Overview

overview

10

Static

static

3

9b6b4686d5...24.exe

windows7-x64

10

9b6b4686d5...24.exe

windows10-2004-x64

10

Resubmissions

26-02-2024 03:29

240226-d2btzacb9w 10

21-02-2024 10:44

240221-ms4m3aef65 10

14-02-2024 10:19

240214-mcq22agh28 10

Analysis

  • max time kernel
    348s
  • max time network
    318s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-02-2024 03:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b6b4686d55afe1479011ee77b5ffb24.exe

  • Size

    526KB

  • MD5

    9b6b4686d55afe1479011ee77b5ffb24

  • SHA1

    df3cc344a71e5bf855e3bc97b8848eb2daaf8afc

  • SHA256

    c0498d7a70e78c236241d0e91b3bb599c1961ea62a10bd76a16fe7b18824f646

  • SHA512

    dff029b93178d47a621f637ce82b710412c59784634bad760beaaa5255d7118474fd8f5f903be9ccba623bd3f42de4a06f09fe6f3799a85a8cf692184b346a4e

  • SSDEEP

    12288:tUiQnjozy4J/aA/z+DNZFFQ6yunCjo3QkFLcnhpSVfBPp9bJ:yrrstr+JFQ6jFAS

Score
10/10
hawkeye_rebornm00nd3v_loggercollectioninfostealerkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • M00nD3v Logger payload 5 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1420
      • C:\Users\Admin\AppData\Local\Temp\9b6b4686d55afe1479011ee77b5ffb24.exe
        "C:\Users\Admin\AppData\Local\Temp\9b6b4686d55afe1479011ee77b5ffb24.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Users\Admin\AppData\Local\Temp\9b6b4686d55afe1479011ee77b5ffb24.exe
          "C:\Users\Admin\AppData\Local\Temp\9b6b4686d55afe1479011ee77b5ffb24.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2560
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp96C3.tmp"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2588
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8AD3.tmp"
            4⤵
            • Accesses Microsoft Outlook accounts
            PID:1928
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2824
      • C:\Windows\system32\pcwrun.exe
        C:\Windows\system32\pcwrun.exe "C:\Users\Admin\AppData\Local\Temp\9b6b4686d55afe1479011ee77b5ffb24.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\System32\msdt.exe
          C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW5F4F.xml /skip TRUE
          3⤵
          • Suspicious use of FindShellTrayWindow
          PID:2708
      • C:\Users\Admin\AppData\Local\Temp\9b6b4686d55afe1479011ee77b5ffb24.exe
        "C:\Users\Admin\AppData\Local\Temp\9b6b4686d55afe1479011ee77b5ffb24.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1416
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        2⤵
          PID:2680
        • C:\Windows\system32\magnify.exe
          "C:\Windows\system32\magnify.exe"
          2⤵
            PID:1564
        • C:\Windows\System32\sdiagnhost.exe
          C:\Windows\System32\sdiagnhost.exe -Embedding
          1⤵
            PID:2124
          • C:\Windows\system32\utilman.exe
            utilman.exe /debug
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:548
            • C:\Windows\System32\Magnify.exe
              "C:\Windows\System32\Magnify.exe"
              2⤵
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:564
          • C:\Windows\system32\utilman.exe
            utilman.exe /debug
            1⤵
              PID:572

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024022603.000\PCW.0.debugreport.xml
              Filesize

              2KB

              MD5

              20b441fbb1909b426641795d99d4665e

              SHA1

              ffc897f0ae536e20f190529d3032077e83fef16c

              SHA256

              621a118e4a28175248c5cca8b844e8d7b870efd8384ba5e430945981ad798f24

              SHA512

              c97e6e350984be5808480dc1f61c97615b0d05cf5a59be136f68b48042100d8efc8f8d099338f8855ef21b9699d122c90d6c21e3caacfabeefd08604e7b9608a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\PCW5F4F.xml
              Filesize

              780B

              MD5

              55ca71ec6be6df080c50c13f4f45d7ea

              SHA1

              1712d9123c221091b22ea8bc3a858c2c34c6e06e

              SHA256

              7a78bb314af375494f89e79cfbdfd7b92132c08ff2472e7c6089c2dfe23f6dbd

              SHA512

              298d40c320d83f1fe14269f1897a02a293c1e1f5bc6cba9d3b37f36fa1f8b6d7e58d55c26af7cbe42eda5a601a934aa83f4c22e86637d065f01b0d127aac36e6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp96C3.tmp
              Filesize

              2B

              MD5

              f3b25701fe362ec84616a93a45ce9998

              SHA1

              d62636d8caec13f04e28442a0a6fa1afeb024bbb

              SHA256

              b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

              SHA512

              98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              Download Submit

            • C:\Windows\TEMP\SDIAG_73b9f9ae-67b4-4dcd-8b7b-b755ef87d7fa\TS_ProgramCompatibilityWizard.ps1
              Filesize

              9KB

              MD5

              46e22c2582b54be56d80d7a79fec9bb5

              SHA1

              604fac637a35f60f5c89d1367c695feb68255ccd

              SHA256

              459af2960b08e848573d45a7350223657adb2115f24a3c37e69ffe61dea647f9

              SHA512

              a9a24df3fb391738405d2ea32cd3ef8657d8d00d7366858a39c624dc9ebbf0b64d2817355d41eed6ad3cc7703d264d2921c8a2590ff95601d89f3cca72ba786f

              Download Submit

            • C:\Windows\Temp\SDIAG_73b9f9ae-67b4-4dcd-8b7b-b755ef87d7fa\DiagPackage.dll
              Filesize

              64KB

              MD5

              e382ec1c184e7d7d6da1e0b3eacfa84b

              SHA1

              9a0d95eb339774874f4f0da35d10fd326438b56c

              SHA256

              786d95dc0d59089e14055385cce8765888f55236b5220fdfd28cf2d9b07e63ee

              SHA512

              019bcb4f41b5bc5853db2fa528ef126e839c5b0d0dc096dd441ba02d8c71e7913efd16b74aed93952ad2cc5422b151c12d3017fc22a65ae5ce2e7e1fc72a396c

              Download Submit

            • C:\Windows\Temp\SDIAG_73b9f9ae-67b4-4dcd-8b7b-b755ef87d7fa\en-US\DiagPackage.dll.mui
              Filesize

              8KB

              MD5

              526bcf713fe4662e9f8a245a3a57048f

              SHA1

              cf0593c3a973495c395bbce779aef8764719abf7

              SHA256

              c8190f45d62c5c03013ffc66b3f9bf60f52a32464fa271d2fad5fd10432da606

              SHA512

              df7e93617461c2fd25b5b684311126e66b7cf9f1ecfbf4c8a944f65fb2c904194ec635a9c7b962d4583ea77b0312435c7dc1b5ecbcb1fb3a5a74fc1eb2c21d04

              Download Submit

            • memory/1416-216-0x0000000074A80000-0x000000007502B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1416-213-0x0000000000540000-0x0000000000580000-memory.dmp

              Filesize

              256KB

              Download

            • memory/1416-212-0x0000000074A80000-0x000000007502B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1416-214-0x0000000074A80000-0x000000007502B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1420-222-0x0000000003C40000-0x0000000003C41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1928-201-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1928-207-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1928-203-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1928-199-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1928-197-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1928-195-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1928-209-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1928-211-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1928-210-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/2124-155-0x0000000002630000-0x00000000026B0000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2124-154-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2124-156-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2124-194-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2560-19-0x0000000074A80000-0x000000007502B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2560-10-0x0000000000400000-0x0000000000490000-memory.dmp

              Filesize

              576KB

              Download

            • memory/2560-42-0x0000000074A80000-0x000000007502B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2560-20-0x0000000000A50000-0x0000000000A90000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2560-13-0x0000000000400000-0x0000000000490000-memory.dmp

              Filesize

              576KB

              Download

            • memory/2560-21-0x0000000074A80000-0x000000007502B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2560-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2560-9-0x0000000000400000-0x0000000000490000-memory.dmp

              Filesize

              576KB

              Download

            • memory/2560-7-0x0000000000400000-0x0000000000490000-memory.dmp

              Filesize

              576KB

              Download

            • memory/2560-17-0x0000000000400000-0x0000000000490000-memory.dmp

              Filesize

              576KB

              Download

            • memory/2560-5-0x0000000000400000-0x0000000000490000-memory.dmp

              Filesize

              576KB

              Download

            • memory/2560-217-0x0000000074A80000-0x000000007502B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2560-15-0x0000000000400000-0x0000000000490000-memory.dmp

              Filesize

              576KB

              Download

            • memory/2588-23-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/2588-35-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/2588-25-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/2588-27-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/2588-29-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/2588-31-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/2588-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2588-40-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/2588-38-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/2588-37-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/2704-0-0x0000000074A80000-0x000000007502B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2704-18-0x0000000074A80000-0x000000007502B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2704-2-0x00000000004D0000-0x0000000000510000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2704-1-0x0000000074A80000-0x000000007502B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2708-53-0x0000000000420000-0x0000000000421000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2824-43-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

              Download

            • memory/2824-44-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

              Download

            • memory/2824-45-0x0000000001D10000-0x0000000001D20000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2824-46-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

              Download

            • memory/2824-47-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

              Download

            • memory/2824-215-0x0000000000360000-0x0000000000361000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2824-218-0x0000000000360000-0x0000000000361000-memory.dmp

              Filesize

              4KB

              Download