Overview

overview

10

Static

static

scan002383...df.exe

windows7_x64

10

scan002383...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    185s
  • max time network
    201s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-06-2022 16:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    scan00238393903,pdf.exe

  • Size

    594KB

  • MD5

    48140b427e5241a5a806bbb0b925b7d2

  • SHA1

    772d2f450c44f05ac4132d7c9cb8b72e5e54332c

  • SHA256

    ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593

  • SHA512

    ecd026fc3a7aeb5baeabd811c15b279773a4c51457525b72baa1437231d523889596b2b4905c68cbdaedb7045404b878984bf94fee006e1e71435ac7ac8bdcb3

Score
10/10
hawkeye_rebornm00nd3v_loggerinfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger Payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\scan00238393903,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\scan00238393903,pdf.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gytzn4e5\gytzn4e5.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D67.tmp" "c:\Users\Admin\AppData\Local\Temp\gytzn4e5\CSCF417960B6DD24C46B245AF3927AB8.TMP"
        3⤵
          PID:3176
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
          PID:5012
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          2⤵
            PID:2256
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
            2⤵
              PID:5096

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\RES3D67.tmp
            Filesize

            1KB

            MD5

            827deb5eef5ba70b0b7bbfd9fb5216d7

            SHA1

            b9b902a7386c92970d1c50262524a91c16383f1b

            SHA256

            36d43a64794b0f2abb84e543d3b2d5e7238c24ed55eecfe4b2b19ea3f3071afa

            SHA512

            790dbc65e01be1e0966d5f220271e5d585779d5ca9900e13d7b5de32cdd3bac1fa07cdb5c02aad6955f24a72622e42d44f9f0aebbd6ef57370579fe8d74333b2

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\gytzn4e5\gytzn4e5.dll
            Filesize

            15KB

            MD5

            ca095fb7a861e6ec37c0920804cc03cb

            SHA1

            2144d54f6117947bec33714c4e30e729d67790f3

            SHA256

            c5df821a73833fb037fa726cd4852e97cb6306d07070ef750dfb2647a97a72b0

            SHA512

            f25cd46cc50b852f65054d6c9dc26f7f9d8ae87568512630c22cac1436746f273847953f967dda32fdf59db69d489e4f8efb4865e66cb572557c6dbaec503e34

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\gytzn4e5\gytzn4e5.pdb
            Filesize

            51KB

            MD5

            def68a8497f88d125c1f34d0f4e9e920

            SHA1

            d250f24c23c7d0da02a95eeb3ab14cdd31cabe6e

            SHA256

            60bb8a196b84fdeccc276791fb8123666b2e47057533aa635ee0a7a542f8f354

            SHA512

            78ad0cd43a18a9c19abff4b46b041b4010ffc08f4c65b54c46c9b9d4b8c349250dd630c3bf3e718cf22669a314b1797b4d49c9ac4fbcc5c8b4e4e1e41ca4a174

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\gytzn4e5\CSCF417960B6DD24C46B245AF3927AB8.TMP
            Filesize

            1KB

            MD5

            3cd2b2e45f4c335ab6cd1e3203848105

            SHA1

            274a4b94821a28139edf21eefb530d5c78c28374

            SHA256

            89cc926cb38b5f165394fb22f32a03a888bee04a04c86b4dc6082918c1bdb368

            SHA512

            a3ae22d9249d88fb12b5e7d7b93799197660cddfa5a6537bfaec71a9e363b4961d4165b0ed85a9c168a4bd1efd897af2263fb095ae73aeff853a1df900548dc1

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\gytzn4e5\gytzn4e5.0.cs
            Filesize

            29KB

            MD5

            b1b4726fefa6a60ae6c9372b54778396

            SHA1

            a2ba26bcd86e61188abe1856a9260c103181b62c

            SHA256

            bb621394d0af84a7bda3e5775694058126f77d9c63e4dcd863a9acb2f57ab2f5

            SHA512

            335a9f42de2e4b1f9465d64cdea3979d3667f88d3b5681a77701d4f2fe41f3c02386f4a66e99d8a94d978fd6260b411c2670c1f4340c9cff9011db89f639509c

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\gytzn4e5\gytzn4e5.cmdline
            Filesize

            312B

            MD5

            83d26beff8ade4b54feeb6bf5668b9bc

            SHA1

            582a64525536cbbdb6589076f8ce5d5e54cdf4d3

            SHA256

            2295bc42c6cd6b3492926574f647effd6fe54ff3fa58bbbe4db631f9ffece9d0

            SHA512

            accbd758aad6cb4cc0beadb52e7494ba691027ed632246ced25ec767c012703bcb2ce622e5e0d668082683655a147b6989865f504cb8f9955e98a7e5577b1b27

            Download Submit
          • memory/1004-140-0x00000000059A0000-0x0000000005A3C000-memory.dmp
            Filesize

            624KB

            Download
          • memory/1004-130-0x00000000007B0000-0x000000000084A000-memory.dmp
            Filesize

            616KB

            Download
          • memory/1004-139-0x00000000051B0000-0x0000000005242000-memory.dmp
            Filesize

            584KB

            Download
          • memory/2156-131-0x0000000000000000-mapping.dmp
            Download
          • memory/2256-142-0x0000000000000000-mapping.dmp
            Download
          • memory/3176-134-0x0000000000000000-mapping.dmp
            Download
          • memory/5012-141-0x0000000000000000-mapping.dmp
            Download
          • memory/5096-144-0x0000000000400000-0x0000000000490000-memory.dmp
            Filesize

            576KB

            Download
          • memory/5096-143-0x0000000000000000-mapping.dmp
            Download
          • memory/5096-145-0x0000000074A60000-0x0000000075011000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/5096-146-0x0000000074A60000-0x0000000075011000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/5096-147-0x0000000074A60000-0x0000000075011000-memory.dmp
            Filesize

            5.7MB

            Download