Analysis
- max time kernel: 162s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-07-2022 00:31
Static task: static1
Behavioral task: behavioral1
- Sample: 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
- Resource: win10v2004-20220414-en
General
- Target: 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
- Size: 670KB
- MD5: 181e0ed8c8f09db4749f83ca87bf3e2d
- SHA1: 0c29a28d18b975c3ead2a72205ddf5b2d8d10700
- SHA256: 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720
- SHA512: f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1
Malware Config
Extracted: hawkeye_reborn
- fields
- name
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  resource | yara_rule
  behavioral2/memory/2136-136-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
- Executes dropped EXE (1 IoCs)
  pid | Process
  2136 | svhost.exe
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  16 | bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3468 set thread context of 2136 | 3468 | 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe | 85
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
  File created | C:\Windows\assembly\Desktop.ini | 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NTFS ADS (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe:Zone.Identifier | cmd.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  3468 | 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe (14 identical rows)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3468 | 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 3468 wrote to memory of 4144 | 3468 | 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe | 81 (3 identical rows)
  PID 4144 wrote to memory of 1648 | 4144 | cmd.exe | 83 (3 identical rows)
  PID 3468 wrote to memory of 2136 | 3468 | 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe | 85 (8 identical rows)
Processes
C:\Users\Admin\AppData\Local\Temp\4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe"
  PID: 3468
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe"
    PID: 4144
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe.lnk" /f
      PID: 1648
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    PID: 2136
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 670KB
  MD5: 181e0ed8c8f09db4749f83ca87bf3e2d
  SHA1: 0c29a28d18b975c3ead2a72205ddf5b2d8d10700
  SHA256: 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720
  SHA512: f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1
- Filesize: 89KB
  MD5: 84c42d0f2c1ae761bef884638bc1eacd
  SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
  SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
  SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87