Analysis

  • max time kernel
    126s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 09:49

General

  • Target

    e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe

  • Size

    826KB

  • MD5

    d21fa0f5b9240caa4352b2b7e1b79ad0

  • SHA1

    774b0294155b0aecb34f72353436b25cdf3e7912

  • SHA256

    e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31

  • SHA512

    0a59fedb5a94b1cf8874f3ab9e58225b352b259868f07679b53972fe5912bb50483a06dac18e9e868f7079e2c12a820648ebd995c7f7d6595847907260d90fee

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

  • Protocol:
    smtp
  • Host:
    mail.faraveili.com
  • Port:
    25
  • Username:
    martins@faraveili.com
  • Password:
    lord22
Mutex

a57e5243-4d3f-45c0-b0f1-2785a9260e2b

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:lord22 _EmailPort:25 _EmailSSL:false _EmailServer:mail.faraveili.com _EmailUsername:martins@faraveili.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:a57e5243-4d3f-45c0-b0f1-2785a9260e2b _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • M00nD3v Logger Payload 2 IoCs

    Detects M00nD3v Logger payload in memory.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe
    "C:\Users\Admin\AppData\Local\Temp\e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
      2⤵
        PID:4500
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5064
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4384
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of UnmapMainImage
            PID:2784
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 12
              5⤵
              • Program crash
              PID:916
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2784 -ip 2784
      1⤵
        PID:716

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      1
      T1112

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
        Filesize

        826KB

        MD5

        d21fa0f5b9240caa4352b2b7e1b79ad0

        SHA1

        774b0294155b0aecb34f72353436b25cdf3e7912

        SHA256

        e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31

        SHA512

        0a59fedb5a94b1cf8874f3ab9e58225b352b259868f07679b53972fe5912bb50483a06dac18e9e868f7079e2c12a820648ebd995c7f7d6595847907260d90fee

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
        Filesize

        826KB

        MD5

        d21fa0f5b9240caa4352b2b7e1b79ad0

        SHA1

        774b0294155b0aecb34f72353436b25cdf3e7912

        SHA256

        e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31

        SHA512

        0a59fedb5a94b1cf8874f3ab9e58225b352b259868f07679b53972fe5912bb50483a06dac18e9e868f7079e2c12a820648ebd995c7f7d6595847907260d90fee

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
        Filesize

        826KB

        MD5

        d21fa0f5b9240caa4352b2b7e1b79ad0

        SHA1

        774b0294155b0aecb34f72353436b25cdf3e7912

        SHA256

        e2f313e9d52f0f158074a26eb8a8d4fdc0bed26d2df476b5dc621dde665fbd31

        SHA512

        0a59fedb5a94b1cf8874f3ab9e58225b352b259868f07679b53972fe5912bb50483a06dac18e9e868f7079e2c12a820648ebd995c7f7d6595847907260d90fee

      • memory/2784-139-0x0000000000000000-mapping.dmp
      • memory/2784-140-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

      • memory/4384-135-0x0000000000000000-mapping.dmp
      • memory/4384-138-0x0000000006140000-0x00000000061DC000-memory.dmp
        Filesize

        624KB

      • memory/4500-133-0x0000000000000000-mapping.dmp
      • memory/4812-130-0x0000000000B80000-0x0000000000C54000-memory.dmp
        Filesize

        848KB

      • memory/4812-131-0x0000000005F00000-0x00000000064A4000-memory.dmp
        Filesize

        5.6MB

      • memory/4812-132-0x0000000005A80000-0x0000000005B12000-memory.dmp
        Filesize

        584KB

      • memory/5064-134-0x0000000000000000-mapping.dmp