Analysis
- max time kernel: 129s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 17:11
- Static task: static1
- Behavioral task: behavioral1 (sample PAYMENT-PDF.exe, resource win7-20240221-en)
- Behavioral task: behavioral2 (sample PAYMENT-PDF.exe, resource win10v2004-20240508-en)
General
- Target: PAYMENT-PDF.exe
- Size: 518KB
- MD5: d8b7335d7669b24ddb9b239953f0d7a7
- SHA1: f119bea19f892adc161a0ebb15ffbcc8150cc3c5
- SHA256: 39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9
- SHA512: 96c2ef1da4c5c1f55c17cadd46959a0ec8c0d9ddc947ac2c5c85fb9a3910d76436079ce2ed739c4f27f5d54cd8d1776670aeea305061fc43a046c92ebfbe515e
- SSDEEP: 12288:mEtjkdhUeFE6ySHS+aoISuYZ0kaJWIkkQNvnr5de:mDZE6hSDoISnqkAvQNvnr5g
Malware Config
- Extracted family: hawkeye_reborn
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  YARA rule matches (resource: yara_rule):
  - behavioral2/memory/1192-24-0x0000000005F10000-0x0000000005FA0000-memory.dmp: m00nd3v_logger
  - behavioral2/memory/2248-26-0x0000000000400000-0x0000000000490000-memory.dmp: m00nd3v_logger
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url (process: PAYMENT-PDF.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 26: bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1192 (PAYMENT-PDF.exe) set thread context of PID 2248 (procid_target 90)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 1192 PAYMENT-PDF.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 1192 PAYMENT-PDF.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  - PID 1192 (PAYMENT-PDF.exe) wrote to memory of PID 1932, procid_target 85 (3 events)
  - PID 1932 (csc.exe) wrote to memory of PID 1468, procid_target 87 (3 events)
  - PID 1192 (PAYMENT-PDF.exe) wrote to memory of PID 2248, procid_target 90 (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe (PID 1192)
  command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe"
  signatures: Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 1932)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\upfof0zh\upfof0zh.cmdline"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1468)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4602.tmp" "c:\Users\Admin\AppData\Local\Temp\upfof0zh\CSC44654972AA684549B9C8B4933562461.TMP"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 2248)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Downloads