Analysis
-
max time kernel
90s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-07-2022 09:02
Static task
static1
Behavioral task
behavioral1
Sample
4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
Resource
win10v2004-20220414-en
General
-
Target
4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe
-
Size
1014KB
-
MD5
23e473332d88b997592273f52100dd71
-
SHA1
632af0c3d2d79ce41172195bfe99c1e2aedbc1db
-
SHA256
4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec
-
SHA512
c6538d6a169d37b685e2ccb9f1deee365946735947b16576fb915b5988b1956da32298e641c8cf2c367813786c5e29730c83397ab0bcee9e7ba82a230e45eb5c
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral2/memory/60-140-0x0000000000600000-0x0000000000690000-memory.dmp m00nd3v_logger -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 39 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4308 set thread context of 60 4308 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe 83 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4308 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe Token: SeDebugPrivilege 60 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4308 wrote to memory of 60 4308 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe 83 PID 4308 wrote to memory of 60 4308 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe 83 PID 4308 wrote to memory of 60 4308 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe 83 PID 4308 wrote to memory of 60 4308 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe 83 PID 4308 wrote to memory of 60 4308 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe 83 PID 4308 wrote to memory of 60 4308 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe 83 PID 4308 wrote to memory of 60 4308 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe 83 PID 4308 wrote to memory of 60 4308 4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe"C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe"C:\Users\Admin\AppData\Local\Temp\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:60
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4bb5700ff072f1d563a456b878481ba523cc45cd9517539dc2b640174727c9ec.exe.log
Filesize1KB
MD5400f1cc1a0a0ce1cdabda365ab3368ce
SHA11ecf683f14271d84f3b6063493dce00ff5f42075
SHA256c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA51214c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45