Overview

overview

10

Static

static

3

PAYMENT-PDF.exe

windows7-x64

10

PAYMENT-PDF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 17:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT-PDF.exe

  • Size

    518KB

  • MD5

    d8b7335d7669b24ddb9b239953f0d7a7

  • SHA1

    f119bea19f892adc161a0ebb15ffbcc8150cc3c5

  • SHA256

    39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9

  • SHA512

    96c2ef1da4c5c1f55c17cadd46959a0ec8c0d9ddc947ac2c5c85fb9a3910d76436079ce2ed739c4f27f5d54cd8d1776670aeea305061fc43a046c92ebfbe515e

  • SSDEEP

    12288:mEtjkdhUeFE6ySHS+aoISuYZ0kaJWIkkQNvnr5de:mDZE6hSDoISnqkAvQNvnr5g

Score
10/10
hawkeye_rebornm00nd3v_loggerinfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger payload 2 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\upfof0zh\upfof0zh.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4602.tmp" "c:\Users\Admin\AppData\Local\Temp\upfof0zh\CSC44654972AA684549B9C8B4933562461.TMP"
        3⤵
          PID:1468
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
          PID:2248

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES4602.tmp
        Filesize

        1KB

        MD5

        714913f83f67cff1b91625617d8b2df4

        SHA1

        0f324d4c02e90acf415cdf228997b42ade9c2c37

        SHA256

        c2e9dda7d6f449f661fff807e78bc10732b01fcfdd52c8890c4bc16f964731dd

        SHA512

        adf9ec1970607520ea870970851851840fb3a137540ca4ce60cefc2ca3a8993f19d16e18bb6532ac326d80d1abd43ce24fc8caf686fa3c5a2de267d7454c4a7f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\upfof0zh\upfof0zh.dll
        Filesize

        6KB

        MD5

        f64c1b739390111f88745dd18cea0811

        SHA1

        a0aee5f970919c4db272458953a399589ed388e2

        SHA256

        6559669ebf2da9e3b2ce12594baf8589ebe5dad5b41a4394240fcaec7bf185b0

        SHA512

        1eb6dc0e768b216a17bdf280fc7ba8f38c554754220fbde320cb00434f6bdbc3cf191d34a215d51833471fd9f4e4d4826cb17805343e4764f62feb4d23cf7a7d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\upfof0zh\upfof0zh.pdb
        Filesize

        17KB

        MD5

        68261b3db26d8709accef92685038007

        SHA1

        4013d35b332cf3a2320a5580471b60c541e904ac

        SHA256

        d4c124cda73d8c7ef59d9f7a64920a95b6b0310cc6c601050f7831e1fd3291c2

        SHA512

        ec086ad8bcaa923e2173956674be13a5ed1b048ba05427e79b309449dfd45df1ed99e06f74b1242d5b74d21afeb96f8ca6f25d0456fb83a96707f00254255dc8

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\upfof0zh\CSC44654972AA684549B9C8B4933562461.TMP
        Filesize

        1KB

        MD5

        e4ed0c884387f6306626e5b2c0b4a09b

        SHA1

        0c72697da3e6943a0b5d3680340a5dca3a7bb284

        SHA256

        3d73942e2bf82019edc698d604422fb827be0f256ba310426c9fbaaa541831fd

        SHA512

        2d1e5324831052fc1131772020b5da38c530e91094e9d83d9f660bcc607a1bc23eb371fa75e49e78e69e8f93f5ed4d00cbd046dcd15eabdcb92a61162d40c5b7

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\upfof0zh\upfof0zh.0.cs
        Filesize

        3KB

        MD5

        b6823d54afabf958afeefb18571df6e2

        SHA1

        9565aaf3eb244d657951d7a4f6bcdecf2b5bd2b4

        SHA256

        215489b46857eb0ffa39c0bc87f61944b6fb14d4fecc628db6e57d9e0eb27a10

        SHA512

        9b111ff86b7e36cc52750aad546e6c2c71e8ac90ae327880dc8666a749370312d1d2be34da3d24c5161a569c6452754248e3b8fbfecb2a25b9063237ac08c318

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\upfof0zh\upfof0zh.cmdline
        Filesize

        312B

        MD5

        3194c0fa9773496e62661fbc69a2c8fe

        SHA1

        05d085a5cadab2c57d757f800e5b1697fdb671fe

        SHA256

        b134eecc318200f6de089343a8869eda10d91eb29c4f292bd359de56d4e8bf12

        SHA512

        658680d59f4a1e451e6678d0e12924ceb3b21466080ef00e34f55afc0e1e90c67114931d81b2e529a7f57b30002351eb1daf77b5d1e709ac951059e9e0e29619

        Download Submit
      • memory/1192-19-0x00000000058B0000-0x0000000005942000-memory.dmp
        Filesize

        584KB

        Download
      • memory/1192-24-0x0000000005F10000-0x0000000005FA0000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1192-1-0x0000000000E00000-0x0000000000E88000-memory.dmp
        Filesize

        544KB

        Download
      • memory/1192-17-0x00000000030E0000-0x00000000030E8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1192-0-0x000000007492E000-0x000000007492F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1192-20-0x0000000005E70000-0x0000000005F0A000-memory.dmp
        Filesize

        616KB

        Download
      • memory/1192-21-0x00000000057E0000-0x00000000057EC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1192-5-0x0000000074920000-0x00000000750D0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1192-25-0x0000000006040000-0x00000000060DC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/1192-28-0x0000000074920000-0x00000000750D0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2248-26-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/2248-29-0x0000000074B12000-0x0000000074B13000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2248-30-0x0000000074B10000-0x00000000750C1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2248-31-0x0000000074B10000-0x00000000750C1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2248-34-0x0000000074B10000-0x00000000750C1000-memory.dmp
        Filesize

        5.7MB

        Download