Analysis
-
max time kernel
28s -
max time network
65s -
platform
windows7_x64 -
resource
win7-20220414-en -
resource tags
arch:x64arch:x86image:win7-20220414-enlocale:en-usos:windows7-x64system -
submitted
17-07-2022 04:26
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT-PDF.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PAYMENT-PDF.exe
Resource
win10v2004-20220715-en
General
-
Target
PAYMENT-PDF.exe
-
Size
518KB
-
MD5
d8b7335d7669b24ddb9b239953f0d7a7
-
SHA1
f119bea19f892adc161a0ebb15ffbcc8150cc3c5
-
SHA256
39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9
-
SHA512
96c2ef1da4c5c1f55c17cadd46959a0ec8c0d9ddc947ac2c5c85fb9a3910d76436079ce2ed739c4f27f5d54cd8d1776670aeea305061fc43a046c92ebfbe515e
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral1/memory/1628-67-0x00000000050C0000-0x0000000005150000-memory.dmp m00nd3v_logger behavioral1/memory/1008-71-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1008-73-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1008-72-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1008-74-0x000000000048B1CE-mapping.dmp m00nd3v_logger behavioral1/memory/1008-78-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1008-76-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url PAYMENT-PDF.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1628 set thread context of 1008 1628 PAYMENT-PDF.exe 31 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1628 PAYMENT-PDF.exe 1628 PAYMENT-PDF.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1628 PAYMENT-PDF.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1628 wrote to memory of 1248 1628 PAYMENT-PDF.exe 28 PID 1628 wrote to memory of 1248 1628 PAYMENT-PDF.exe 28 PID 1628 wrote to memory of 1248 1628 PAYMENT-PDF.exe 28 PID 1628 wrote to memory of 1248 1628 PAYMENT-PDF.exe 28 PID 1248 wrote to memory of 1004 1248 csc.exe 30 PID 1248 wrote to memory of 1004 1248 csc.exe 30 PID 1248 wrote to memory of 1004 1248 csc.exe 30 PID 1248 wrote to memory of 1004 1248 csc.exe 30 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31 PID 1628 wrote to memory of 1008 1628 PAYMENT-PDF.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m41m4gli\m41m4gli.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84F9.tmp" "c:\Users\Admin\AppData\Local\Temp\m41m4gli\CSCA876AFE34D9649F5A6C13D5AA0647022.TMP"3⤵PID:1004
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵PID:1008
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ab67cbc69ccaaac0dab14ded9d0981f2
SHA177141a2a644648d72fc030b0f0e506c40e98bfee
SHA256ff46e34979fc62a0337cdcdb8f1b708e5a720c0ca92d97ebddb3f8ec32fecd2a
SHA512e83ec202ec803f63e07543bc00a0b83a52d6297330a5fae9952ed07f664ca2f34b1d34e847a61cd99be4079467f23a85a9eee968e054498b1c3fd3f1d5a5e7c2
-
Filesize
6KB
MD51f72617dbe538e85666706123ee61525
SHA1309e21eef6817a1d8ab118d833b8742d25a998d7
SHA2565265009a2f571188fd8b9767846a644e5b05b9374de9784a2be4a2ea78a98837
SHA5122e996699110ef1eb383200d025d009fc73e24fc355ebe5e48b5927f0bc74a4eca958e2681de5b9a4cf00160bffe96cfc4550f61c1cf2dff8ed86ece9e2c68905
-
Filesize
17KB
MD57e3f0fbacdcff8c12e5e3fd0eb6a45dd
SHA1ea278a215b471664d6b3d6e0664827c01c1ace5b
SHA256784b08a568c95520d79242501b705627106c5797b025e5bc45a88f2e276f543d
SHA51221631535041f81eea51440becd64402e04886f9447f5615a4e537cf3d8b668cd9154a67e795c628668e6aefbea8f2f1b8d36ae2eca97a1c73819b222bd5c14f5
-
Filesize
1KB
MD5c76ed21683e9f7b8813dca525aa296d0
SHA1b5885f7ca63fac60e9d88b75484c555bdd82c92b
SHA25669d5994aad16777b27c294c476914f8eb6309300d47da9aeba05603f24dee96b
SHA5128ce26b1da43c5671190ecb78c83f278ea417266e3d2133de2771d549e9b00e27931d1b073ab78bbef2c80ecba7bc29a544da7ada8b854f69be3a50cc135856a2
-
Filesize
3KB
MD5b6823d54afabf958afeefb18571df6e2
SHA19565aaf3eb244d657951d7a4f6bcdecf2b5bd2b4
SHA256215489b46857eb0ffa39c0bc87f61944b6fb14d4fecc628db6e57d9e0eb27a10
SHA5129b111ff86b7e36cc52750aad546e6c2c71e8ac90ae327880dc8666a749370312d1d2be34da3d24c5161a569c6452754248e3b8fbfecb2a25b9063237ac08c318
-
Filesize
312B
MD5c35ee1f5969ecc6347619082d1bebf17
SHA12f7967539bc0ec20fe8ba68009f0e9053bfb3aef
SHA25698b5f485da5239e8ac0428dd0a55875b22cf9ef22b77ad379bb534fad2efc0a7
SHA512611c826818bcd7261bd43acb6777419faac47fbb02c8230a6111f7a1591e7553c9cb88c2ff888efff521165f58e19f226e7653eeeee00b427720d1d30b16c626