Analysis
max time kernel
135s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted
11-05-2024 18:23
Static task
static1
Behavioral task
behavioral1
Sample
DAILY PICK UP DETAILS.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
DAILY PICK UP DETAILS.exe
Resource
win10v2004-20240426-en
General
Target
DAILY PICK UP DETAILS.exe
Size
925KB
MD5
5bf757b62ee654ad58118227ffc8ef5d
SHA1
81f0a4c130ec7ac0fc61a40856c20ce0e3f0b1bf
SHA256
faf2bc046695592f8a809a0864f71a326206f9dd4075ac36fedc95654f99ce91
SHA512
d17e8b3c10a613a9af5a04e901862bf179dab8320895ee94ad1a9ac6d06b7378d2ee7dca8bc95f5489aaaff328632b24055cf1c13723fb19eb356d910ba2ed9c
SSDEEP
24576:hQiSpPmlPPUTBW8LoaTVDcolx3UeT0vpJ0rmQKH5/t9AA:uiSAlndGd3xkeovpJ0rqH5
Malware Config
Extracted
Family: hawkeye_reborn
Version: 9.0.1.6
Protocol: smtp
Host: mail.oppobihar.in
Port: 587
Username: [email protected]
Password: oppo@12345
Mutex: ba1e53be-21d5-4b75-92f5-e24f34036bcb
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:oppo@12345 _EmailPort:587 _EmailSSL:false _EmailServer:mail.oppobihar.in _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:ba1e53be-21d5-4b75-92f5-e24f34036bcb _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
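The `fields` line is a Go map dump of the builder switches the operator chose. As an added example that is not part of the report, the Python below parses that dump exactly as printed above into typed values and reduces it to what an analyst acts on: which loggers are on (keystrokes, clipboard, passwords), whether any install or persistence switch is set, and the SMTP exfiltration endpoint. The username is copied as the page shows it; the grouping of switches into collection, evasion and persistence sets follows their names and is my reading, not a documented HawkEye schema.

```python
import re
from typing import Any

# Config dump copied from the report above (HawkEye Reborn v9 "fields" line).
# The username value is reproduced exactly as the page shows it.
HAWKEYE_FIELDS = (
    "map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true "
    "_Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false "
    "_Disablers:false _EmailPassword:oppo@12345 _EmailPort:587 _EmailSSL:false "
    "_EmailServer:mail.oppobihar.in _EmailUsername:[email protected] _ExecutionDelay:10 "
    "_FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false "
    "_HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 "
    "_InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true "
    "_LogInterval:10 _MeltFile:false _Mutex:ba1e53be-21d5-4b75-92f5-e24f34036bcb "
    "_PasswordStealer:true _ProcessElevation:false _ProcessProtection:false "
    "_ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false "
    "_WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]"
)

# Switch groupings are an assumption based on the switch names, not a HawkEye schema.
COLLECTION_FLAGS = ("_KeyStrokeLogger", "_ClipboardLogger", "_PasswordStealer",
                    "_ScreenshotLogger", "_WebCamLogger", "_SystemInfo")
EVASION_FLAGS = ("_AntiDebugger", "_AntiVirusKiller", "_BotKiller", "_Disablers",
                 "_ProcessProtection", "_ProcessElevation", "_DisableTaskManager",
                 "_DisableRegEdit", "_DisableCommandPrompt")
PERSISTENCE_FLAGS = ("_Install", "_InstallStartup", "_InstallStartupPersistance", "_MeltFile")


def _coerce(raw: str) -> Any:
    """Go prints bools as true/false and ints bare; everything else stays a string."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_fields(dump: str) -> dict[str, Any]:
    """Parse a Go `map[k:v k:v ...]` dump into a typed dict.

    Tokens are split only on whitespace that is followed by a `_Key:` token, so a
    value that itself contains spaces (a fake-message title, say) is not torn apart.
    """
    m = re.fullmatch(r"\s*map\[(.*)\]\s*", dump, re.S)
    if not m:
        raise ValueError("not a map[...] dump")
    cfg: dict[str, Any] = {}
    for token in re.split(r"\s+(?=_[A-Za-z0-9]+:)", m.group(1)):
        key, sep, val = token.partition(":")
        if not sep:
            raise ValueError(f"malformed token: {token!r}")
        cfg[key] = _coerce(val)
    return cfg


def summarize(cfg: dict[str, Any]) -> dict[str, Any]:
    """Reduce the raw switches to what an analyst acts on: what it steals, how it
    hides, whether it persists, and where the loot goes."""
    exfil = None
    if cfg.get("_EmailServer"):
        exfil = {
            "protocol": "smtp",  # the report labels delivery 0 as SMTP
            "host": cfg["_EmailServer"],
            "port": cfg["_EmailPort"],
            "tls": bool(cfg.get("_EmailSSL")),
            "username": cfg.get("_EmailUsername"),
        }
    return {
        "version": cfg.get("_Version"),
        "mutex": cfg.get("_Mutex"),
        "collects": [f for f in COLLECTION_FLAGS if cfg.get(f)],
        "evasion": [f for f in EVASION_FLAGS if cfg.get(f)],
        "persists": any(cfg.get(f) for f in PERSISTENCE_FLAGS),
        "exfil": exfil,
        "execution_delay": cfg.get("_ExecutionDelay"),
    }


def network_iocs(cfg: dict[str, Any]) -> list[str]:
    """host:port pairs the sample will contact, for blocklists and proxy log searches."""
    iocs = []
    if cfg.get("_EmailServer"):
        iocs.append(f"{cfg['_EmailServer']}:{cfg['_EmailPort']}")
    return iocs


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_fields(HAWKEYE_FIELDS)), indent=2))
```

For this sample the summary shows the mutex from the config, three collection switches on, no persistence and no evasion switches, and a plaintext SMTP drop on port 587 with `_EmailSSL` false, which matches the behaviour in the process tree (no install, credential dumps sent off-host).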
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
Modifies Windows Defender Real-time Protection settings 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | DAILY PICK UP DETAILS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | DAILY PICK UP DETAILS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | DAILY PICK UP DETAILS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | DAILY PICK UP DETAILS.exe
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | DAILY PICK UP DETAILS.exe
M00nd3v_Logger 1 IoCs
resource | yara_rule
behavioral2/memory/900-53-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/3268-71-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral2/memory/3268-72-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral2/memory/3268-74-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/memory/1760-60-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/1760-62-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/1760-63-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/1760-69-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
Nirsoft 7 IoCs
resource | yara_rule
behavioral2/memory/1760-60-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/1760-62-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/1760-63-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/1760-69-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/3268-71-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral2/memory/3268-72-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral2/memory/3268-74-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | DAILY PICK UP DETAILS.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DAILY PICK UP DETAILS.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DAILY PICK UP DETAILS.exe
Uses the VBS compiler for execution 1 TTPs
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | DAILY PICK UP DETAILS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | DAILY PICK UP DETAILS.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
65 | bot.whatismyipaddress.com
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | DAILY PICK UP DETAILS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | DAILY PICK UP DETAILS.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 2748 set thread context of 900 | 2748 | DAILY PICK UP DETAILS.exe | 101
PID 900 set thread context of 1760 | 900 | DAILY PICK UP DETAILS.exe | 103
PID 900 set thread context of 3268 | 900 | DAILY PICK UP DETAILS.exe | 104
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process | occurrences
4980 | powershell.exe | 2
1760 | vbc.exe | 12
900 | DAILY PICK UP DETAILS.exe | 2
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4980 | powershell.exe
Token: SeDebugPrivilege | 900 | DAILY PICK UP DETAILS.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
900 | DAILY PICK UP DETAILS.exe
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target | occurrences
PID 2748 wrote to memory of 4980 | 2748 | DAILY PICK UP DETAILS.exe | 99 | 3
PID 2748 wrote to memory of 900 | 2748 | DAILY PICK UP DETAILS.exe | 101 | 8
PID 900 wrote to memory of 1760 | 900 | DAILY PICK UP DETAILS.exe | 103 | 9
PID 900 wrote to memory of 3268 | 900 | DAILY PICK UP DETAILS.exe | 104 | 9
Processes
C:\Users\Admin\AppData\Local\Temp\DAILY PICK UP DETAILS.exe (level 1, PID 2748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DAILY PICK UP DETAILS.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Windows security modification
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 4980)
    Command line: "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\DAILY PICK UP DETAILS.exe (level 2, PID 900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DAILY PICK UP DETAILS.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3, PID 1760)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6230.tmp"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3, PID 3268)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6657.tmp"
      - Accesses Microsoft Outlook accounts
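The signatures and process tree above describe one observable chain: Defender real-time protection policy values written to 1 and TamperProtection written to 0, the sample respawning itself from Temp, the child setting thread context on two vbc.exe processes that are then run with NirSoft's /stext save switch (a switch the real VB compiler does not use), and an external-IP lookup. As an added example that is not part of the report or of the sandbox's own signature engine, the Python below runs detection rules of that shape over constructed Sysmon-style events. The PIDs, paths, command lines and registry values are taken from the report; the event field layout, the benign MSBuild control row (PID 5000) and the additional IP-lookup domains beyond bot.whatismyipaddress.com are assumptions.

```python
import re
from typing import Any, Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\DAILY PICK UP DETAILS.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
RTP = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Constructed events shaped like Sysmon records (EventID 1 process create, 13 registry
# value set, 22 DNS query). Values come from the report above; the field layout and
# the benign control row (PID 5000) are assumptions for this example.
EVENTS: list[dict[str, Any]] = [
    {"EventID": 1, "ProcessId": 2748, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 2748, "Image": SAMPLE,
     "TargetObject": RTP + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 2748, "Image": SAMPLE,
     "TargetObject": RTP + r"\DisableOnAccessProtection", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 2748, "Image": SAMPLE,
     "TargetObject": RTP + r"\DisableScanOnRealtimeEnable", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 2748, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "ProcessId": 4980, "Image": PS, "ParentImage": SAMPLE,
     "CommandLine": '"powershell" Get-MpPreference -verbose'},
    {"EventID": 1, "ProcessId": 900, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 1760, "Image": VBC, "ParentImage": SAMPLE,
     "CommandLine": f'"{VBC}" /stext "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp6230.tmp"'},
    {"EventID": 1, "ProcessId": 3268, "Image": VBC, "ParentImage": SAMPLE,
     "CommandLine": f'"{VBC}" /stext "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp6657.tmp"'},
    {"EventID": 22, "ProcessId": 900, "Image": SAMPLE, "QueryName": "bot.whatismyipaddress.com"},
    # Benign control (constructed): a real build invoking the VB compiler via a response file.
    {"EventID": 1, "ProcessId": 5000, "Image": VBC,
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "CommandLine": f'"{VBC}" /noconfig @"C:\\build\\app.rsp"'},
]

# Policy values under Real-Time Protection named Disable* being set to 1.
RTP_DISABLE = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)
TAMPER_OFF = re.compile(r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
# NirSoft "save report" switches; the .NET compilers have no such options.
NIRSOFT_SWITCH = re.compile(r"\s/s(text|tab|comma|tabular|html|verhtml|xml)\b", re.I)
# bot.whatismyipaddress.com is from the report; the others are common services (assumed list).
IP_LOOKUP = {"bot.whatismyipaddress.com", "api.ipify.org", "icanhazip.com", "checkip.dyndns.org"}


def dword(details: str) -> Optional[int]:
    """Accept Sysmon's 'DWORD (0x00000001)' form and the sandbox's bare '1' form."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    if m:
        return int(m.group(1), 16)
    text = details.strip().strip('"')
    return int(text) if re.fullmatch(r"-?\d+", text) else None


def evaluate(events: list[dict[str, Any]]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, evidence) for every event that matches a rule."""
    findings = []
    for e in events:
        pid, eid = e["ProcessId"], e["EventID"]
        if eid == 13:
            target, value = e["TargetObject"], dword(e["Details"])
            name = target.rsplit("\\", 1)[-1]
            if RTP_DISABLE.search(target) and value == 1:
                findings.append(("defender_realtime_disabled", pid, name))
            elif TAMPER_OFF.search(target) and value == 0:
                findings.append(("defender_tamper_protection_off", pid, name))
        elif eid == 1:
            image, parent, cmd = e["Image"].lower(), e["ParentImage"].lower(), e["CommandLine"]
            if image.endswith("\\vbc.exe") and NIRSOFT_SWITCH.search(cmd):
                findings.append(("vbc_running_nirsoft_tool", pid, cmd))
            if image == parent and "\\appdata\\local\\temp\\" in image:
                findings.append(("self_respawn_from_temp", pid, image))
            if image.endswith("\\powershell.exe") and "get-mppreference" in cmd.lower():
                findings.append(("defender_config_recon", pid, cmd))  # weak signal on its own
        elif eid == 22 and e.get("QueryName", "").lower() in IP_LOOKUP:
            findings.append(("external_ip_lookup", pid, e["QueryName"]))
    return findings


def triggered_rules(events: list[dict[str, Any]]) -> list[str]:
    return sorted({f[0] for f in evaluate(events)})


def pids_for(events: list[dict[str, Any]], rule: str) -> list[int]:
    return sorted({f[1] for f in evaluate(events) if f[0] == rule})


if __name__ == "__main__":
    for rule, pid, evidence in evaluate(EVENTS):
        print(f"{rule:32} pid={pid:<5} {evidence}")
```

The vbc.exe rule is the highest-value one: a compiler image whose command line carries a NirSoft switch only makes sense if the compiler's memory was replaced, which is exactly what the SetThreadContext and WriteProcessMemory rows above record. The Defender registry rules fire on the policy writes themselves, so they catch the tampering whether or not Defender was actually running in the sandbox.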
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
680B
MD5
f94345ac912a59f4e45424d0f5097e7d
SHA1
e77ca1a71f479dbef84049c6c4a5a036f009888a
SHA256
5b8473c0e3ca2187c394644e5c0e0b65bd10dcd5bb5422da927cba7b1caf3100
SHA512
68a9fbb50900b21c2e6712a7f8ee834c86f61e02a426268a5a2ee3cedcb235e5be67e26fbee164835fd1aab95a76bec304cb34b7a16610f82576373bd16b55a1
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
Filesize
4KB
MD5
2f9f3e06c08fbefb9d972eb45910783e
SHA1
f8452829b8404981ee3f7ac2f8f4b16825014c14
SHA256
41fcf3117cab8796adc9854cf66a6533fc2766f0e36abdaf04ce5fd7c13f5a50
SHA512
db33ff568a991b3b7d6574e0b4514236f22d3df30c26593a18d7f2d879be2f6831e9d9361800ca349303ba9c43591643f04c090fb16dfc99f7301e197ff48dec