Analysis
-
max time kernel
135s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
27-05-2024 03:23
Static task
static1
Behavioral task
behavioral1
Sample
Documents98376532453.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
Documents98376532453.exe
Resource
win10v2004-20240426-en
General
-
Target
Documents98376532453.exe
-
Size
951KB
-
MD5
0bf39869b08ade7c8ed45ff5a26f70c4
-
SHA1
09ba2e264420ccd1cb0aae13501a7329c3493f54
-
SHA256
a9b7dbcbe943925db368bcc5c700d3f77dde99190780b94dc9f1439fe17a4bba
-
SHA512
4e17bfb64903b993f5aaa83ae844611566394a71596133d187ed2d38802b0c2d18781bbd6610f6628265ccc89fb1f4f69bae2a321048c38b104c1bab30259658
-
SSDEEP
24576:/lozTZfU0l3vcCbatx3vi9uPnl2NSBSynBG1ST:/lGzaT/iI4SBSynBV
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral1/memory/2488-23-0x00000000053A0000-0x0000000005430000-memory.dmp m00nd3v_logger behavioral1/memory/2536-32-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2536-28-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2536-36-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2536-34-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2536-26-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/1296-66-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral1/memory/1296-67-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral1/memory/1296-69-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2364-50-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral1/memory/2364-51-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral1/memory/2364-53-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView -
Nirsoft 6 IoCs
resource yara_rule behavioral1/memory/2364-50-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral1/memory/2364-51-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral1/memory/2364-53-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral1/memory/1296-66-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral1/memory/1296-67-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral1/memory/1296-69-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url Documents98376532453.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2488 set thread context of 2536 2488 Documents98376532453.exe 31 PID 2536 set thread context of 2364 2536 RegAsm.exe 33 PID 2536 set thread context of 1296 2536 RegAsm.exe 36 -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2488 Documents98376532453.exe 2488 Documents98376532453.exe 2364 vbc.exe 2364 vbc.exe 2364 vbc.exe 2364 vbc.exe 2364 vbc.exe 2536 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2488 Documents98376532453.exe Token: SeDebugPrivilege 2536 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2536 RegAsm.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2488 wrote to memory of 2724 2488 Documents98376532453.exe 28 PID 2488 wrote to memory of 2724 2488 Documents98376532453.exe 28 PID 2488 wrote to memory of 2724 2488 Documents98376532453.exe 28 PID 2488 wrote to memory of 2724 2488 Documents98376532453.exe 28 PID 2724 wrote to memory of 2532 2724 csc.exe 30 PID 2724 wrote to memory of 2532 2724 csc.exe 30 PID 2724 wrote to memory of 2532 2724 csc.exe 30 PID 2724 wrote to memory of 2532 2724 csc.exe 30 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2488 wrote to memory of 2536 2488 Documents98376532453.exe 31 PID 2536 wrote to memory of 2364 2536 RegAsm.exe 33 PID 2536 wrote to memory of 2364 2536 RegAsm.exe 33 PID 2536 wrote to memory of 2364 2536 RegAsm.exe 33 PID 2536 wrote to memory of 2364 2536 RegAsm.exe 33 PID 2536 wrote to memory of 2364 2536 RegAsm.exe 33 PID 2536 wrote to memory of 2364 2536 RegAsm.exe 33 PID 2536 wrote to memory of 2364 2536 RegAsm.exe 33 PID 2536 wrote to memory of 2364 2536 RegAsm.exe 33 PID 2536 wrote to memory of 2364 2536 RegAsm.exe 33 PID 2536 wrote to memory of 2364 2536 RegAsm.exe 33 PID 2536 wrote to memory of 1296 2536 RegAsm.exe 36 PID 2536 wrote to memory of 1296 2536 RegAsm.exe 36 PID 2536 wrote to memory of 1296 2536 RegAsm.exe 36 PID 2536 wrote to memory of 1296 2536 RegAsm.exe 36 PID 2536 wrote to memory of 1296 2536 RegAsm.exe 36 PID 2536 wrote to memory of 1296 2536 RegAsm.exe 36 PID 2536 wrote to memory of 1296 2536 RegAsm.exe 36 PID 2536 wrote to memory of 1296 2536 RegAsm.exe 36 PID 2536 wrote to memory of 1296 2536 RegAsm.exe 36 PID 2536 wrote to memory of 1296 2536 RegAsm.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\Documents98376532453.exe"C:\Users\Admin\AppData\Local\Temp\Documents98376532453.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owjvpf5s\owjvpf5s.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C38.tmp" "c:\Users\Admin\AppData\Local\Temp\owjvpf5s\CSC951A3B3E49264B8D96FBC879F73E4656.TMP"3⤵PID:2532
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp474D.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2364
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp38FC.tmp"3⤵
- Accesses Microsoft Outlook accounts
PID:1296
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD595b290f377fbd15b57a0fb373edaf01e
SHA1ccbbdc3e1b7982a536fdd5073d49b0b9bc6644f5
SHA25679810ae8266c16501567c69130b75af783aca98b2040e82ca36a0cf9e5927b68
SHA5121e69e91da9d99a6f4efbef03df33a9d05b54cce39111d7b9cd200674194e0fcb4075546df418db37331160bef3efdf6d4dfd5d91571976e39116769191f2de1d
-
Filesize
25KB
MD5b9b1e8e15955cd656a2183db67d65c5c
SHA16bf78e9f2ea511a26859ea3f9e4a9bd7b51f404d
SHA2562e8fd4b03fdd78be7411e33107a7c00d976d78bb25f61340535ebd09bfcb9a79
SHA512c54f6e3e0de85aacaa871b68a2cebebe7501887ed23f4499d793e4bca551800ab5137b439c5edc9c6ab41bad085b93d5a1ff68ba102b998d8db737169a60b67d
-
Filesize
83KB
MD5528478490ace592dcf9ee8a5b197cefd
SHA1232197d3c77519a7580b0775c90c9cb1408fba82
SHA25658dcef84a295284f43753b07149510bdf1074a9ce2054828dd5a7c7882079f72
SHA512f7ce0d2138f13ad1f23bb7f29a4f766b4e31be57528a770b995cc1ec3e0388f50a67e48cd57ce239a690c2073fee8fa8821c7feccbba4f21da01219cf79386d1
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1KB
MD5c4439214ce21963a245260edb33991c1
SHA11043679f5aeff8dc3679840102bf1568844127c3
SHA2560a785eb018dc9485154871f1b68fc983e40f23fb78e32a9ae4e33f65be3f6eae
SHA512f69cb80e8cc51f86e86f0162b9039d5ff3d89d7c54e319a57e9450a05bc2e6edabafbabcc7eb7b5bd9274205e193a2ccb6267a11d088a8136006f781e8192b3d
-
Filesize
63KB
MD5db8db79a3b3807a4539ffdd44b3e030b
SHA16aa911e5e19e0286586186068efe2099ccea2d06
SHA25684c25a6d9142065a80e4f4f01b6a5ee06eac1f2ef1f87806bf291e42099b1fc1
SHA5121cb1f9ac55984b775fb79911493f34c71b7c0038dd32d468f17bc93b5d9a76f4185ff74b84fc5906311f4a9525390be03a7d5d3fe5f4c8eb06eb12c193e2b114
-
Filesize
312B
MD54183804834bb4c8541503e369954d876
SHA1c87144835cab7d295cfb1aa226a99376f527da27
SHA2561770dde61e7f88347acbab5848923f092311e08a4291387da360401c0cf52441
SHA5121aba5b6976e9b4ba5f02d78486b2fcf31803265ef0e0aff3fec65d23b855e1eaab0f789a2da7caf55430208c86668f6be62fb0dc85ad6ee09922267f8bc28793