Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-05-2024 03:23

Static task: static1
Behavioral task: behavioral1
  Sample: Documents98376532453.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: Documents98376532453.exe
  Resource: win10v2004-20240426-en

General

Target: Documents98376532453.exe
Size: 951KB
MD5: 0bf39869b08ade7c8ed45ff5a26f70c4
SHA1: 09ba2e264420ccd1cb0aae13501a7329c3493f54
SHA256: a9b7dbcbe943925db368bcc5c700d3f77dde99190780b94dc9f1439fe17a4bba
SHA512: 4e17bfb64903b993f5aaa83ae844611566394a71596133d187ed2d38802b0c2d18781bbd6610f6628265ccc89fb1f4f69bae2a321048c38b104c1bab30259658
SSDEEP: 24576:/lozTZfU0l3vcCbatx3vi9uPnl2NSBSynBG1ST:/lGzaT/iI4SBSynBV
Malware Config

Extracted
  Family: hawkeye_reborn
  fields | name
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  resource | yara_rule
  behavioral2/memory/632-24-0x0000000005D10000-0x0000000005DA0000-memory.dmp | m00nd3v_logger
  behavioral2/memory/5064-26-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
The first match is a non-image region inside the submitted sample (PID 632), i.e. the payload decoded in memory; the second is the 0x400000 image region of RegAsm.exe (PID 5064), the process that PID 632 later targets with SetThreadContext (see below). Together they indicate the logger was written into a hollowed RegAsm.exe rather than RegAsm.exe running its own code.
NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
  resource | yara_rule
  behavioral2/memory/4024-44-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
  behavioral2/memory/4024-45-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
  behavioral2/memory/4024-47-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers
  resource | yara_rule
  behavioral2/memory/3872-33-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
  behavioral2/memory/3872-35-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
  behavioral2/memory/3872-36-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
  behavioral2/memory/3872-42-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView

Nirsoft (7 IoCs)
  resource | yara_rule
  behavioral2/memory/3872-33-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/3872-35-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/3872-36-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/3872-42-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/4024-44-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
  behavioral2/memory/4024-45-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
  behavioral2/memory/4024-47-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft

MailPassView and WebBrowserPassView are legitimate NirSoft password-recovery utilities; the generic Nirsoft rule hits the same seven dumps as the two tool-specific rules. All matches sit in the 0x400000 image region of the two vbc.exe processes (WebBrowserPassView in PID 3872, MailPassView in PID 4024), both of which RegAsm.exe targeted with SetThreadContext, so each vbc.exe is a hollowed host running a NirSoft binary rather than the VB.NET compiler. The /stext switch on both vbc.exe command lines is NirSoft's option for writing recovered credentials to a text file (tmp732C.tmp and tmp7734.tmp here), which is how the logger collects the output. The MailPassView instance (PID 4024) is also the vbc.exe that opens the Outlook account registry key below.
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url | Documents98376532453.exe

Uses the VBS compiler for execution (1 TTP)
The signature name refers to vbc.exe, the Visual Basic .NET command-line compiler, not the VBScript engine; see the Processes section for how it is invoked here.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 632 set thread context of 5064 | 632 | Documents98376532453.exe | 89
  PID 5064 set thread context of 3872 | 5064 | RegAsm.exe | 97
  PID 5064 set thread context of 4024 | 5064 | RegAsm.exe | 98

Suspicious behavior: EnumeratesProcesses (16 IoCs, collapsed by process)
  pid | Process | count
  632 | Documents98376532453.exe | 2
  3872 | vbc.exe | 12
  5064 | RegAsm.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 632 | Documents98376532453.exe
  Token: SeDebugPrivilege | 5064 | RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  5064 | RegAsm.exe

Suspicious use of WriteProcessMemory (32 IoCs, collapsed by distinct source/target pair)
  description | pid | Process | procid_target | count
  PID 632 wrote to memory of 232 | 632 | Documents98376532453.exe | 83 | 3
  PID 232 wrote to memory of 2828 | 232 | csc.exe | 87 | 3
  PID 632 wrote to memory of 5064 | 632 | Documents98376532453.exe | 89 | 8
  PID 5064 wrote to memory of 3872 | 5064 | RegAsm.exe | 97 | 9
  PID 5064 wrote to memory of 4024 | 5064 | RegAsm.exe | 98 | 9

Reading these tables together: the two processes that adjust SeDebugPrivilege (632 and 5064) are exactly the two that both write into another process and replace its thread context, which is the process-hollowing combination. The write-only pairs (632 to csc.exe, csc.exe to cvtres.exe) have no matching SetThreadContext record and correspond to ordinary child creation. SetWindowsHookEx from the hollowed RegAsm.exe is consistent with the keystroke hooking this logger family performs, though the report does not record which hook type was installed.
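The injection chain can be recovered mechanically from the two tables above: a target that appears in both the WriteProcessMemory and SetThreadContext records was hollowed, a target that appears only in WriteProcessMemory was merely spawned. The script below is an added example, not part of the report or the sandbox's tooling; it parses the record text exactly as printed above (one copy of each repeated row), and the PID-to-name map is taken from the Processes section.

```python
import re

# The two signature tables above, one copy of each repeated row (report text, not constructed).
SET_THREAD_CONTEXT = (
    "PID 632 set thread context of 5064 632 Documents98376532453.exe 89 "
    "PID 5064 set thread context of 3872 5064 RegAsm.exe 97 "
    "PID 5064 set thread context of 4024 5064 RegAsm.exe 98"
)
WRITE_PROCESS_MEMORY = (
    "PID 632 wrote to memory of 232 632 Documents98376532453.exe 83 "
    "PID 232 wrote to memory of 2828 232 csc.exe 87 "
    "PID 632 wrote to memory of 5064 632 Documents98376532453.exe 89 "
    "PID 5064 wrote to memory of 3872 5064 RegAsm.exe 97 "
    "PID 5064 wrote to memory of 4024 5064 RegAsm.exe 98"
)
# PID -> image name, from the Processes tree in the report.
PROCESS_NAMES = {632: "Documents98376532453.exe", 232: "csc.exe", 2828: "cvtres.exe",
                 5064: "RegAsm.exe", 3872: "vbc.exe", 4024: "vbc.exe"}

# One record is: description, pid, Process, procid_target.  The "pid" column always
# repeats the source PID from the description, which the backreference enforces.
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) (?P<target_id>\d+)"
)


def parse_pairs(text):
    """Distinct (source_pid, target_pid) pairs found in one signature table."""
    return {(int(m["src"]), int(m["dst"])) for m in RECORD_RE.finditer(text)}


def injection_chain(stc_text, wpm_text):
    """child_pid -> parent_pid for every target that both received memory writes
    and had a thread context replaced: the process-hollowing combination."""
    return {dst: src for (src, dst) in parse_pairs(stc_text) & parse_pairs(wpm_text)}


def write_only_pairs(stc_text, wpm_text):
    """Targets written to but never thread-context-modified (ordinary child creation)."""
    return parse_pairs(wpm_text) - parse_pairs(stc_text)


def hollowing_paths(chain, names):
    """Render each leaf's full path back to the root injector, one line per leaf."""
    leaves = [pid for pid in chain if pid not in chain.values()]
    paths = []
    for leaf in sorted(leaves):
        path = [leaf]
        while path[-1] in chain:
            path.append(chain[path[-1]])
        paths.append(" -> ".join(f"{names[p]} ({p})" for p in reversed(path)))
    return paths


if __name__ == "__main__":
    chain = injection_chain(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY)
    for line in hollowing_paths(chain, PROCESS_NAMES):
        print(line)
    print("write-only (plain child creation):",
          sorted(write_only_pairs(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY)))
```

The set intersection is the important step: WriteProcessMemory alone fires for every normal CreateProcess in this sandbox (see the csc.exe and cvtres.exe rows), so hollowing should only be asserted where a SetThreadContext record names the same source and target.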
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Documents98376532453.exe (PID 632)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Documents98376532453.exe"
    Signatures: Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 232)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nuan43bw\nuan43bw.cmdline"
      Signatures: Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2828)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48A2.tmp" "c:\Users\Admin\AppData\Local\Temp\nuan43bw\CSCC62E2E38C81445759F9913FDAFFB620.TMP"

  [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 5064)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3872)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp732C.tmp"
        Signatures: Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4024)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7734.tmp"
        Signatures: Accesses Microsoft Outlook accounts

Two different things are happening in this tree. The csc.exe/cvtres.exe pair is a genuine runtime compile: a response file under a random temp directory passed with /noconfig /fullpaths, and cvtres.exe producing a RES*.tmp resource object, are the standard artifacts of the .NET CodeDom compiler API, so the sample builds code on the fly. RegAsm.exe and the two vbc.exe instances, by contrast, do no registration or compilation at all: RegAsm.exe is started with no arguments, vbc.exe with a /stext switch the compiler does not have, and each is the target of a SetThreadContext record. They are hollowed hosts whose names are chosen because they are Microsoft-signed binaries under C:\Windows, which is the detail to key on when writing detections.
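The process tree and signature tables give four concrete, host-visible behaviours: a signed .NET Framework utility started by an executable in a user-writable directory, one Framework utility spawning another, a /stext switch on a compiler binary, a .url file dropped into the Startup folder, and a non-Outlook process opening the Outlook account store. The detection pass below runs those checks over constructed events modelled on this report, plus a benign MSBuild-driven csc.exe launch as a control. It is an added example, not part of the report or the sandbox's signature logic; the normalized event schema (type, pid, image, parent_image, command_line, target, key) and the rule names are assumptions of this example, and the events are constructed from the tree above.

```python
import re

# Signed .NET Framework utilities that are common hollowing hosts (MSBuild deliberately
# excluded here so the benign control below is not flagged on the parent check).
DOTNET_FW = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(regasm|regsvcs|vbc|csc|cvtres)\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Users\\[^\\]+\\Downloads|ProgramData|Temp)\\", re.I)
STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
OUTLOOK_ACCOUNTS = re.compile(
    r"\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts$", re.I)


def arguments(command_line):
    """Everything after the executable token, which may be quoted or bare."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def detect(event):
    """Return the list of rule names that fire for one normalized event."""
    hits = []
    kind = event["type"]
    if kind == "process_create":
        image, parent, cmd = event["image"], event["parent_image"], event["command_line"]
        if DOTNET_FW.search(image) and USER_WRITABLE.search(parent):
            hits.append("dotnet_utility_from_user_writable_parent")
        # csc.exe legitimately invokes cvtres.exe; any other Framework-utility chain is odd.
        if (DOTNET_FW.search(image) and DOTNET_FW.search(parent)
                and not (image.lower().endswith("\\cvtres.exe")
                         and parent.lower().endswith("\\csc.exe"))):
            hits.append("dotnet_utility_spawned_by_dotnet_utility")
        if re.search(r"(^|\s)/stext\s", cmd, re.I):
            hits.append("nirsoft_stext_switch")  # NirSoft's save-to-text switch, not a compiler flag
        if image.lower().endswith("\\regasm.exe") and not arguments(cmd):
            hits.append("regasm_no_arguments")   # RegAsm needs an assembly path to do real work
    elif kind == "file_create":
        target = event["target"]
        if STARTUP_DIR.search(target) and target.lower().endswith(".url"):
            hits.append("url_shortcut_in_startup")
    elif kind == "registry_open":
        if OUTLOOK_ACCOUNTS.search(event["key"]) and not event["image"].lower().endswith("\\outlook.exe"):
            hits.append("outlook_account_store_read_by_non_outlook")
    return hits


def scan(events):
    """(pid, hits) for every event that triggered at least one rule."""
    return [(ev["pid"], detect(ev)) for ev in events if detect(ev)]


# Constructed events modelled on the report's process tree and signature tables.
EVENTS = [
    {"type": "process_create", "pid": 5064,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\Documents98376532453.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'},
    {"type": "process_create", "pid": 3872,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp732C.tmp"'},
    {"type": "file_create", "pid": 632,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Documents98376532453.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url"},
    {"type": "registry_open", "pid": 4024,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    # Benign control (constructed): a build-system compile should produce no hits.
    {"type": "process_create", "pid": 7000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig @"C:\src\app\obj\app.rsp"'},
]

if __name__ == "__main__":
    for pid, hits in scan(EVENTS):
        print(pid, hits)
```

Two telemetry caveats. A "key opened" event like the Outlook one is not something Sysmon records (its registry events cover create, delete, set and rename), so that rule needs Windows object-access auditing on the key or an EDR that hooks registry opens. And the parent-path check will also flag developer tooling that compiles from a temp directory, which is why the rules return a list rather than a verdict: the value here is in the combination (no-argument RegAsm.exe, then a Framework utility spawning another with /stext) rather than in any single rule.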
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 1KB
   MD5: 6d3c0e6c49e4dc05a79f1593715fa371
   SHA1: 283edd1fc01243fc8ccdccd28abc8bfe81676a9a
   SHA256: a0659ef5422a61e5aea07628a51b80723c0def2d5fe74b5064d979c7552cc29f
   SHA512: e7e48f11be60860c686c229ad1db804b9333172e1a41722115827ca83afda08e76fc5e8f3f588d59579863765e73957d7e06dee935e6939d766f223cbe180667

2. Filesize: 25KB
   MD5: 4e31f85d937c3566d6bd8c4e28867712
   SHA1: aee805dd8c7ab881cadc4c74b2e171463a7210b8
   SHA256: c081704da842994a8acf90c2d795b6cd8f97efdacdcfb31fa2d27ab1bbb9d647
   SHA512: 751437527ca8acafba1940f77eeaa3464d93b0222393740047edf4e8dcd48764aa1167fe9bed34295945100b808f7c66f3d21a33c9f1c98e10120c3ec3d7143f

3. Filesize: 83KB
   MD5: 399da3ad29b88fad17960a768165d8b0
   SHA1: e61d33bb6c93b7782c3aa91b6c95d4b96074173a
   SHA256: 397c3f0ab6f673097ff865b894a9d71ac3e602436e4d4ca70839efb4ac0ab8a6
   SHA512: a078567e16f0b0a0f61cc88ee91e906dcd46b892d333b319228ef0dbc18c00c264c661f1a772eefbb9d6cc7be981ed809d5d0509dc49b6c96a36d9d7954326bd

4. Filesize: 4KB
   MD5: 0c71400795defb1ddf2816dcb2440470
   SHA1: a9f25ddc014a44b58a890ac42ea47d98a3f754a3
   SHA256: eef6222f63aae44aec7addd2cdf1d348af92b32e0be1d4c857c48d9a941d9dac
   SHA512: 4d5fd766afe850d8282b85ca0ff3ef36e225e754254f43e1e3e0147675d40f901096199e666310e7f70b6cfbe9f33f3dbe4a063fbd4df7267190bad5121efabf

5. Filesize: 1KB
   MD5: cba5f02f530c6ccb2904ffccc038ecf0
   SHA1: fb0fe96056501d54fa487691c020de542b40c3f7
   SHA256: 6b39dbe9e4bf81f9051a16ecbb5c53aa87d495a79e453731d3b16422ba05ea5a
   SHA512: 3e81a142be29cc94a99baa0b5f6dddef5ceb45ab6a1b123eed9783e7f149eb71430721ae28a57fe37bbc29b232e86b5a9dc18db8a1685448f547d71aae726fb9

6. Filesize: 63KB
   MD5: db8db79a3b3807a4539ffdd44b3e030b
   SHA1: 6aa911e5e19e0286586186068efe2099ccea2d06
   SHA256: 84c25a6d9142065a80e4f4f01b6a5ee06eac1f2ef1f87806bf291e42099b1fc1
   SHA512: 1cb1f9ac55984b775fb79911493f34c71b7c0038dd32d468f17bc93b5d9a76f4185ff74b84fc5906311f4a9525390be03a7d5d3fe5f4c8eb06eb12c193e2b114

7. Filesize: 312B
   MD5: f090ac4d9caadb57c3b7968979c34a09
   SHA1: 332fa4ff6a4d1736e1bd3d5caadf4a969ba5477b
   SHA256: afca6df2f7e747717cf07323dda15c6bf8887daeea88faedf94c24316e571d6f
   SHA512: 69f7de4dbb721f14a9180203b7478189f5602f700515f862050d612c4747b792b236e919e0b4c9399aee59cb7525419d0db56bfc158345aedf51dd5320490f8e