Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
31-05-2024 17:11
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT-PDF.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
PAYMENT-PDF.exe
Resource
win10v2004-20240508-en
General
-
Target
PAYMENT-PDF.exe
-
Size
518KB
-
MD5
d8b7335d7669b24ddb9b239953f0d7a7
-
SHA1
f119bea19f892adc161a0ebb15ffbcc8150cc3c5
-
SHA256
39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9
-
SHA512
96c2ef1da4c5c1f55c17cadd46959a0ec8c0d9ddc947ac2c5c85fb9a3910d76436079ce2ed739c4f27f5d54cd8d1776670aeea305061fc43a046c92ebfbe515e
-
SSDEEP
12288:mEtjkdhUeFE6ySHS+aoISuYZ0kaJWIkkQNvnr5de:mDZE6hSDoISnqkAvQNvnr5g
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource                                                                       yara_rule
behavioral1/memory/2760-23-0x00000000050E0000-0x0000000005170000-memory.dmp   m00nd3v_logger
behavioral1/memory/2704-29-0x0000000000400000-0x0000000000490000-memory.dmp   m00nd3v_logger
behavioral1/memory/2704-32-0x0000000000400000-0x0000000000490000-memory.dmp   m00nd3v_logger
behavioral1/memory/2704-34-0x0000000000400000-0x0000000000490000-memory.dmp   m00nd3v_logger
behavioral1/memory/2704-28-0x0000000000400000-0x0000000000490000-memory.dmp   m00nd3v_logger
behavioral1/memory/2704-36-0x0000000000400000-0x0000000000490000-memory.dmp   m00nd3v_logger -
Drops startup file 1 IoCs
description    ioc                                                                                      Process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url   PAYMENT-PDF.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
4      bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description                           pid    Process           procid_target
PID 2760 set thread context of 2704   2760   PAYMENT-PDF.exe   31 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid    Process
2760   PAYMENT-PDF.exe
2760   PAYMENT-PDF.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid    Process
Token: SeDebugPrivilege   2760   PAYMENT-PDF.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description                        pid    Process           procid_target
PID 2760 wrote to memory of 2724   2760   PAYMENT-PDF.exe   28
PID 2760 wrote to memory of 2724   2760   PAYMENT-PDF.exe   28
PID 2760 wrote to memory of 2724   2760   PAYMENT-PDF.exe   28
PID 2760 wrote to memory of 2724   2760   PAYMENT-PDF.exe   28
PID 2724 wrote to memory of 2588   2724   csc.exe           30
PID 2724 wrote to memory of 2588   2724   csc.exe           30
PID 2724 wrote to memory of 2588   2724   csc.exe           30
PID 2724 wrote to memory of 2588   2724   csc.exe           30
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31
PID 2760 wrote to memory of 2704   2760   PAYMENT-PDF.exe   31 -
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe (PID:2760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID:2724)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ytxlzlf3\ytxlzlf3.cmdline"
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID:2588)
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1989.tmp" "c:\Users\Admin\AppData\Local\Temp\ytxlzlf3\CSCE5338EB7B032412BB8607D5F2F2556A0.TMP"

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID:2704)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
-
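The process tree above shows the sample (PID 2760) compiling a helper through csc.exe, then starting RegAsm.exe (PID 2704), writing into its memory twelve times and calling SetThreadContext on it, while the csc.exe and cvtres.exe children each receive four writes and no thread-context change. The Python below is an added example and is not part of the sandbox report: it parses the report's own WriteProcessMemory and SetThreadContext records (copied verbatim as the sample input) together with the process tree's PID-to-image mapping, and flags only the writer/target pair that shows both behaviours, which is the process-hollowing pattern. The NET_HOSTS list of signed .NET utilities commonly used as hollowing hosts is an assumption made for the example; the report itself only shows RegAsm.exe.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Event records copied from this report's "Suspicious use of WriteProcessMemory"
# and "Suspicious use of SetThreadContext" signatures. Field order:
# PID <src> <verb> <dst> <src> <src image> <procid_target>. One record per call.
WPM_EVENTS = """\
PID 2760 wrote to memory of 2724 2760 PAYMENT-PDF.exe 28
PID 2760 wrote to memory of 2724 2760 PAYMENT-PDF.exe 28
PID 2760 wrote to memory of 2724 2760 PAYMENT-PDF.exe 28
PID 2760 wrote to memory of 2724 2760 PAYMENT-PDF.exe 28
PID 2724 wrote to memory of 2588 2724 csc.exe 30
PID 2724 wrote to memory of 2588 2724 csc.exe 30
PID 2724 wrote to memory of 2588 2724 csc.exe 30
PID 2724 wrote to memory of 2588 2724 csc.exe 30
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
PID 2760 wrote to memory of 2704 2760 PAYMENT-PDF.exe 31
"""

STC_EVENTS = "PID 2760 set thread context of 2704 2760 PAYMENT-PDF.exe 31\n"

# pid -> image path, taken from the report's process tree.
PROCESSES: Dict[int, str] = {
    2760: r"C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe",
    2724: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
    2588: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
    2704: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
}

# Signed .NET framework utilities often chosen as hollowing hosts. This list is
# an assumption for the example; the report only evidences RegAsm.exe.
NET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
             "aspnet_compiler.exe", "applaunch.exe"}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?:wrote to memory of|set thread context of) (?P<dst>\d+)\b"
)


@dataclass(frozen=True)
class Finding:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    writes: int      # WriteProcessMemory records from src into dst
    net_host: bool   # dst image is one of the utilities in NET_HOSTS


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_pairs(text: str) -> List[Tuple[int, int]]:
    """Return (src_pid, dst_pid) for every record line matching EVENT_RE."""
    pairs = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            pairs.append((int(m["src"]), int(m["dst"])))
    return pairs


def write_counts(wpm_text: str = WPM_EVENTS) -> Counter:
    """Number of WriteProcessMemory records per (writer, target) pair."""
    return Counter(parse_pairs(wpm_text))


def find_hollowing(wpm_text: str = WPM_EVENTS, stc_text: str = STC_EVENTS,
                   processes: Dict[int, str] = PROCESSES) -> List[Finding]:
    """Flag pairs where src wrote into dst AND reset a thread context in dst.
    Pairs with writes only (csc.exe, cvtres.exe here) are not reported."""
    writes = write_counts(wpm_text)
    findings = []
    for src, dst in sorted(set(parse_pairs(stc_text))):
        if writes[(src, dst)] == 0:
            continue
        dst_image = basename(processes.get(dst, "<unknown>"))
        findings.append(Finding(
            src_pid=src, dst_pid=dst,
            src_image=basename(processes.get(src, "<unknown>")),
            dst_image=dst_image, writes=writes[(src, dst)],
            net_host=dst_image.lower() in NET_HOSTS,
        ))
    return findings


if __name__ == "__main__":
    for f in find_hollowing():
        print(f"{f.src_image} (PID {f.src_pid}) -> {f.dst_image} (PID {f.dst_pid}): "
              f"{f.writes} writes + SetThreadContext; .NET host={f.net_host}")
```

Run on the report's records, the only finding is PAYMENT-PDF.exe (2760) into RegAsm.exe (2704) with 12 writes; the pairs 2760 to 2724 and 2724 to 2588 keep their 4 writes each but have no SetThreadContext record and so stay unflagged. The same split, writes plus a thread-context change versus writes alone, is what an EDR rule keyed on the same two API events would use.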
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
1KB
MD5
1f2b74ce792469557afcb4752710ac95
SHA1
e2b71b88d0d780d0dcbdc2b1934d0461aa136dbb
SHA256
bffccc117db9cfc9209faf3063f81b8c00f847c61e81345b57602e7452bde4f5
SHA512
ecd8b63dc05ba9ca1da3a2e3b67597ce526088e996727723933a49ddcb68d1736206b8a8ff398b74cb3bc41372a8074d3e66cef9d280d634a492f56d58dc7556
-
Filesize
6KB
MD5
e6f2af6754112273824ff2fe5f909821
SHA1
3e4e41d76981fe3e754ecd0a6cd8fa79a7d6f031
SHA256
b5fb6dd4599227a830bebb1e715d92c39abb1e0a61a988870d6b875ddd3045d6
SHA512
09aa97b916e1dd58828f6abb15e47db54d448a42fa510f5a8aac9bc7d723769671843307692a26e34bfe1f9a876bb55c5de8985eaaa587b0db351a5ca7cebe35
-
Filesize
17KB
MD5
d7ea8e57223a5e79f804f1bc5e12cfc8
SHA1
b9c6bacbf585fb84b36368ca31ffde497c8558be
SHA256
a9a23d19dd1a109f9ab1f86c2c8076c15be6137529aeadbe34c4aa7bd597c57e
SHA512
3695df7275162743eb98f499a4800a830496a8e38b610a774f827b83dbc3762bd7b36e0be84df803a76caeefb6be041eee9a169a776dfb9aabeab7c989cda2cc
-
Filesize
1KB
MD5
6a3ff8fa0834df00563761aa6423273b
SHA1
37fe69aa63094e2ed281697dd4ad01109b68fea9
SHA256
7d6fcea81c1f8d0e09aa1bc12ad72d3cd1428182559a3cd105b172303474fb8e
SHA512
16059b7e6bcb30a3ce80ca0bca262d0fc9e53e3c1ef2ff9b28d56ac2ad689d820b8a332668cf2365c714c029aa553033371e3a1af086e20979450ea4b210c1ea
-
Filesize
3KB
MD5
b6823d54afabf958afeefb18571df6e2
SHA1
9565aaf3eb244d657951d7a4f6bcdecf2b5bd2b4
SHA256
215489b46857eb0ffa39c0bc87f61944b6fb14d4fecc628db6e57d9e0eb27a10
SHA512
9b111ff86b7e36cc52750aad546e6c2c71e8ac90ae327880dc8666a749370312d1d2be34da3d24c5161a569c6452754248e3b8fbfecb2a25b9063237ac08c318
-
Filesize
312B
MD5
d96e701077a9f6569251fdbf64e6cb15
SHA1
a2bae36aad79646911a068bb83ce4115b4bcfa01
SHA256
ba216704d3d5a5e8262d5533cb8d2b06ba20452ea632c8592af65f1c07896464
SHA512
ea2a993fbed447f4909f70e0fd092f4d95b4515f3d820f63adeeb90ed72b59058e39d5df5275d342b1786d91b95858c99374465763c8c55373bf4c362d0cd5d2