hawkeye_reborn | dec757dc1c2b7722acf90fb43dac3e8e7052fa4c4a3c7c53126d93af5013ab2c

General

Target

INV1.exe
Size

2.4MB
MD5

0d4d52901a4cb69ba79e116f0db9de72
SHA1

47c90b1490f7b3523490794951f3fa79a4114c91
SHA256

dec757dc1c2b7722acf90fb43dac3e8e7052fa4c4a3c7c53126d93af5013ab2c
SHA512

9947dcd78c31ef1bfa0cdcf821179426b461d0706b967a50a43bb19e13cd73ccaccb7f6a041a9ce00585a9371984ed7ed0409dfae0041f5d875698210a930f76

Score

10^/10

keylogger trojan stealer spyware hawkeye_reborn

Malware Config

Signatures

Suspicious use of SetThreadContext 3 IoCs

Processes:

INV1.exeRegAsm.exe

description	pid	process	target process
PID 1844 set thread context of 1864	1844	INV1.exe	RegAsm.exe
PID 1864 set thread context of 1280	1864	RegAsm.exe	vbc.exe
PID 1864 set thread context of 1036	1864	RegAsm.exe	vbc.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1896 cmd.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1920 timeout.exe
Reads browser user data or profiles (possible credential harvesting) 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

INV1.exe

pid process

1844 INV1.exe
1844 INV1.exe
1844 INV1.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

INV1.exe

pid process

1844 INV1.exe
1844 INV1.exe
1844 INV1.exe

pid	process
1896	cmd.exe

pid	process
1920	timeout.exe

pid	process
1844	INV1.exe
1844	INV1.exe
1844	INV1.exe

pid	process
1844	INV1.exe
1844	INV1.exe
1844	INV1.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

INV1.execmd.exeRegAsm.exe

description	pid	process	target process
PID 1844 wrote to memory of 1864	1844	INV1.exe	RegAsm.exe
PID 1844 wrote to memory of 1864	1844	INV1.exe	RegAsm.exe
PID 1844 wrote to memory of 1864	1844	INV1.exe	RegAsm.exe
PID 1844 wrote to memory of 1864	1844	INV1.exe	RegAsm.exe
PID 1844 wrote to memory of 1864	1844	INV1.exe	RegAsm.exe
PID 1844 wrote to memory of 1864	1844	INV1.exe	RegAsm.exe
PID 1844 wrote to memory of 1864	1844	INV1.exe	RegAsm.exe
PID 1844 wrote to memory of 1864	1844	INV1.exe	RegAsm.exe
PID 1844 wrote to memory of 1896	1844	INV1.exe	cmd.exe
PID 1844 wrote to memory of 1896	1844	INV1.exe	cmd.exe
PID 1844 wrote to memory of 1896	1844	INV1.exe	cmd.exe
PID 1844 wrote to memory of 1896	1844	INV1.exe	cmd.exe
PID 1896 wrote to memory of 1920	1896	cmd.exe	timeout.exe
PID 1896 wrote to memory of 1920	1896	cmd.exe	timeout.exe
PID 1896 wrote to memory of 1920	1896	cmd.exe	timeout.exe
PID 1896 wrote to memory of 1920	1896	cmd.exe	timeout.exe
PID 1864 wrote to memory of 1280	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1280	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1280	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1280	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1280	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1280	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1280	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1280	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1280	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1280	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1036	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1036	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1036	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1036	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1036	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1036	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1036	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1036	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1036	1864	RegAsm.exe	vbc.exe
PID 1864 wrote to memory of 1036	1864	RegAsm.exe	vbc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

INV1.exe

pid process

1844 INV1.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

1280 vbc.exe
HawkEye Reborn
HawkEye Reborn is an enchanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1844	INV1.exe

pid	process
1280	vbc.exe

Drops startup file 1 IoCs

Processes:

INV1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AppVFileSystemMetadata.url	INV1.exe

C:\Users\Admin\AppData\Local\Temp\INV1.exe
"C:\Users\Admin\AppData\Local\Temp\INV1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Drops startup file
PID:1844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2F68.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2175.tmp"
3⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\Admin\AppData\Local\Temp\INV1.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\timeout.exe
TimeOut 1
3⤵
- Delays execution with timeout.exe
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2F68.tmp

Download Submit
memory/1036-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1036-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1280-4-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1280-5-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1864-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1864-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1864-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads