Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
15-06-2024 14:04
Static task
static1
Behavioral task
behavioral1
Sample
Bill of Lading 849393_PDF.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Bill of Lading 849393_PDF.exe
Resource
win10v2004-20240508-en
General
-
Target
Bill of Lading 849393_PDF.exe
-
Size
1.2MB
-
MD5
73c2cd286f7fd036ddd063bc13625f52
-
SHA1
6b75d16f137ee336bed4c0bc04ce0a1edcfb735c
-
SHA256
1e2d1f6aa0d7209265b92faa2a4665d1906bffb20f2521134ef1fd6e87624b1a
-
SHA512
67d714d339f149499cf8c7df1814d0e2091ca1932b3c1fed43df810c6ff5a484c49b8d2eaa609568b353e3c6f2f0ffca55a37d30faf43bf43aa3d057f39eb035
-
SSDEEP
24576:IPJU+Pdx5J0XIcfkfvizNE5EbUR7tenbuuK:IPe+V6Rcfviz5bMeu
Malware Config
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral1/memory/2288-7-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2288-9-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/2288-11-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2288-14-0x0000000000740000-0x00000000007B6000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2288-14-0x0000000000740000-0x00000000007B6000-memory.dmp WebBrowserPassView -
Nirsoft 1 IoCs
resource yara_rule behavioral1/memory/2288-14-0x0000000000740000-0x00000000007B6000-memory.dmp Nirsoft -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1716 set thread context of 2288 1716 Bill of Lading 849393_PDF.exe 28 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1716 Bill of Lading 849393_PDF.exe Token: SeDebugPrivilege 2288 AppLaunch.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28 PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28 PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28 PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28 PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28 PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28 PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28 PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28 PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28 PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28 PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28 PID 1716 wrote to memory of 2288 1716 Bill of Lading 849393_PDF.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bill of Lading 849393_PDF.exe"C:\Users\Admin\AppData\Local\Temp\Bill of Lading 849393_PDF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288
-