Analysis
- max time kernel: 158s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 09:57

Static task: static1

Behavioral task: behavioral1
- Sample: 5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
- Resource: win7-20220715-en

Behavioral task: behavioral2
- Sample: 5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
- Resource: win10v2004-20220722-en
General
- Target: 5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
- Size: 791KB
- MD5: 39ffa3dd5db6edf0f208d118be8cb64a
- SHA1: f523071595fc01b6134f961a9f6760636d1c64d1
- SHA256: 5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a
- SHA512: 7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc

Malware Config
Extracted: hawkeye_reborn
- fields: (none listed)
- name: (none listed)
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  resource | yara_rule
  behavioral2/memory/2412-143-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
- Executes dropped EXE (2 IoCs)
  pid | process
  2976 | install.exe
  2412 | install.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | 5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Installer = "C:\\Users\\Admin\\AppData\\Roaming\\install.exe -boot" | install.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2976 set thread context of 2412 | 2976 | install.exe | install.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1188 | 5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
  2976 | install.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1188 | 5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
  Token: SeDebugPrivilege | 2976 | install.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | process | target process | entries
  PID 1188 wrote to memory of 4348 | 1188 | 5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe | cmd.exe | 3
  PID 1188 wrote to memory of 3744 | 1188 | 5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe | explorer.exe | 3
  PID 4140 wrote to memory of 2976 | 4140 | explorer.exe | install.exe | 3
  PID 2976 wrote to memory of 2412 | 2976 | install.exe | install.exe | 8
Processes
- C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a.exe" "C:\Users\Admin\AppData\Roaming\install.exe"
  - C:\Windows\SysWOW64\explorer.exe
    command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\install.exe"
- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\install.exe
    command line: "C:\Users\Admin\AppData\Roaming\install.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\install.exe
      command line: "C:\Users\Admin\AppData\Roaming\install.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\install.exe
  Filesize: 791KB
  MD5: 39ffa3dd5db6edf0f208d118be8cb64a
  SHA1: f523071595fc01b6134f961a9f6760636d1c64d1
  SHA256: 5fb140d1932d22dd8143648fd0239c18264a66c5d8bb948156b71ba089c3306a
  SHA512: 7143996029ef1a98acf0eb89aa3829a31cf7e2c57e4303a8ef0b4e086f8c1a67d1885404420b90ed78c3772853632290ec00e669bbd8135620f48aedda58f2fc
- memory/1188-132-0x0000000074DD0000-0x0000000075381000-memory.dmp
  Filesize: 5.7MB
- memory/1188-133-0x0000000074DD0000-0x0000000075381000-memory.dmp
  Filesize: 5.7MB
- memory/1188-136-0x0000000074DD0000-0x0000000075381000-memory.dmp
  Filesize: 5.7MB
- memory/2412-146-0x0000000074130000-0x00000000746E1000-memory.dmp
  Filesize: 5.7MB
- memory/2412-143-0x0000000000400000-0x0000000000490000-memory.dmp
  Filesize: 576KB
- memory/2412-142-0x0000000000000000-mapping.dmp
- memory/2976-141-0x0000000074130000-0x00000000746E1000-memory.dmp
  Filesize: 5.7MB
- memory/2976-140-0x0000000074130000-0x00000000746E1000-memory.dmp
  Filesize: 5.7MB
- memory/2976-138-0x0000000000000000-mapping.dmp
- memory/2976-145-0x0000000074130000-0x00000000746E1000-memory.dmp
  Filesize: 5.7MB
- memory/3744-135-0x0000000000000000-mapping.dmp
- memory/4348-134-0x0000000000000000-mapping.dmp