Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10ec4f09f82d...d3.exe
windows10-2004-x64
10efd97b1038...ea4.js
windows10-2004-x64
3emotet_exe...04.exe
windows10-2004-x64
10emotet_exe...23.exe
windows10-2004-x64
10eupdate.exe
windows10-2004-x64
7f4f47c67be...3f.exe
windows10-2004-x64
10fb5d110ced...9c.exe
windows10-2004-x64
6fee15285c3...35.exe
windows10-2004-x64
10file(1).exe
windows10-2004-x64
1file.exe
windows10-2004-x64
7gjMEi6eG.exe
windows10-2004-x64
10good.exe
windows10-2004-x64
10hyundai st...1).exe
windows10-2004-x64
10hyundai st...10.exe
windows10-2004-x64
10infected d...er.exe
windows10-2004-x64
10inps_979.xls
windows10-2004-x64
1jar.jar
windows10-2004-x64
10june9.dll
windows10-2004-x64
10mouse_2.exe
windows10-2004-x64
10oof.exe
windows10-2004-x64
3openme.exe
windows10-2004-x64
10ou55sg33s_1.exe
windows10-2004-x64
10senate.dll
windows10-2004-x64
10starticon3.exe
windows10-2004-x64
10str.dll
windows10-2004-x64
10svchost.exe
windows10-2004-x64
10update.exe
windows10-2004-x64
10vir1.xlsx
windows10-2004-x64
1wwf[1].exe
windows10-2004-x64
10xNet.dll
windows10-2004-x64
1전산 및...��.exe
windows10-2004-x64
10전산 및...�1.exe
windows10-2004-x64
10Analysis
-
max time kernel
144s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04/12/2024, 19:31
Static task
static1
Behavioral task
behavioral1
Sample
ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
eupdate.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
file(1).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
file.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
gjMEi6eG.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
good.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
hyundai steel-pipe- job 8010(1).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
hyundai steel-pipe- job 8010.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
infected dot net installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
inps_979.xls
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
jar.jar
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
june9.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
mouse_2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
oof.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
openme.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
ou55sg33s_1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
senate.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
starticon3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
str.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
svchost.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
update.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
vir1.xlsx
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
wwf[1].exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
xNet.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral32
Sample
전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
Resource
win10v2004-20241007-en
General
-
Target
hyundai steel-pipe- job 8010(1).exe
-
Size
721KB
-
MD5
0999a03694a1c97a43ac0de89cbf355e
-
SHA1
0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d
-
SHA256
8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b
-
SHA512
6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9
-
SSDEEP
12288:wdnX6tet6u5CB6m6FQgsPQCjyEtbK7DSQDnwjAR7EOP9uSlcC3ro:QXUim6m6FyPJzcQjNSuYro
Malware Config
Extracted
hawkeye_reborn
10.1.2.2
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
castor123@
245f77ec-c812-48df-870b-886d22992db6
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:castor123@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:245f77ec-c812-48df-870b-886d22992db6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Hawkeye_reborn family
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nd3v_logger family
-
resource yara_rule behavioral13/memory/3632-4-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hyundai steel-pipe- job 8010(1).exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hyundai steel-pipe- job 8010(1).exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hyundai steel-pipe- job 8010(1).exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3620 set thread context of 3632 3620 hyundai steel-pipe- job 8010(1).exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hyundai steel-pipe- job 8010(1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hyundai steel-pipe- job 8010(1).exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3620 hyundai steel-pipe- job 8010(1).exe 3632 hyundai steel-pipe- job 8010(1).exe 3632 hyundai steel-pipe- job 8010(1).exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3620 hyundai steel-pipe- job 8010(1).exe Token: SeDebugPrivilege 3632 hyundai steel-pipe- job 8010(1).exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3632 hyundai steel-pipe- job 8010(1).exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3620 wrote to memory of 3632 3620 hyundai steel-pipe- job 8010(1).exe 81 PID 3620 wrote to memory of 3632 3620 hyundai steel-pipe- job 8010(1).exe 81 PID 3620 wrote to memory of 3632 3620 hyundai steel-pipe- job 8010(1).exe 81 PID 3620 wrote to memory of 3632 3620 hyundai steel-pipe- job 8010(1).exe 81 PID 3620 wrote to memory of 3632 3620 hyundai steel-pipe- job 8010(1).exe 81 PID 3620 wrote to memory of 3632 3620 hyundai steel-pipe- job 8010(1).exe 81 PID 3620 wrote to memory of 3632 3620 hyundai steel-pipe- job 8010(1).exe 81 PID 3620 wrote to memory of 3632 3620 hyundai steel-pipe- job 8010(1).exe 81 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hyundai steel-pipe- job 8010(1).exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hyundai steel-pipe- job 8010(1).exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe"C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3632
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hyundai steel-pipe- job 8010(1).exe.log
Filesize667B
MD5fad44290d2f569240416a287677a6b34
SHA10799266664e37852987cc24398f9a70c7e56742b
SHA256e955c99499359471526e95c22a084d1578997c39ecab988badf6798cfbd995b0
SHA512ee4136ac147d41646368eeb16390598c1da2b9e3bb8331b43062a72e4ad1d05eec56dcc727f9b5b447756c3edc855b08ef0c241073a5f88e749714f2beb98bc3