Overview

overview

10

Static

static

1

3d308772c1...92.exe

windows7_x64

10

3d308772c1...92.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    03-07-2022 03:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d308772c193701b7f16aa6386469d4cd3aa61368818095e19cd88e3f16abe92.exe

  • Size

    813KB

  • MD5

    be04d13e880984969b6d7eb4faf58a50

  • SHA1

    815223967c0f594e4834dd58abf4ec87a57c53ec

  • SHA256

    3d308772c193701b7f16aa6386469d4cd3aa61368818095e19cd88e3f16abe92

  • SHA512

    bb19f6a902d68fbcae1a21394b10b9cc159fe6c87874b7fe8f8577197f86fd14a2f8f6a6938870e65063b199a320f7648bb3fd6f3cd9e8812c0c63be11b0e8c4

Score
10/10
hawkeye_rebornm00nd3v_loggerinfostealerkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger Payload 9 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Loads dropped DLL 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d308772c193701b7f16aa6386469d4cd3aa61368818095e19cd88e3f16abe92.exe
    "C:\Users\Admin\AppData\Local\Temp\3d308772c193701b7f16aa6386469d4cd3aa61368818095e19cd88e3f16abe92.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Users\Admin\AppData\Local\Temp\3d308772c193701b7f16aa6386469d4cd3aa61368818095e19cd88e3f16abe92.exe
      "C:\Users\Admin\AppData\Local\Temp\3d308772c193701b7f16aa6386469d4cd3aa61368818095e19cd88e3f16abe92.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Users\Admin\AppData\Local\Temp\3d308772c193701b7f16aa6386469d4cd3aa61368818095e19cd88e3f16abe92.exe
        "C:\Users\Admin\AppData\Local\Temp\3d308772c193701b7f16aa6386469d4cd3aa61368818095e19cd88e3f16abe92.exe"
        3⤵
        • Sets file execution options in registry
        PID:956

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\lysis.dll
    Filesize

    78KB

    MD5

    ac90321d9947dd1e4fd41e1a5e5c9f7d

    SHA1

    d21e1af8e984633c543e6ba3158316765872497b

    SHA256

    698ed66ab1863eb859cf79a9077468a1f0f1df46ccbdd7d006eb41ca7a9d3880

    SHA512

    68cba99ae7740a35a87d7bca3d03155de932cee8cb3144e12c6a028f87cc01ee7d9ce746c6739260cde3b396a2cc3adc7384e822efa8c8777bc6c9ebc0dbb640

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsz4202.tmp\System.dll
    Filesize

    11KB

    MD5

    3f176d1ee13b0d7d6bd92e1c7a0b9bae

    SHA1

    fe582246792774c2c9dd15639ffa0aca90d6fd0b

    SHA256

    fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    SHA512

    0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsz4202.tmp\System.dll
    Filesize

    11KB

    MD5

    3f176d1ee13b0d7d6bd92e1c7a0b9bae

    SHA1

    fe582246792774c2c9dd15639ffa0aca90d6fd0b

    SHA256

    fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    SHA512

    0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsz4202.tmp\System.dll
    Filesize

    11KB

    MD5

    3f176d1ee13b0d7d6bd92e1c7a0b9bae

    SHA1

    fe582246792774c2c9dd15639ffa0aca90d6fd0b

    SHA256

    fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    SHA512

    0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

    Download Submit

  • memory/956-86-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/956-88-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/956-95-0x0000000074790000-0x0000000074D3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/956-94-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/956-93-0x0000000074790000-0x0000000074D3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/956-92-0x0000000074790000-0x0000000074D3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/956-91-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/956-89-0x0000000000402000-0x000000000048B200-memory.dmp

    Filesize

    548KB

    Download

  • memory/956-90-0x0000000000402000-0x000000000048B200-memory.dmp

    Filesize

    548KB

    Download

  • memory/956-72-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/956-74-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/956-76-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/956-78-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/956-79-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/956-80-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/956-82-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/956-87-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1368-60-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1368-71-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1368-68-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1368-66-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1368-64-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1368-63-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1368-61-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1464-54-0x0000000076721000-0x0000000076723000-memory.dmp

    Filesize

    8KB

    Download