Analysis
-
max time kernel
89s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20220715-en -
resource tags
arch:x64arch:x86image:win10v2004-20220715-enlocale:en-usos:windows10-2004-x64system -
submitted
17-07-2022 04:26
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT-PDF.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PAYMENT-PDF.exe
Resource
win10v2004-20220715-en
General
-
Target
PAYMENT-PDF.exe
-
Size
518KB
-
MD5
d8b7335d7669b24ddb9b239953f0d7a7
-
SHA1
f119bea19f892adc161a0ebb15ffbcc8150cc3c5
-
SHA256
39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9
-
SHA512
96c2ef1da4c5c1f55c17cadd46959a0ec8c0d9ddc947ac2c5c85fb9a3910d76436079ce2ed739c4f27f5d54cd8d1776670aeea305061fc43a046c92ebfbe515e
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral2/memory/4016-142-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url PAYMENT-PDF.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4020 set thread context of 4016 4020 PAYMENT-PDF.exe 80 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4020 PAYMENT-PDF.exe 4020 PAYMENT-PDF.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4020 PAYMENT-PDF.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4020 wrote to memory of 3828 4020 PAYMENT-PDF.exe 77 PID 4020 wrote to memory of 3828 4020 PAYMENT-PDF.exe 77 PID 4020 wrote to memory of 3828 4020 PAYMENT-PDF.exe 77 PID 3828 wrote to memory of 3116 3828 csc.exe 79 PID 3828 wrote to memory of 3116 3828 csc.exe 79 PID 3828 wrote to memory of 3116 3828 csc.exe 79 PID 4020 wrote to memory of 4016 4020 PAYMENT-PDF.exe 80 PID 4020 wrote to memory of 4016 4020 PAYMENT-PDF.exe 80 PID 4020 wrote to memory of 4016 4020 PAYMENT-PDF.exe 80 PID 4020 wrote to memory of 4016 4020 PAYMENT-PDF.exe 80 PID 4020 wrote to memory of 4016 4020 PAYMENT-PDF.exe 80 PID 4020 wrote to memory of 4016 4020 PAYMENT-PDF.exe 80 PID 4020 wrote to memory of 4016 4020 PAYMENT-PDF.exe 80 PID 4020 wrote to memory of 4016 4020 PAYMENT-PDF.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pzmb0lyo\pzmb0lyo.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF3B.tmp" "c:\Users\Admin\AppData\Local\Temp\pzmb0lyo\CSC5EAF8375EFA540ACA3AD4B19BF5A9E6.TMP"3⤵PID:3116
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵PID:4016
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5246b000fc8323c33a104a613a5399d8a
SHA1ee85ecb400e0e8d46fc7da012db06b3b9eb2e85b
SHA256298178ed70685c427ba41888b533f78e9bd5a76a8b0eae0b9ec857fef1455618
SHA5127c4cabf278761fbac7e63120fa0daf9bca7a6d0fd93723ad5f2474fa898e57b3637a1f6e17988b38f9688f9b31fede31662bc260b3fc2614c3b26107aadb4b7c
-
Filesize
6KB
MD50921fb8960d576b3ce3c68daeba8fbb4
SHA1a0f6cb46c7a129fcdecfecd7402cbe4540d25ab4
SHA25632fd870661c2ea8cd42e064c0efa595845b448a6e26b18ffed43499107d2d341
SHA512e3b4b90aa0ae85a3c55604decb70ecee397e20ea2f8237df03ff898d3f74566587d804a5719c589dd0d8c0d06cea0e27f0496ebf22e3df4865137f817b437757
-
Filesize
17KB
MD57169c2f1e92927fa2a389cc12c631446
SHA1b9ac020fbb1567a480e225392a13cfabbfd866d7
SHA25650911478a82a430dc7adc8a1e214007bcfcecb865cbe47f8dc2d3d15d0d6e0c1
SHA51243341ed39113220e43254ac2890196af15b79fcb2e1d87d8886e58b874e625ed3a3bef4bbdcc4839dc9a50f5cf655ea3853677522bc2df29e6ba2c90e819c982
-
Filesize
1KB
MD5f9af8bbf7af657e28f034487d1e36c3d
SHA1f4dfe8ff5e2d8fb75dafc3c7201564381bf62e28
SHA256dffa696d78ee9a2fb4a941222bb2480deaeb19a7ee04e9da661edd5ecee4f1db
SHA5126b0dc6e337fb48ce9792e926e870278f1fc9e36162d6b9fda40075c0bce4f8c708f7a8e543f9340d877861e770a83eca0e7343f6787dc0d54fb1d6ba82a375f6
-
Filesize
3KB
MD5b6823d54afabf958afeefb18571df6e2
SHA19565aaf3eb244d657951d7a4f6bcdecf2b5bd2b4
SHA256215489b46857eb0ffa39c0bc87f61944b6fb14d4fecc628db6e57d9e0eb27a10
SHA5129b111ff86b7e36cc52750aad546e6c2c71e8ac90ae327880dc8666a749370312d1d2be34da3d24c5161a569c6452754248e3b8fbfecb2a25b9063237ac08c318
-
Filesize
312B
MD5aeb38e72d918d4caf48a00ec00372299
SHA1d05185b72cebb6a4620d04728bb3e9f0507e28e7
SHA25618aaecd24af15b24a2757caccb84b7775acb74568555fad96f2b83c04c4e3f09
SHA51266ce1356ea22438e1d57b75612a5790d2d2c41315ed559bb1358cf4bca8a9d83608194c9ee468510d0c99ba8cf651f8b14dd2a6ac7cf9b4452e01d20283a218f