Analysis

  • max time kernel: 131s
  • max time network: 138s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 03/07/2022, 07:01 UTC

General

  • Target: 3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
  • Size: 893KB
  • MD5: 45bcaf1873553f6047d714fcec3362f1
  • SHA1: e898892a0af8a34d666543f5169dd34d6dbba6e9
  • SHA256: 3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a
  • SHA512: e686717f37d87ce87473079969c6cf2f8a608eb68adc8516f18a03fa18e0e4077905deb9cd8b0555c108c387bdd4322fbf1dcc2d79d465f65600eb92bb5fa345

Malware Config

Extracted

  • Family: hawkeye_reborn

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • M00nD3v Logger Payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
    "C:\Users\Admin\AppData\Local\Temp\3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /query
      2⤵
        PID:4200
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /sc MINUTE /tn pCwmWG /MO 1 /tr "C:\Users\Admin\AppData\Roaming\anyname\anyname.exe\
        2⤵
        • Creates scheduled task(s)
        PID:4832
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAC8C.tmp"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:208
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBD36.tmp"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:1512

    Network

    • flag-us  DNS  106.89.54.20.in-addr.arpa  (remote address: 8.8.8.8:53)
      Request: 106.89.54.20.in-addr.arpa IN PTR
      Response: none
    • flag-us  DNS  mail.tradecareuae.eu  (process: RegAsm.exe; remote address: 8.8.8.8:53)
      Request: mail.tradecareuae.eu IN A
      Response: none
    • 93.184.221.240:80  322 B  7
    • 20.42.72.131:443  322 B  7
    • 93.184.221.240:80  322 B  7
    • 93.184.221.240:80  322 B  7
    • 93.184.221.240:80  322 B  7
    • 8.8.8.8:53  106.89.54.20.in-addr.arpa  dns  71 B  157 B  1  1
      DNS Request: 106.89.54.20.in-addr.arpa
    • 8.8.8.8:53  mail.tradecareuae.eu  dns  RegAsm.exe  66 B  120 B  1  1
      DNS Request: mail.tradecareuae.eu

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpAC8C.tmp
      Filesize: 4KB
      MD5: e64c42bc217d551e4168a94182323359
      SHA1: 76937b2d460a61e91393dc198b277c4171b11fd8
      SHA256: 9bf4040d8495d226d2fa94cc117181a753d36197a944e73c9f02186bc3d93454
      SHA512: c1ff859dcd080e7c77a594c81b9e3068ac899db2b7ccb2c3672e988f5a616b292bc7feaabcd4d4966c41fa28584a5458be60cd7edc661d2d4f9de0520b5f52c9
    • memory/208-143-0x0000000000400000-0x000000000045B000-memory.dmp  Filesize: 364KB
    • memory/208-142-0x0000000000400000-0x000000000045B000-memory.dmp  Filesize: 364KB
    • memory/208-139-0x0000000000400000-0x000000000045B000-memory.dmp  Filesize: 364KB
    • memory/208-141-0x0000000000400000-0x000000000045B000-memory.dmp  Filesize: 364KB
    • memory/1512-146-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
    • memory/1512-148-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
    • memory/1512-149-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
    • memory/3256-130-0x0000000000780000-0x000000000084C000-memory.dmp  Filesize: 816KB
    • memory/3256-133-0x0000000005360000-0x00000000053FC000-memory.dmp  Filesize: 624KB
    • memory/4036-137-0x00000000750E0000-0x0000000075691000-memory.dmp  Filesize: 5.7MB
    • memory/4036-136-0x00000000750E0000-0x0000000075691000-memory.dmp  Filesize: 5.7MB
    • memory/4036-135-0x0000000000400000-0x0000000000490000-memory.dmp  Filesize: 576KB