hawkeye_reborn | e842dbdc4b41d7516d87ccc21fa365b93c4c94ce5a75dc6f06321f90efa19e29

General

Target

PO.exe
Size

799KB
MD5

ef043796a61db70e27b06e3cfe7209f1
SHA1

c78610ce51f61ebcc647a057def65409de76590a
SHA256

e842dbdc4b41d7516d87ccc21fa365b93c4c94ce5a75dc6f06321f90efa19e29
SHA512

72aab86bf1f1e2c75edfb56ec3fb0bb26766cb762f2408e5ba4e8791194a0b87118187a0f5c72a15285f3e16150a8704f675764750b6feb648b044bcaec31e09

Score

10^/10

spyware keylogger trojan stealer hawkeye_reborn

Malware Config

Signatures

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO.exeRegSvcs.exe

description	pid	process	target process
PID 2032 set thread context of 1280	2032	PO.exe	RegSvcs.exe
PID 1280 set thread context of 536	1280	RegSvcs.exe	vbc.exe
PID 1280 set thread context of 1708	1280	RegSvcs.exe	vbc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1044 schtasks.exe
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PO.exe

description pid process

Token: SeDebugPrivilege 2032 PO.exe

pid	process
1044	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2032	PO.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

PO.exeRegSvcs.exe

description	pid	process	target process
PID 2032 wrote to memory of 1044	2032	PO.exe	schtasks.exe
PID 2032 wrote to memory of 1044	2032	PO.exe	schtasks.exe
PID 2032 wrote to memory of 1044	2032	PO.exe	schtasks.exe
PID 2032 wrote to memory of 1044	2032	PO.exe	schtasks.exe
PID 2032 wrote to memory of 1276	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1276	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1276	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1276	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1276	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1276	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1276	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 2032 wrote to memory of 1280	2032	PO.exe	RegSvcs.exe
PID 1280 wrote to memory of 536	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 536	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 536	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 536	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 536	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 536	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 536	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 536	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 536	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 536	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 1708	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 1708	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 1708	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 1708	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 1708	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 1708	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 1708	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 1708	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 1708	1280	RegSvcs.exe	vbc.exe
PID 1280 wrote to memory of 1708	1280	RegSvcs.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PO.exevbc.exe

pid process

2032 PO.exe
536 vbc.exe

pid	process
2032	PO.exe
536	vbc.exe

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vpQgdie" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C85.tmp"
2⤵
- Creates scheduled task(s)
PID:1044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
PID:1276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC023.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB210.tmp"
3⤵
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8C85.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC023.tmp

Download Submit
memory/536-5-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/536-6-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1280-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1280-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1280-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1708-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1708-9-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads