Analysis

max time kernel: 162s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 14-07-2022 00:31

Static task: static1
Behavioral task: behavioral1
  Sample: 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
  Resource: win10v2004-20220414-en

General

Target: 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
Size: 670KB
MD5: 181e0ed8c8f09db4749f83ca87bf3e2d
SHA1: 0c29a28d18b975c3ead2a72205ddf5b2d8d10700
SHA256: 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720
SHA512: f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1
Malware Config

Extracted: hawkeye_reborn
fields | name
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
Processes:
  resource: behavioral2/memory/2136-136-0x0000000000400000-0x0000000000490000-memory.dmp
  yara_rule: m00nd3v_logger

Executes dropped EXE (1 IoC)
Processes:
  pid 2136  svhost.exe

Drops desktop.ini file(s) (2 IoCs)
Processes (4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe):
  File created: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly\Desktop.ini

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 16  ioc: bot.whatismyipaddress.com
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3468 (4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe) set thread context of PID 2136 (svhost.exe)
Read together with the eight WriteProcessMemory calls from PID 3468 into PID 2136 below and the m00nd3v_logger YARA hit on the 0x400000-0x490000 image region of PID 2136, this is the process-hollowing pattern: the dropped svhost.exe (89KB on disk) is started suspended and its image is overwritten with the 576KB stealer payload before its main thread is redirected.
Drops file in Windows directory (3 IoCs)
Processes (4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe):
  File opened for modification: C:\Windows\assembly
  File created: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly\Desktop.ini
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report supports that reading (no file encryption, no ransom note, no mass file modification); for a HawkEye/M00nd3v stealer, drive enumeration is more plausibly part of its collection routine.
NTFS ADS (1 IoC)
Processes (cmd.exe):
  File created: C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe:Zone.Identifier
  (Zone.Identifier is the Mark-of-the-Web stream; the report shows cmd.exe writing it on the dropped copy but does not capture the command used.)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid 3468  4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe  (14 hits)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  pid 3468  4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  PID 3468 (4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe) wrote to memory of PID 4144 (cmd.exe)     x3
  PID 4144 (cmd.exe) wrote to memory of PID 1648 (reg.exe)     x3
  PID 3468 (4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe) wrote to memory of PID 2136 (svhost.exe)  x8
The three writes each into cmd.exe and reg.exe are consistent with ordinary child-process startup; the eight writes into svhost.exe, combined with the SetThreadContext call above, are the payload being injected.
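The SetThreadContext and WriteProcessMemory tables above are flattened one-line-per-call records, and the injection relationship has to be reassembled from them. The script below is an added example by the editor, not part of the sandbox report or its tooling: it parses records in the report's own "PID <src> wrote to memory of <dst> ..." shape, aggregates them per (source, target) pair, and reports a pair as a process-hollowing candidate only when the same parent both wrote into the child and reset its thread context. The input is constructed from the counts shown in this report (3 + 3 + 8 writes, one context set); the "spawn only" heuristic (a few writes, no context change) is the editor's own threshold, not something the sandbox defines.

```python
import re
from collections import defaultdict

# Record shape as printed by the report's signature tables:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
#   PID <src> set thread context of <dst> <src> <src image> <dst image>
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

SAMPLE = "4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe"

# Constructed input: the 15 records of this report, regenerated from the
# per-pair counts in its WriteProcessMemory / SetThreadContext tables.
REPORT_RECORDS = (
    [f"PID 3468 wrote to memory of 4144 3468 {SAMPLE} cmd.exe"] * 3
    + ["PID 4144 wrote to memory of 1648 4144 cmd.exe reg.exe"] * 3
    + [f"PID 3468 wrote to memory of 2136 3468 {SAMPLE} svhost.exe"] * 8
    + [f"PID 3468 set thread context of 2136 3468 {SAMPLE} svhost.exe"]
)


def parse_records(lines):
    """Return (src_pid, verb, dst_pid, src_image, dst_image) tuples for lines
    that match the record shape; headers, blanks and junk are skipped."""
    out = []
    for line in lines:
        m = RECORD_RE.search(line.strip())
        if m:
            out.append((int(m["src"]), m["verb"], int(m["dst"]),
                        m["src_image"], m["dst_image"]))
    return out


def build_edges(records):
    """Aggregate per (src, dst) pair: number of memory writes and whether the
    source also set the target's thread context."""
    edges = defaultdict(lambda: {"writes": 0, "context_set": False,
                                 "src_image": None, "dst_image": None})
    for src, verb, dst, src_image, dst_image in records:
        e = edges[(src, dst)]
        e["src_image"], e["dst_image"] = src_image, dst_image
        if verb.startswith("wrote"):
            e["writes"] += 1
        else:
            e["context_set"] = True
    return dict(edges)


def hollowing_candidates(records):
    """WriteProcessMemory into a child followed by SetThreadContext on it is
    the process-hollowing sequence (the ResumeThread step is not logged here).
    Returns sorted [(src_pid, dst_pid, dst_image), ...]."""
    return sorted(
        (src, dst, e["dst_image"])
        for (src, dst), e in build_edges(records).items()
        if e["writes"] and e["context_set"]
    )


def spawn_only_edges(records, max_writes=3):
    """Editor's heuristic: a handful of writes into a child with no context
    change is what plain process creation looks like in these tables."""
    return sorted(
        (src, dst, e["dst_image"])
        for (src, dst), e in build_edges(records).items()
        if not e["context_set"] and e["writes"] <= max_writes
    )


if __name__ == "__main__":
    recs = parse_records(REPORT_RECORDS)
    for src, dst, image in hollowing_candidates(recs):
        print(f"hollowing candidate: {src} -> {dst} ({image})")
    for src, dst, image in spawn_only_edges(recs):
        print(f"plain child start:   {src} -> {dst} ({image})")
```

On this report the only candidate is 3468 -> 2136 (svhost.exe), which is also the process whose 0x400000-0x490000 region matched the m00nd3v_logger rule; the cmd.exe and reg.exe edges fall under the spawn-only heuristic.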
Processes

1. C:\Users\Admin\AppData\Local\Temp\4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe"
   - Drops desktop.ini file(s)
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe"
      - NTFS ADS
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe.lnk" /f

   2. C:\Users\Admin\AppData\Local\Temp\svhost.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      - Executes dropped EXE

(Children are launched from SysWOW64, so the sample runs as a 32-bit process on the x64 guest. The reg.exe command is the persistence step: the Load value under HKCU\...\Windows NT\CurrentVersion\Windows is a per-user autostart location, and it is pointed at a shortcut to New.exe, the self-copy listed under Downloads.)
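The reg.exe line in the tree is the one durable change the sample makes, and it is easy to miss because the Load value is less well known than the Run keys. The script below is an added example by the editor (not the sandbox's code): it tokenises a Windows command line the way reg.exe sees it (whitespace outside double quotes, backslashes kept literally), extracts the key, value name and data from a "reg add" invocation, and checks them against a short list of autostart locations. The list (Run, RunOnce, the Windows\Load and Windows\Run values, Winlogon Shell/Userinit) and the "temp path / shortcut" flags are the editor's choices, not a complete ASEP inventory; the first test input is the command line from this report, the others are constructed.

```python
HIVES = {
    "HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
    "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT",
}

# (subkey path under the hive, value names that start a program; None = any)
AUTOSTART_LOCATIONS = [
    (r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", None),
    (r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE", None),
    (r"SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS", {"LOAD", "RUN"}),
    (r"SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON", {"SHELL", "USERINIT"}),
]


def split_cmdline(cmd):
    """Split on whitespace outside double quotes; quotes are dropped and
    backslashes are kept (they are path separators for reg.exe, not escapes)."""
    args, cur, in_quote, have = [], [], False, False
    for ch in cmd:
        if ch == '"':
            in_quote, have = not in_quote, True
        elif ch.isspace() and not in_quote:
            if have:
                args.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(ch)
            have = True
    if have:
        args.append("".join(cur))
    return args


def normalize_key(key):
    """Return (hive, subkey) in upper case with the hive abbreviation expanded,
    the WOW6432Node redirection removed and an HKU SID component stripped."""
    hive, _, rest = key.strip("\\").partition("\\")
    hive = HIVES.get(hive.upper(), hive.upper())
    rest = rest.upper().replace("WOW6432NODE\\", "")
    if hive == "HKEY_USERS" and "\\" in rest:
        rest = rest.split("\\", 1)[1]          # drop the S-1-5-... component
    return hive, rest.strip("\\")


def parse_reg_add(cmdline):
    """Return {'key', 'value', 'type', 'data', 'force'} for a reg add
    command, or None if the line is not one."""
    args = split_cmdline(cmdline)
    if len(args) < 3:
        return None
    exe = args[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or args[1].lower() != "add":
        return None
    res = {"key": args[2], "value": None, "type": "REG_SZ", "data": None, "force": False}
    i = 3
    while i < len(args):
        opt = args[i].lower()
        if opt in ("/v", "/t", "/d") and i + 1 < len(args):
            res[{"/v": "value", "/t": "type", "/d": "data"}[opt]] = args[i + 1]
            i += 2
            continue
        if opt == "/ve":
            res["value"] = ""                 # the key's (Default) value
        elif opt == "/f":
            res["force"] = True
        i += 1
    return res


def is_autostart(key, value_name):
    _, subkey = normalize_key(key)
    for location, names in AUTOSTART_LOCATIONS:
        if subkey == location and (names is None or (value_name or "").upper() in names):
            return True
    return False


def classify(cmdline):
    """Parse a command line; if it is a reg add, say whether it writes an
    autostart value and which of the editor's data heuristics fire."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    data = (parsed["data"] or "").lower()
    flags = []
    if "\\appdata\\local\\temp\\" in data:
        flags.append("temp-path")
    if data.endswith(".lnk"):
        flags.append("shortcut")
    parsed["autostart"] = is_autostart(parsed["key"], parsed["value"])
    parsed["flags"] = flags
    return parsed


# The command line recorded in this report's process tree.
REPORT_CMD = r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe.lnk" /f'

if __name__ == "__main__":
    r = classify(REPORT_CMD)
    print(f"autostart={r['autostart']} key={r['key']} value={r['value']} data={r['data']} flags={r['flags']}")
```

On a live host the same value can be checked with `Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' -Name Load` in PowerShell; Sysinternals Autoruns also lists this location under its Logon tab.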
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe
  Filesize: 670KB
  MD5: 181e0ed8c8f09db4749f83ca87bf3e2d
  SHA1: 0c29a28d18b975c3ead2a72205ddf5b2d8d10700
  SHA256: 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720
  SHA512: f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1
  (Hashes identical to the submitted sample: New.exe is a self-copy, and it is what the Load registry value's shortcut points at.)

C:\Users\Admin\AppData\Local\Temp\svhost.exe  (listed twice in the report)
  Filesize: 89KB
  MD5: 84c42d0f2c1ae761bef884638bc1eacd
  SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
  SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
  SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Memory dumps
  memory/1648-133-0x0000000000000000-mapping.dmp
  memory/2136-136-0x0000000000400000-0x0000000000490000-memory.dmp  Filesize: 576KB  (the region that matched the m00nd3v_logger rule)
  memory/2136-135-0x0000000000000000-mapping.dmp
  memory/2136-139-0x0000000074930000-0x0000000074EE1000-memory.dmp  Filesize: 5.7MB
  memory/2136-141-0x0000000074930000-0x0000000074EE1000-memory.dmp  Filesize: 5.7MB
  memory/2136-142-0x0000000074930000-0x0000000074EE1000-memory.dmp  Filesize: 5.7MB
  memory/3468-130-0x0000000074930000-0x0000000074EE1000-memory.dmp  Filesize: 5.7MB
  memory/3468-131-0x0000000074930000-0x0000000074EE1000-memory.dmp  Filesize: 5.7MB
  memory/3468-140-0x0000000074930000-0x0000000074EE1000-memory.dmp  Filesize: 5.7MB
  memory/4144-132-0x0000000000000000-mapping.dmp