Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 17:26
Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENT-PDF.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: PAYMENT-PDF.exe
- Resource: win10v2004-20240426-en
General
- Target: PAYMENT-PDF.exe
- Size: 518KB
- MD5: d8b7335d7669b24ddb9b239953f0d7a7
- SHA1: f119bea19f892adc161a0ebb15ffbcc8150cc3c5
- SHA256: 39a4ec5ad4a36ea2d1be630d203942fc63badf94dcdb1384fb8a9e88431c92d9
- SHA512: 96c2ef1da4c5c1f55c17cadd46959a0ec8c0d9ddc947ac2c5c85fb9a3910d76436079ce2ed739c4f27f5d54cd8d1776670aeea305061fc43a046c92ebfbe515e
- SSDEEP: 12288:mEtjkdhUeFE6ySHS+aoISuYZ0kaJWIkkQNvnr5de:mDZE6hSDoISnqkAvQNvnr5g
Malware Config
- Extracted: hawkeye_reborn
- fields
- name
Signatures
- HawkEye Reborn: HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger: M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  resource | yara_rule
  behavioral1/memory/2176-23-0x00000000052E0000-0x0000000005370000-memory.dmp | m00nd3v_logger
  behavioral1/memory/2656-27-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
  behavioral1/memory/2656-30-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
  behavioral1/memory/2656-32-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
  behavioral1/memory/2656-34-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
  behavioral1/memory/2656-26-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jVoSSi.url | PAYMENT-PDF.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2176 set thread context of 2656 | 2176 | PAYMENT-PDF.exe | 31
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2176 | PAYMENT-PDF.exe
  2176 | PAYMENT-PDF.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2176 | PAYMENT-PDF.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 2176 wrote to memory of 1780 | 2176 | PAYMENT-PDF.exe | 28
  PID 2176 wrote to memory of 1780 | 2176 | PAYMENT-PDF.exe | 28
  PID 2176 wrote to memory of 1780 | 2176 | PAYMENT-PDF.exe | 28
  PID 2176 wrote to memory of 1780 | 2176 | PAYMENT-PDF.exe | 28
  PID 1780 wrote to memory of 2332 | 1780 | csc.exe | 30
  PID 1780 wrote to memory of 2332 | 1780 | csc.exe | 30
  PID 1780 wrote to memory of 2332 | 1780 | csc.exe | 30
  PID 1780 wrote to memory of 2332 | 1780 | csc.exe | 30
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
  PID 2176 wrote to memory of 2656 | 2176 | PAYMENT-PDF.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe (depth 1, PID 2176)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT-PDF.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 2, PID 1780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzleoa4c\dzleoa4c.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3, PID 2332)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3350.tmp" "c:\Users\Admin\AppData\Local\Temp\dzleoa4c\CSC995713171C754040BF9B48678788B076.TMP"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (depth 2, PID 2656)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
MITRE ATT&CK Matrix
Downloads