Overview

overview

10

Static

static

5fb140d193...6a.exe

windows7-x64

10

5fb140d193...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    84s
  • max time network
    82s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 09:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe

  • Size

    791KB

  • MD5

    39ffa3dd5db6edf0f208d118be8cb64a

  • SHA1

    f523071595fc01b6134f961a9f6760636d1c64d1

  • SHA256

    5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a

  • SHA512

    7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc

Score
10/10
hawkeye_rebornm00nd3v_loggerinfostealerkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger payload 7 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
    "C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe" "C:\Users\Admin\AppData\Roaming\install.exe"
      2⤵
        PID:1992
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\install.exe"
        2⤵
          PID:1464
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1204
        • C:\Users\Admin\AppData\Roaming\install.exe
          "C:\Users\Admin\AppData\Roaming\install.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Users\Admin\AppData\Roaming\install.exe
            "C:\Users\Admin\AppData\Roaming\install.exe"
            3⤵
            • Executes dropped EXE
            • Sets file execution options in registry
            PID:768

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\install.exe
        Filesize

        791KB

        MD5

        39ffa3dd5db6edf0f208d118be8cb64a

        SHA1

        f523071595fc01b6134f961a9f6760636d1c64d1

        SHA256

        5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a

        SHA512

        7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc

        Download Submit
      • C:\Users\Admin\AppData\Roaming\install.exe
        Filesize

        791KB

        MD5

        39ffa3dd5db6edf0f208d118be8cb64a

        SHA1

        f523071595fc01b6134f961a9f6760636d1c64d1

        SHA256

        5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a

        SHA512

        7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc

        Download Submit
      • C:\Users\Admin\AppData\Roaming\install.exe
        Filesize

        791KB

        MD5

        39ffa3dd5db6edf0f208d118be8cb64a

        SHA1

        f523071595fc01b6134f961a9f6760636d1c64d1

        SHA256

        5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a

        SHA512

        7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc

        Download Submit
      • \Users\Admin\AppData\Roaming\install.exe
        Filesize

        791KB

        MD5

        39ffa3dd5db6edf0f208d118be8cb64a

        SHA1

        f523071595fc01b6134f961a9f6760636d1c64d1

        SHA256

        5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a

        SHA512

        7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc

        Download Submit
      • memory/768-79-0x0000000000090000-0x0000000000120000-memory.dmp
        Filesize

        576KB

        Download
      • memory/768-83-0x0000000000090000-0x0000000000120000-memory.dmp
        Filesize

        576KB

        Download
      • memory/768-92-0x0000000074780000-0x0000000074D2B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/768-91-0x0000000074780000-0x0000000074D2B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/768-89-0x0000000074780000-0x0000000074D2B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/768-90-0x0000000074780000-0x0000000074D2B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/768-87-0x0000000000090000-0x0000000000120000-memory.dmp
        Filesize

        576KB

        Download
      • memory/768-76-0x000000000048B1CE-mapping.dmp
        Download
      • memory/768-78-0x0000000000090000-0x0000000000120000-memory.dmp
        Filesize

        576KB

        Download
      • memory/768-74-0x0000000000090000-0x0000000000120000-memory.dmp
        Filesize

        576KB

        Download
      • memory/768-70-0x0000000000090000-0x0000000000120000-memory.dmp
        Filesize

        576KB

        Download
      • memory/768-71-0x0000000000090000-0x0000000000120000-memory.dmp
        Filesize

        576KB

        Download
      • memory/768-73-0x0000000000090000-0x0000000000120000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1204-62-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1464-60-0x0000000071C21000-0x0000000071C23000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1464-58-0x0000000000000000-mapping.dmp
        Download
      • memory/1636-68-0x0000000074170000-0x000000007471B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1636-67-0x0000000074170000-0x000000007471B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1636-84-0x0000000074170000-0x000000007471B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1636-64-0x0000000000000000-mapping.dmp
        Download
      • memory/1856-55-0x0000000074780000-0x0000000074D2B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1856-54-0x00000000761D1000-0x00000000761D3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1856-57-0x0000000074780000-0x0000000074D2B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1856-61-0x0000000074780000-0x0000000074D2B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1992-56-0x0000000000000000-mapping.dmp
        Download