Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01/07/2022, 06:54
Static task: static1
Behavioral task: behavioral1
- Sample: 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe
- Resource: win10v2004-20220414-en
General
- Target: 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe
- Size: 804KB
- MD5: 01f4bb3ef1c9a71debeb6e3cf96a95a7
- SHA1: b7a2e81eded3ef70284ae35a68cbb89b0326e2d2
- SHA256: 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0
- SHA512: c1c6246e6b6bce4212be4be30236dd7a0fa231e1184dd3a7a7fee3c6e8bed99ed49f6b2e2b361e7149a580e63b0620ec40dc171a6f46dc1c602943e8dbb95274
Malware Config
Extracted: hawkeye_reborn 9.0.1.6
- Protocol: smtp
- Host: webmail.noahtrader.com
- Port: 587
- Username: [email protected]
- Password: igboigbo@2019
- Mutex: 41e558b2-4ec6-488f-9f67-6d0b27598856
- fields: map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:igboigbo@2019 _EmailPort:587 _EmailSSL:false _EmailServer:webmail.noahtrader.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:41e558b2-4ec6-488f-9f67-6d0b27598856 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
- name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures

- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.

- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  resource | yara_rule
  behavioral2/memory/4988-133-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger

- NirSoft MailPassView (4 IoCs)
  Password recovery tool for various email clients
  resource | yara_rule
  behavioral2/memory/4820-145-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
  behavioral2/memory/4820-147-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
  behavioral2/memory/4820-148-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
  behavioral2/memory/4820-149-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView

- NirSoft WebBrowserPassView (4 IoCs)
  Password recovery tool for various web browsers
  resource | yara_rule
  behavioral2/memory/3676-138-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
  behavioral2/memory/3676-140-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
  behavioral2/memory/3676-141-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
  behavioral2/memory/3676-142-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView

- Nirsoft (8 IoCs)
  resource | yara_rule
  behavioral2/memory/3676-138-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/3676-140-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/3676-141-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/3676-142-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/4820-145-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
  behavioral2/memory/4820-147-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
  behavioral2/memory/4820-148-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
  behavioral2/memory/4820-149-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft

- Uses the VBS compiler for execution (1 TTPs)

- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  6 | bot.whatismyipaddress.com

- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 4928 set thread context of 4988 | 4928 | 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe | 90
  PID 4988 set thread context of 3676 | 4988 | 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe | 91
  PID 4988 set thread context of 4820 | 4988 | 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe | 92

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  3676 | vbc.exe (12 identical entries)
  4988 | 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe (2 identical entries)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4988 | 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4988 | 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe

- Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target
  PID 4928 wrote to memory of 4988 | 4928 | 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe | 90 (8 identical entries)
  PID 4988 wrote to memory of 3676 | 4988 | 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe | 91 (9 identical entries)
  PID 4988 wrote to memory of 4820 | 4988 | 993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe | 92 (9 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe"
  PID: 4928
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\993d7cf6e1a5148ec58fee9be9c71510908703382089a258d34cb69221211ba0.exe"
    PID: 4988
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp"
      PID: 3676
      - Suspicious behavior: EnumeratesProcesses

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBBDF.tmp"
      PID: 4820
      - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 4KB
- MD5: e64c42bc217d551e4168a94182323359
- SHA1: 76937b2d460a61e91393dc198b277c4171b11fd8
- SHA256: 9bf4040d8495d226d2fa94cc117181a753d36197a944e73c9f02186bc3d93454
- SHA512: c1ff859dcd080e7c77a594c81b9e3068ac899db2b7ccb2c3672e988f5a616b292bc7feaabcd4d4966c41fa28584a5458be60cd7edc661d2d4f9de0520b5f52c9