Overview

overview

10

Static

static

4936723d99...20.exe

windows7_x64

10

4936723d99...20.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    37s
  • max time network
    77s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    14-07-2022 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe

  • Size

    670KB

  • MD5

    181e0ed8c8f09db4749f83ca87bf3e2d

  • SHA1

    0c29a28d18b975c3ead2a72205ddf5b2d8d10700

  • SHA256

    4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720

  • SHA512

    f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1

Score
10/10
hawkeye_rebornm00nd3v_loggerinfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger payload 6 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
    "C:\Users\Admin\AppData\Local\Temp\4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:1356
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe.lnk" /f
        3⤵
          PID:1448
      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        2⤵
        • Executes dropped EXE
        PID:1724

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe
      Filesize

      670KB

      MD5

      181e0ed8c8f09db4749f83ca87bf3e2d

      SHA1

      0c29a28d18b975c3ead2a72205ddf5b2d8d10700

      SHA256

      4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720

      SHA512

      f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Filesize

      85KB

      MD5

      2e5f1cf69f92392f8829fc9c9263ae9b

      SHA1

      97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

      SHA256

      51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

      SHA512

      f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Filesize

      85KB

      MD5

      2e5f1cf69f92392f8829fc9c9263ae9b

      SHA1

      97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

      SHA256

      51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

      SHA512

      f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

      Download Submit
    • \Users\Admin\AppData\Local\Temp\FolderN\New.exe
      Filesize

      670KB

      MD5

      181e0ed8c8f09db4749f83ca87bf3e2d

      SHA1

      0c29a28d18b975c3ead2a72205ddf5b2d8d10700

      SHA256

      4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720

      SHA512

      f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1

      Download Submit
    • \Users\Admin\AppData\Local\Temp\svhost.exe
      Filesize

      85KB

      MD5

      2e5f1cf69f92392f8829fc9c9263ae9b

      SHA1

      97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

      SHA256

      51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

      SHA512

      f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

      Download Submit
    • memory/1356-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1448-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1724-65-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1724-70-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1724-64-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1724-79-0x0000000074E10000-0x00000000753BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1724-66-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1724-67-0x000000000048B1CE-mapping.dmp
      Download
    • memory/1724-61-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1724-62-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1724-72-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1724-78-0x0000000074E10000-0x00000000753BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1724-75-0x0000000074E10000-0x00000000753BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2016-76-0x0000000074E10000-0x00000000753BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2016-77-0x0000000074E10000-0x00000000753BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2016-55-0x0000000074E10000-0x00000000753BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2016-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp
      Filesize

      8KB

      Download