hawkeye_reborn | a4b07204b33173093041072e00e88d0083c88b88f634561aabe46ec8992f9332

General

Target

z7ZJdF1SfMKAp6L.exe
Size

397KB
MD5

e1939d61d59909862e2b058d96fe0789
SHA1

f95a110dee743c3d33aa737fbb164c7148c9248c
SHA256

a4b07204b33173093041072e00e88d0083c88b88f634561aabe46ec8992f9332
SHA512

58063d064a8cd919ef59e9a5d5989ffd615e6d1905291f84864a0684d45772abbbd19701251bd5790df7a28969229df219f8ac038033bab3f99250b475adc769

Score

10^/10

keylogger trojan stealer spyware hawkeye_reborn

Malware Config

Signatures

Suspicious use of SetThreadContext 3 IoCs

Processes:

z7ZJdF1SfMKAp6L.exeMSBuild.exe

description	pid	process	target process
PID 1432 set thread context of 1844	1432	z7ZJdF1SfMKAp6L.exe	MSBuild.exe
PID 1844 set thread context of 1548	1844	MSBuild.exe	vbc.exe
PID 1844 set thread context of 1940	1844	MSBuild.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

1844 MSBuild.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 bot.whatismyipaddress.com

pid	process
1844	MSBuild.exe

flow	ioc
4	bot.whatismyipaddress.com

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

z7ZJdF1SfMKAp6L.exeMSBuild.exe

description	pid	process	target process
PID 1432 wrote to memory of 1796	1432	z7ZJdF1SfMKAp6L.exe	schtasks.exe
PID 1432 wrote to memory of 1796	1432	z7ZJdF1SfMKAp6L.exe	schtasks.exe
PID 1432 wrote to memory of 1796	1432	z7ZJdF1SfMKAp6L.exe	schtasks.exe
PID 1432 wrote to memory of 1796	1432	z7ZJdF1SfMKAp6L.exe	schtasks.exe
PID 1432 wrote to memory of 1844	1432	z7ZJdF1SfMKAp6L.exe	MSBuild.exe
PID 1432 wrote to memory of 1844	1432	z7ZJdF1SfMKAp6L.exe	MSBuild.exe
PID 1432 wrote to memory of 1844	1432	z7ZJdF1SfMKAp6L.exe	MSBuild.exe
PID 1432 wrote to memory of 1844	1432	z7ZJdF1SfMKAp6L.exe	MSBuild.exe
PID 1432 wrote to memory of 1844	1432	z7ZJdF1SfMKAp6L.exe	MSBuild.exe
PID 1432 wrote to memory of 1844	1432	z7ZJdF1SfMKAp6L.exe	MSBuild.exe
PID 1432 wrote to memory of 1844	1432	z7ZJdF1SfMKAp6L.exe	MSBuild.exe
PID 1432 wrote to memory of 1844	1432	z7ZJdF1SfMKAp6L.exe	MSBuild.exe
PID 1432 wrote to memory of 1844	1432	z7ZJdF1SfMKAp6L.exe	MSBuild.exe
PID 1844 wrote to memory of 1548	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1548	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1548	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1548	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1548	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1548	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1548	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1548	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1548	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1548	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1940	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1940	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1940	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1940	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1940	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1940	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1940	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1940	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1940	1844	MSBuild.exe	vbc.exe
PID 1844 wrote to memory of 1940	1844	MSBuild.exe	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

1844 MSBuild.exe
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1796 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1844 MSBuild.exe

pid	process
1844	MSBuild.exe

pid	process
1796	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1844	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\z7ZJdF1SfMKAp6L.exe
"C:\Users\Admin\AppData\Local\Temp\z7ZJdF1SfMKAp6L.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOtHXNw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7ECF.tmp"
2⤵
- Creates scheduled task(s)
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC711.tmp"
3⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB97C.tmp"
3⤵
PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7ECF.tmp

Download Submit
memory/1432-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1548-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1548-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1844-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1844-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1844-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1940-9-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads