin\AppData\Local\Temp\2oqbfva0\2oqbfva0.0.cs
  Filesize: 29KB
  MD5: b1b4726fefa6a60ae6c9372b54778396
  SHA1: a2ba26bcd86e61188abe1856a9260c103181b62c
  SHA256: bb621394d0af84a7bda3e5775694058126f77d9c63e4dcd863a9acb2f57ab2f5
  SHA512: 335a9f42de2e4b1f9465d64cdea3979d3667f88d3b5681a77701d4f2fe41f3c02386f4a66e99d8a94d978fd6260b411c2670c1f4340c9cff9011db89f639509c

\??\c:\Users\Admin\AppData\Local\Temp\2oqbfva0\2oqbfva0.cmdline
  Filesize: 312B
  MD5: 4eca984360df39f11c33eff375ebe2b8
  SHA1: df99584662757b014bad29fa2a397bc45f66dd7d
  SHA256: bbd90668ec8d36f3c063c365e7c71ec6e48d6ce559a80cbd164cb5e7b436045a
  SHA512: a1fc25a441fa401ad48e75158d99370cfd03cb6aacc012db784bbe4d88a497bac58a671311f5b61bb77853a2c675212450cf2fad5da355fc251b7de368ba2f80

\??\c:\Users\Admin\AppData\Local\Temp\2oqbfva0\CSCE3B4BC1E27704E209B6CD11A1C7F42CC.TMP
  Filesize: 1KB
  MD5: 24851a1e81c0b58225a2dbebcc7c0f38
  SHA1: 54c709fd452b077b1431aeaa529ba55afa24f11f
  SHA256: 58e088b7938abf2579013b57506b355b50eacf24ebdc8408173672fcb604131b
  SHA512: 919290dc0aed1c4024d3a54143ae65c9ab818ca97d56a84473ef52c440e507389b861ac8dceca129b4a8bdfbc605f61081bd0f3485c7bac0f019d2287919f3f2
Memory dumps (name, size)
  memory/1700-66-0x0000000075841000-0x0000000075843000-memory.dmp  8KB
  memory/1700-63-0x00000000003E0000-0x00000000003EA000-memory.dmp  40KB
  memory/1700-64-0x0000000004D00000-0x0000000004D9A000-memory.dmp  616KB
  memory/1700-65-0x0000000000420000-0x000000000042C000-memory.dmp  48KB
  memory/1700-54-0x0000000000130000-0x00000000001CA000-memory.dmp  616KB
  memory/1700-67-0x0000000004E30000-0x0000000004EC0000-memory.dmp  576KB
  memory/1768-55-0x0000000000000000-mapping.dmp
  memory/1808-58-0x0000000000000000-mapping.dmp
  memory/1812-69-0x0000000000400000-0x0000000000490000-memory.dmp  576KB
  memory/1812-68-0x0000000000400000-0x0000000000490000-memory.dmp  576KB
  memory/1812-72-0x0000000000400000-0x0000000000490000-memory.dmp  576KB
  memory/1812-73-0x0000000000400000-0x0000000000490000-memory.dmp  576KB
  memory/1812-71-0x0000000000400000-0x0000000000490000-memory.dmp  576KB
  memory/1812-74-0x000000000048B1CE-mapping.dmp
  memory/1812-76-0x0000000000400000-0x0000000000490000-memory.dmp  576KB
  memory/1812-78-0x0000000000400000-0x0000000000490000-memory.dmp  576KB
  memory/1812-80-0x0000000074720000-0x0000000074CCB000-memory.dmp  5.7MB
  memory/1812-81-0x0000000074720000-0x0000000074CCB000-memory.dmp  5.7MB
  memory/1812-82-0x0000000074720000-0x0000000074CCB000-memory.dmp  5.7MB
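The dump names carry the evidence that ties the YARA hits to the injection: every m00nd3v_logger hit in PID 1812 is the 576KB region at 0x400000 (the default image base of a 32-bit PE), the "mapping" dump for 1812 records 0x48B1CE, which lies inside that region, and the parent PID 1700 holds a matching 576KB region at 0x4E30000, consistent with the payload being unpacked there before it was written into RegAsm.exe. The correlation below is an added example, not part of the sandbox report: it parses the report's dump-name convention (a constructed subset of the names and rule hits from this page) and performs that cross-check. That a parent region of equal size is the staging copy is an analyst's inference, not something the report states.

```python
"""Correlate the memory dumps listed above with the injection into RegAsm.exe.

Added example, not part of the sandbox report. DUMPS is constructed from the
Downloads and M00nd3v_Logger tables on this page (a representative subset).
"""
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  memory/<pid>-<seq>-0x<addr>-mapping.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

# Constructed from the report: dump name -> whether it matched m00nd3v_logger.
DUMPS = {
    "memory/1700-54-0x0000000000130000-0x00000000001CA000-memory.dmp": False,
    "memory/1700-64-0x0000000004D00000-0x0000000004D9A000-memory.dmp": False,
    "memory/1700-67-0x0000000004E30000-0x0000000004EC0000-memory.dmp": True,
    "memory/1768-55-0x0000000000000000-mapping.dmp": False,
    "memory/1812-68-0x0000000000400000-0x0000000000490000-memory.dmp": False,
    "memory/1812-72-0x0000000000400000-0x0000000000490000-memory.dmp": True,
    "memory/1812-74-0x000000000048B1CE-mapping.dmp": True,
    "memory/1812-80-0x0000000074720000-0x0000000074CCB000-memory.dmp": False,
}


def parse_dumps(dumps):
    """Return ({pid: {(start, end): rule_hit}}, {pid: {entry address}})."""
    regions, entries = defaultdict(dict), defaultdict(set)
    for name, hit in dumps.items():
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        pid, start = int(m["pid"]), int(m["start"], 16)
        if m["end"] is None:
            # A "-mapping" dump records the address a thread was pointed at;
            # 0x0 is an ordinary process start, anything else is an injected entry.
            if start:
                entries[pid].add(start)
        else:
            key = (start, int(m["end"], 16))
            # The same region is dumped several times; a hit on any copy counts.
            regions[pid][key] = regions[pid].get(key, False) or hit
    return regions, entries


def correlate_injection(dumps, source_pid, target_pid):
    """For each rule-matched region in the target, find its entry point and any
    equally sized matched region in the source (the likely staging copy)."""
    regions, entries = parse_dumps(dumps)
    findings = []
    for (start, end), hit in sorted(regions.get(target_pid, {}).items()):
        if not hit:
            continue
        size = end - start
        entry = next((e for e in sorted(entries.get(target_pid, ())) if start <= e < end), None)
        staged = sorted(r for r, h in regions.get(source_pid, {}).items()
                        if h and r[1] - r[0] == size)
        findings.append({
            "target_region": (start, end),
            "size": size,
            "entry_point": entry,
            "default_image_base": start == 0x400000,
            "staged_in_source": staged,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_injection(DUMPS, 1700, 1812):
        print({k: (hex(v) if isinstance(v, int) and k != "size" else v)
               for k, v in finding.items()})
```

The 576KB size is the in-memory image (0x90000 bytes), not the 594KB file on disk, so the check compares region sizes against each other rather than against the sample's file size; a region that matches the rule but sits at a non-default base, or an entry address outside every matched region, would be the cue to look for a second stage rather than straightforward hollowing.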