Analysis

  • max time kernel
    90s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-07-2022 09:02

General

  • Target

    4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe

  • Size

    1014KB

  • MD5

    23e473332d88b997592273f52100dd71

  • SHA1

    632af0c3d2d79ce41172195bfe99c1e2aedbc1db

  • SHA256

    4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec

  • SHA512

    c6538d6a169d37b685e2ccb9f1deee365946735947b16576fb915b5988b1956da32298e641c8cf2c367813786c5e29730c83397ab0bcee9e7ba82a230e45eb5c

Malware Config

Extracted

Family

hawkeye_reborn

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • M00nD3v Logger payload (1 IoC)

    Detects M00nD3v Logger payload in memory.

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
    "C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
      "C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:60

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe.log
    Filesize

    1KB

    MD5

    400f1cc1a0a0ce1cdabda365ab3368ce

    SHA1

    1ecf683f14271d84f3b6063493dce00ff5f42075

    SHA256

    c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

    SHA512

    14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

  • memory/60-138-0x0000000000000000-mapping.dmp
  • memory/60-140-0x0000000000600000-0x0000000000690000-memory.dmp
    Filesize

    576KB

  • memory/60-141-0x0000000004CD0000-0x0000000004D36000-memory.dmp
    Filesize

    408KB

  • memory/4308-133-0x0000000000560000-0x0000000000664000-memory.dmp
    Filesize

    1.0MB

  • memory/4308-134-0x00000000054F0000-0x0000000005A94000-memory.dmp
    Filesize

    5.6MB

  • memory/4308-135-0x0000000005020000-0x00000000050B2000-memory.dmp
    Filesize

    584KB

  • memory/4308-136-0x0000000005250000-0x000000000525A000-memory.dmp
    Filesize

    40KB

  • memory/4308-137-0x0000000009200000-0x000000000929C000-memory.dmp
    Filesize

    624KB