Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 30-12-2023 02:53

Static task: static1
Behavioral task: behavioral1
  Sample: 0c3bdc11fd6454bb67da849864170b44.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0c3bdc11fd6454bb67da849864170b44.exe
  Resource: win10v2004-20231222-en
General
Target: 0c3bdc11fd6454bb67da849864170b44.exe
Size: 1.4MB
MD5: 0c3bdc11fd6454bb67da849864170b44
SHA1: 1c925518e075761758a47f677016c95f5e80c92c
SHA256: bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1
SHA512: b75c5e2967976c5df69b7ad438b9dc26b68accd1fe707575f396b3926e16c99dbf7fd4f30815430e5160461793de9f7897bc2660307f94aa8795a01220b7ad9b
SSDEEP: 24576:rAOcZAh8BbGTd6g+HrTWCGMnuce4hXQoVUsywK6ULRrAPWcBfhNQXNmrKb:taRov+LCuug7VU4KVrAPWLIrKb
Malware Config
Extracted
family: hawkeye_reborn
version: 9.0.1.6
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: heavenly.logs@yandex.com
Password: PLAYBOY@123
Mutex: 0afb590f-6441-4e30-9017-486274a19cc9
fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: PLAYBOY@123
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: smtp.yandex.com
  _EmailUsername: heavenly.logs@yandex.com
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 2880
  _MeltFile: false
  _Mutex: 0afb590f-6441-4e30-9017-486274a19cc9
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 9.0.1.6
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
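The sandbox emits the `fields` entry of an extracted config as a Go-style `map[key:value ...]` string; the copy embedded below is that string for this sample. The Python that follows is an added example, not the sandbox's or HawkEye's own code: it parses the dump back into typed values, pulls out the exfiltration indicators a responder would block or report (the SMTP drop account and the mutex), and lists which logger modules the operator switched on. The function names are this example's own. The parser assumes, as Go's formatter does, that no value contains whitespace; a value that did would produce a token without a colon, which is rejected rather than silently merged into its neighbour.

```python
import re

# Copied verbatim from the "fields" entry of this report (sample-specific values).
FIELDS_BLOB = (
    "map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false "
    "_ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false "
    "_DisableRegEdit:false _DisableTaskManager:false _Disablers:false "
    "_EmailPassword:PLAYBOY@123 _EmailPort:587 _EmailSSL:true "
    "_EmailServer:smtp.yandex.com _EmailUsername:heavenly.logs@yandex.com "
    "_ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 "
    "_FakeMessageShow:false _FileBinder:false _HideFile:false "
    "_HistoryCleaner:false _Install:false _InstallLocation:0 "
    "_InstallStartup:false _InstallStartupPersistance:false "
    "_KeyStrokeLogger:true _LogInterval:2880 _MeltFile:false "
    "_Mutex:0afb590f-6441-4e30-9017-486274a19cc9 _PasswordStealer:true "
    "_ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false "
    "_SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false "
    "_WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false "
    "_ZoneID:false]"
)


def _coerce(raw: str):
    """Go prints bools and ints unquoted; recover them, leave everything else a str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw          # dotted versions, GUIDs, hostnames, addresses


def parse_go_map(blob: str) -> dict:
    """Parse a `map[k:v k:v ...]` dump as produced by Go's fmt package.

    Values are unquoted, so whitespace is the only delimiter available. A value
    containing a space would surface as a token with no ':' in it; that is
    reported as an error instead of being silently attached to a neighbour.
    """
    m = re.fullmatch(r"\s*map\[(.*)\]\s*", blob, re.S)
    if not m:
        raise ValueError("not a Go map dump")
    cfg = {}
    for token in m.group(1).split():
        key, sep, raw = token.partition(":")   # split on the FIRST colon only
        if not sep:
            raise ValueError(f"token without key/value separator: {token!r}")
        cfg[key] = _coerce(raw)
    return cfg


def exfil_iocs(cfg: dict) -> dict:
    """Indicators worth blocking or hunting: the operator's drop mailbox and the mutex."""
    return {
        "smtp_server": cfg["_EmailServer"],
        "smtp_port": cfg["_EmailPort"],
        "smtp_tls": cfg["_EmailSSL"],
        "smtp_account": cfg["_EmailUsername"],
        "mutex": cfg["_Mutex"],
        "version": cfg["_Version"],
    }


def enabled_capabilities(cfg: dict) -> list:
    """Every boolean switch the operator turned on, leading underscore stripped."""
    return sorted(k.lstrip("_") for k, v in cfg.items() if v is True)


if __name__ == "__main__":
    config = parse_go_map(FIELDS_BLOB)
    for k, v in exfil_iocs(config).items():
        print(f"{k:14} {v}")
    print("enabled:", ", ".join(enabled_capabilities(config)))
```

For this sample the enabled switches are the clipboard logger, keystroke logger and password stealer (plus SMTP TLS). Note that `_Install`, `_InstallStartup` and `_MeltFile` are all false: this build carries no persistence of its own, so a host sweep should key on the mutex and on the hollowed RegSvcs.exe/vbc.exe hosts rather than on autostart entries. The SMTP username is what to hand to the provider's abuse contact.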
Signatures
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
Processes (resource, yara_rule):
  behavioral2/memory/2356-46-0x0000000000810000-0x0000000000F05000-memory.dmp  m00nd3v_logger
  behavioral2/memory/2356-47-0x0000000000810000-0x00000000008A0000-memory.dmp  m00nd3v_logger
NirSoft MailPassView (4 IoCs)
Password recovery tool for various email clients
Processes (resource, yara_rule):
  behavioral2/memory/2356-49-0x0000000005650000-0x00000000056C6000-memory.dmp  MailPassView
  behavioral2/memory/1264-67-0x0000000000400000-0x000000000041C000-memory.dmp  MailPassView
  behavioral2/memory/1264-71-0x0000000000400000-0x000000000041C000-memory.dmp  MailPassView
  behavioral2/memory/1264-69-0x0000000000400000-0x000000000041C000-memory.dmp  MailPassView
NirSoft WebBrowserPassView (5 IoCs)
Password recovery tool for various web browsers
Processes (resource, yara_rule):
  behavioral2/memory/2356-49-0x0000000005650000-0x00000000056C6000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4372-59-0x0000000000400000-0x000000000045B000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4372-58-0x0000000000400000-0x000000000045B000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4372-56-0x0000000000400000-0x000000000045B000-memory.dmp  WebBrowserPassView
  behavioral2/memory/4372-65-0x0000000000400000-0x000000000045B000-memory.dmp  WebBrowserPassView
Nirsoft (8 IoCs)
Processes (resource, yara_rule):
  behavioral2/memory/2356-49-0x0000000005650000-0x00000000056C6000-memory.dmp  Nirsoft
  behavioral2/memory/4372-59-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
  behavioral2/memory/4372-58-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
  behavioral2/memory/4372-56-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
  behavioral2/memory/4372-65-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
  behavioral2/memory/1264-67-0x0000000000400000-0x000000000041C000-memory.dmp  Nirsoft
  behavioral2/memory/1264-71-0x0000000000400000-0x000000000041C000-memory.dmp  Nirsoft
  behavioral2/memory/1264-69-0x0000000000400000-0x000000000041C000-memory.dmp  Nirsoft
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  process: 0c3bdc11fd6454bb67da849864170b44.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
Processes (pid, process):
  2504  urdavsa.pif
Uses the VBS compiler for execution (1 TTP)
The sandbox's signature name is a misnomer: vbc.exe is the Visual Basic .NET compiler shipped with the .NET Framework, not a VBScript engine. Here it is started by RegSvcs.exe and immediately written to and re-pointed via SetThreadContext (see the entries below), so it serves only as a legitimate, Microsoft-signed host image for the NirSoft payloads.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
  process: vbc.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 72
  ioc: bot.whatismyipaddress.com
Suspicious use of SetThreadContext (3 IoCs)
Processes (pid process -> target pid target process):
  2504 urdavsa.pif -> 2356 RegSvcs.exe
  2356 RegSvcs.exe -> 4372 vbc.exe
  2356 RegSvcs.exe -> 1264 vbc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process, number of hits):
  2356  RegSvcs.exe   4
  2504  urdavsa.pif   48
  4372  vbc.exe       12
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
  Token: SeDebugPrivilege  2356  RegSvcs.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
  2356  RegSvcs.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Processes (pid process -> target pid target process, number of writes):
  452  0c3bdc11fd6454bb67da849864170b44.exe -> 2504 urdavsa.pif   3
  2504 urdavsa.pif -> 2356 RegSvcs.exe   5
  2356 RegSvcs.exe -> 4372 vbc.exe   9
  2356 RegSvcs.exe -> 1264 vbc.exe   9
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0c3bdc11fd6454bb67da849864170b44.exe (PID 452)
    "C:\Users\Admin\AppData\Local\Temp\0c3bdc11fd6454bb67da849864170b44.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\82139548\urdavsa.pif (PID 2504)
      "C:\Users\Admin\AppData\Local\Temp\82139548\urdavsa.pif" rpgc.htg
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2356)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4372)
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC98A.tmp"
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1264)
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCDA1.tmp"
          - Accesses Microsoft Outlook accounts
Bracketed numbers are the tree depth. PIDs are taken from the signature tables above; the two vbc.exe instances are matched to PIDs 4372 and 1264 by cross-referencing the EnumeratesProcesses and Outlook-access signatures with the WebBrowserPassView (4372) and MailPassView (1264) YARA hits.
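Read together, the SetThreadContext and WriteProcessMemory signatures and the process tree describe process hollowing: urdavsa.pif writes into a freshly started RegSvcs.exe and resets its thread context, and the hollowed RegSvcs.exe does the same to two vbc.exe instances, which it drives with `/stext <file>`. That switch is NirSoft's save-report-as-text option, not a vbc.exe compiler flag, which is why the MailPassView and WebBrowserPassView YARA rules fire inside vbc.exe memory. The Python below is an added example of detection logic for this pattern, not sandbox or vendor code: it rebuilds the injection edges from per-pair API events, flags a pair only when both a memory write and a thread-context change are seen (a parent writing into a child it has just created is normal, so the 452 -> 2504 write alone is correctly not flagged), and extracts the dump paths from the vbc.exe command lines. The event and command-line tables are transcribed from this report; the association of PIDs 4372 and 1264 with the two vbc.exe command lines is inferred from the signature cross-reference, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Transcribed from the report's SetThreadContext / WriteProcessMemory entries as
# (api, source_pid, source_image, target_pid, target_image). The sandbox lists
# each pair several times; one event per (pair, api) is enough for this logic.
EVENTS = [
    ("WriteProcessMemory", 452, "0c3bdc11fd6454bb67da849864170b44.exe", 2504, "urdavsa.pif"),
    ("WriteProcessMemory", 2504, "urdavsa.pif", 2356, "RegSvcs.exe"),
    ("SetThreadContext", 2504, "urdavsa.pif", 2356, "RegSvcs.exe"),
    ("WriteProcessMemory", 2356, "RegSvcs.exe", 4372, "vbc.exe"),
    ("SetThreadContext", 2356, "RegSvcs.exe", 4372, "vbc.exe"),
    ("WriteProcessMemory", 2356, "RegSvcs.exe", 1264, "vbc.exe"),
    ("SetThreadContext", 2356, "RegSvcs.exe", 1264, "vbc.exe"),
]

# Command lines from the process tree. PID -> vbc.exe mapping is inferred (see lead-in).
CMDLINES = {
    452: r'"C:\Users\Admin\AppData\Local\Temp\0c3bdc11fd6454bb67da849864170b44.exe"',
    2504: r'"C:\Users\Admin\AppData\Local\Temp\82139548\urdavsa.pif" rpgc.htg',
    2356: r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
    4372: r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC98A.tmp"',
    1264: r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCDA1.tmp"',
}

# Both calls must be observed on the same source->target pair.
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def hollowing_candidates(events):
    """Return (src_pid, src_image, dst_pid, dst_image) for every pair where the
    source both wrote into the target and replaced its thread context.

    Requiring both calls separates hollowing from ordinary process creation:
    CreateProcess makes the parent write into the child's address space too,
    but a normal parent never calls SetThreadContext on it afterwards.
    """
    seen = defaultdict(set)
    image = {}
    for api, spid, simg, tpid, timg in events:
        seen[(spid, tpid)].add(api)
        image[spid], image[tpid] = simg, timg
    return sorted(
        (spid, image[spid], tpid, image[tpid])
        for (spid, tpid), apis in seen.items()
        if HOLLOWING_APIS <= apis
    )


# vbc.exe followed by NirSoft's /stext <path>; the path may or may not be quoted.
_STEXT = re.compile(r'\\vbc\.exe"?\s+/stext\s+"?([^"]+)"?', re.I)


def nirsoft_stext_dumps(cmdlines):
    """Map pid -> output file for vbc.exe invocations carrying NirSoft's /stext
    switch. The VB.NET compiler has no such switch; its presence means the
    process image was replaced by a NirSoft recovery tool that is writing its
    credential report to that path."""
    dumps = {}
    for pid, cmdline in cmdlines.items():
        m = _STEXT.search(cmdline)
        if m:
            dumps[pid] = m.group(1)
    return dumps


def triage(events, cmdlines):
    """One structure for the responder: injection edges, the legitimate images
    that were hollowed, and where the credential dumps were written."""
    edges = hollowing_candidates(events)
    return {
        "hollowing": edges,
        "hollowed_hosts": sorted({dst for _, _, _, dst in edges}),
        "nirsoft_dumps": nirsoft_stext_dumps(cmdlines),
    }


if __name__ == "__main__":
    report = triage(EVENTS, CMDLINES)
    for spid, simg, tpid, timg in report["hollowing"]:
        print(f"{spid} {simg} -> hollowed {tpid} {timg}")
    for pid, path in report["nirsoft_dumps"].items():
        print(f"{pid} vbc.exe wrote NirSoft report to {path}")
```

On a real endpoint the same two conditions map onto Sysmon event ID 8 (CreateRemoteThread is not used here, so watch for the write/context pair via an EDR that logs NtWriteVirtualMemory and NtSetContextThread) plus a process-creation rule for `vbc.exe` with `/stext` in its command line; the `/stext` match alone is already a high-confidence signal because no legitimate build pipeline passes it to the compiler.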
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\82139548\pqbfmorxw.docx
  Filesize: 64KB
  MD5: 9e34af872e105d5d14cc32bbecc85d75
  SHA1: dea0f74f0a62496a220e0f4c113844620367cb8f
  SHA256: 16162b0c39821a78589aa6565060b9caa5275719057af12623a814aecafe2a75
  SHA512: aa73914ef3ab5d7bad413ff0799355f3232510dab62c6f6774f2ec21f007406523a88c8056cfb46f049478589d386c5aba3d2dfd9d000ec6c9e82e2fc55df0a7
C:\Users\Admin\AppData\Local\Temp\82139548\rpgc.htg
  Filesize: 1.1MB (the argument passed to urdavsa.pif in the process tree)
  MD5: 83d6fb120ecdef15371b4ea02b9c370b
  SHA1: 4deb4a880fb6e0d8a46e57b63c89e91412501eb8
  SHA256: 0c7532b97fb429bdc98183cbef353fa6463adb9b74b6a9398e70366be1cbe170
  SHA512: 65db602cb2c60b02cdcef9800b69f9de9ed66ad1f0e38b7383df75b3ec520426ecd4bd2934882f51cf9f29e786b3380bd437f2bc1a15919484fed41f1ba35073
C:\Users\Admin\AppData\Local\Temp\82139548\urdavsa.pif
  Filesize: 646KB
  MD5: cdbb08d4234736c4a052dc3f181e66f2
  SHA1: 6801a805b6dcb760e8bf399a7d3ad0489fec7bfb
  SHA256: 07e5f6d7ec7ccbc3d742658e9161d799934c6f7f6a3ebf560f361b4ee1730b6a
  SHA512: 1ebd1a546e64d4b36d4f143ff7211d953f8db8e74c739db5e9c0939a6eb010a461fd1368f8a7813a8a2da804de6993010075ac21e4917d74d3f9394eaebafdfb
C:\Users\Admin\AppData\Local\Temp\tmpC98A.tmp
  (no size recorded; the digests below are the well-known values for zero-length input, i.e. the /stext report vbc.exe wrote here was empty when collected)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
memory/1264-69-0x0000000000400000-0x000000000041C000-memory.dmp: 112KB
memory/1264-71-0x0000000000400000-0x000000000041C000-memory.dmp: 112KB
memory/1264-67-0x0000000000400000-0x000000000041C000-memory.dmp: 112KB
memory/2356-53-0x00000000058A0000-0x0000000005906000-memory.dmp: 408KB
memory/2356-48-0x0000000072AF0000-0x00000000732A0000-memory.dmp: 7.7MB
memory/2356-51-0x000000000A260000-0x000000000A804000-memory.dmp: 5.6MB
memory/2356-50-0x0000000005720000-0x0000000005730000-memory.dmp: 64KB
memory/2356-55-0x00000000060D0000-0x0000000006162000-memory.dmp: 584KB
memory/2356-73-0x00000000055B0000-0x00000000055BA000-memory.dmp: 40KB
memory/2356-72-0x0000000072AF0000-0x00000000732A0000-memory.dmp: 7.7MB
memory/2356-46-0x0000000000810000-0x0000000000F05000-memory.dmp: 7.0MB
memory/2356-47-0x0000000000810000-0x00000000008A0000-memory.dmp: 576KB
memory/2356-49-0x0000000005650000-0x00000000056C6000-memory.dmp: 472KB
memory/2356-52-0x0000000009E50000-0x0000000009EEC000-memory.dmp: 624KB
memory/4372-65-0x0000000000400000-0x000000000045B000-memory.dmp: 364KB
memory/4372-56-0x0000000000400000-0x000000000045B000-memory.dmp: 364KB
memory/4372-58-0x0000000000400000-0x000000000045B000-memory.dmp: 364KB
memory/4372-59-0x0000000000400000-0x000000000045B000-memory.dmp: 364KB