Analysis
-
max time kernel
37s -
max time network
77s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
14-07-2022 00:31
Static task
static1
Behavioral task
behavioral1
Sample
4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
Resource
win10v2004-20220414-en
General
-
Target
4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
-
Size
670KB
-
MD5
181e0ed8c8f09db4749f83ca87bf3e2d
-
SHA1
0c29a28d18b975c3ead2a72205ddf5b2d8d10700
-
SHA256
4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720
-
SHA512
f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral1/memory/1724-64-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1724-65-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1724-66-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1724-67-0x000000000048B1CE-mapping.dmp m00nd3v_logger behavioral1/memory/1724-70-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1724-72-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
Executes dropped EXE 1 IoCs
pid Process 1724 svhost.exe -
Loads dropped DLL 2 IoCs
pid Process 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2016 set thread context of 1724 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe:Zone.Identifier cmd.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2016 wrote to memory of 1356 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 28 PID 2016 wrote to memory of 1356 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 28 PID 2016 wrote to memory of 1356 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 28 PID 2016 wrote to memory of 1356 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 28 PID 1356 wrote to memory of 1448 1356 cmd.exe 30 PID 1356 wrote to memory of 1448 1356 cmd.exe 30 PID 1356 wrote to memory of 1448 1356 cmd.exe 30 PID 1356 wrote to memory of 1448 1356 cmd.exe 30 PID 2016 wrote to memory of 1724 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 31 PID 2016 wrote to memory of 1724 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 31 PID 2016 wrote to memory of 1724 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 31 PID 2016 wrote to memory of 1724 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 31 PID 2016 wrote to memory of 1724 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 31 PID 2016 wrote to memory of 1724 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 31 PID 2016 wrote to memory of 1724 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 31 PID 2016 wrote to memory of 1724 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 31 PID 2016 wrote to memory of 1724 2016 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe"C:\Users\Admin\AppData\Local\Temp\4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe.lnk" /f3⤵PID:1448
-
-
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"2⤵
- Executes dropped EXE
PID:1724
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
670KB
MD5181e0ed8c8f09db4749f83ca87bf3e2d
SHA10c29a28d18b975c3ead2a72205ddf5b2d8d10700
SHA2564936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720
SHA512f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1
-
Filesize
85KB
MD52e5f1cf69f92392f8829fc9c9263ae9b
SHA197b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA25651985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883
-
Filesize
85KB
MD52e5f1cf69f92392f8829fc9c9263ae9b
SHA197b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA25651985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883
-
Filesize
670KB
MD5181e0ed8c8f09db4749f83ca87bf3e2d
SHA10c29a28d18b975c3ead2a72205ddf5b2d8d10700
SHA2564936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720
SHA512f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1
-
Filesize
85KB
MD52e5f1cf69f92392f8829fc9c9263ae9b
SHA197b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA25651985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883