Overview

overview

10

Static

static

5fb140d193...6a.exe

windows7-x64

10

5fb140d193...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 09:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe

  • Size

    791KB

  • MD5

    39ffa3dd5db6edf0f208d118be8cb64a

  • SHA1

    f523071595fc01b6134f961a9f6760636d1c64d1

  • SHA256

    5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a

  • SHA512

    7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc

Score
10/10
hawkeye_rebornm00nd3v_loggerinfostealerkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
    "C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe" "C:\Users\Admin\AppData\Roaming\install.exe"
      2⤵
        PID:4348
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\install.exe"
        2⤵
          PID:3744
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4140
        • C:\Users\Admin\AppData\Roaming\install.exe
          "C:\Users\Admin\AppData\Roaming\install.exe"
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2976
          • C:\Users\Admin\AppData\Roaming\install.exe
            "C:\Users\Admin\AppData\Roaming\install.exe"
            3⤵
            • Executes dropped EXE
            PID:2412

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\install.exe
        Filesize

        791KB

        MD5

        39ffa3dd5db6edf0f208d118be8cb64a

        SHA1

        f523071595fc01b6134f961a9f6760636d1c64d1

        SHA256

        5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a

        SHA512

        7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc

        Download Submit
      • C:\Users\Admin\AppData\Roaming\install.exe
        Filesize

        791KB

        MD5

        39ffa3dd5db6edf0f208d118be8cb64a

        SHA1

        f523071595fc01b6134f961a9f6760636d1c64d1

        SHA256

        5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a

        SHA512

        7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc

        Download Submit
      • C:\Users\Admin\AppData\Roaming\install.exe
        Filesize

        791KB

        MD5

        39ffa3dd5db6edf0f208d118be8cb64a

        SHA1

        f523071595fc01b6134f961a9f6760636d1c64d1

        SHA256

        5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a

        SHA512

        7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc

        Download Submit
      • memory/1188-132-0x0000000074DD0000-0x0000000075381000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1188-133-0x0000000074DD0000-0x0000000075381000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1188-136-0x0000000074DD0000-0x0000000075381000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2412-146-0x0000000074130000-0x00000000746E1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2412-143-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/2412-142-0x0000000000000000-mapping.dmp
        Download
      • memory/2976-141-0x0000000074130000-0x00000000746E1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2976-140-0x0000000074130000-0x00000000746E1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2976-138-0x0000000000000000-mapping.dmp
        Download
      • memory/2976-145-0x0000000074130000-0x00000000746E1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/3744-135-0x0000000000000000-mapping.dmp
        Download
      • memory/4348-134-0x0000000000000000-mapping.dmp
        Download