Analysis Overview
SHA256
55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816
Threat Level: Known bad
The file 55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816 was found to be: Known bad.
Malicious Activity Summary
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
NirSoft WebBrowserPassView
NirSoft MailPassView
Nirsoft
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-01 03:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-01 03:19
Reported
2022-07-01 03:50
Platform
win7-20220414-en
Max time kernel
150s
Max time network
52s
Command Line
Signatures
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1932 set thread context of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe |
| PID 1092 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1092 set thread context of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe
"C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe"
C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe
"C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1808
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp694F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpADC.tmp"
Network
Files
memory/1932-54-0x0000000000040000-0x000000000010A000-memory.dmp
memory/1932-55-0x0000000006EA0000-0x0000000006F4C000-memory.dmp
memory/1932-56-0x00000000002E0000-0x0000000000300000-memory.dmp
memory/1932-57-0x0000000000320000-0x000000000032C000-memory.dmp
memory/1092-58-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1092-59-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1092-61-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1092-63-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1092-64-0x000000000048B20E-mapping.dmp
memory/1092-62-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1092-66-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1092-68-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1976-69-0x0000000000000000-mapping.dmp
memory/1092-70-0x0000000002330000-0x00000000023A6000-memory.dmp
memory/1092-71-0x00000000757C1000-0x00000000757C3000-memory.dmp
memory/1632-72-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1632-73-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1632-75-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1632-77-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1632-79-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1632-81-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1632-82-0x000000000044472E-mapping.dmp
memory/1632-85-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1632-86-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1632-87-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp694F.tmp
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/956-92-0x0000000000400000-0x000000000041C000-memory.dmp
memory/956-95-0x0000000000400000-0x000000000041C000-memory.dmp
memory/956-94-0x0000000000400000-0x000000000041C000-memory.dmp
memory/956-97-0x0000000000400000-0x000000000041C000-memory.dmp
memory/956-90-0x0000000000400000-0x000000000041C000-memory.dmp
memory/956-98-0x000000000041211A-mapping.dmp
memory/956-89-0x0000000000400000-0x000000000041C000-memory.dmp
memory/956-101-0x0000000000400000-0x000000000041C000-memory.dmp
memory/956-102-0x0000000000400000-0x000000000041C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-01 03:19
Reported
2022-07-01 03:50
Platform
win10v2004-20220414-en
Max time kernel
90s
Max time network
156s
Command Line
Signatures
HawkEye Reborn
M00nd3v_Logger
M00nD3v Logger Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4532 set thread context of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe |
| PID 1468 set thread context of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1468 set thread context of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe
"C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe"
C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe
"C:\Users\Admin\AppData\Local\Temp\55113b3a648e1d2aa3fbafa7ef783a0c54b3402f9574728623ca838d365bc816.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4532 -ip 4532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1048
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp38A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7B2.tmp"
Network
| Country | Destination | Domain | Proto |
| FR | 2.18.109.224:443 | | tcp |
| IE | 13.69.239.73:443 | | tcp |
| US | 104.18.25.243:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | ftp.datacity.ro | udp |
Files
memory/4532-130-0x0000000000BC0000-0x0000000000C8A000-memory.dmp
memory/4532-131-0x00000000081E0000-0x0000000008784000-memory.dmp
memory/4532-132-0x0000000007CD0000-0x0000000007D62000-memory.dmp
memory/4532-133-0x0000000008C30000-0x0000000008CCC000-memory.dmp
memory/1468-134-0x0000000000000000-mapping.dmp
memory/1468-135-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1468-136-0x00000000059A0000-0x0000000005A06000-memory.dmp
memory/64-137-0x0000000000000000-mapping.dmp
memory/64-138-0x0000000000400000-0x000000000045B000-memory.dmp
memory/64-140-0x0000000000400000-0x000000000045B000-memory.dmp
memory/64-141-0x0000000000400000-0x000000000045B000-memory.dmp
memory/64-142-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp38A.tmp
| MD5 | bdf65f70610625cc771c5cc7ce168c7d |
| SHA1 | a8829b1c071ed0521d11925a98468c12a53a03b8 |
| SHA256 | b66236dd86f140ca02db0c296e45032b272de2895c4f047a562e73bc8395dba5 |
| SHA512 | add2db50b0440b07ecc48a5fde7f0b72e84b76f11ea060944afa28ddd03791e6adb3bfca704254131fb3f591f484b37f7276fab96b0c4776a27cb526bcf5f3a4 |
memory/2800-144-0x0000000000000000-mapping.dmp
memory/2800-145-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2800-147-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2800-148-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1468-149-0x0000000006660000-0x000000000666A000-memory.dmp