Analysis
-
max time kernel
61s -
max time network
66s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 11:41
General
-
Target
(ITBD)..exe
-
Size
638KB
-
MD5
61b91b3bb375436570df81e5d981e823
-
SHA1
9c4124467c4308afe1b79782f447ffc7d40cb50b
-
SHA256
3c0f1342da1381efcb02db88a6f0c2c5da6006288915b146684e5de5e4bd7a8b
-
SHA512
54f5e78631bcf5cb747889bb9044a8745e590aade7123526d50c6a591204442c1c282bfa51ef62fc0dc22aaf71c2719b8cc38f9505d5b9bfba7282922802aff9
Malware Config
Extracted
hawkeye_reborn
10.0.0.1
Protocol: smtp- Host:
mail.eagleeyeapparels.com - Port:
587 - Username:
faruq@eagleeyeapparels.com - Password:
eagle*qaz
f98d37f4-ca90-4ed7-9f6f-6121c4014605
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:eagle*qaz _EmailPort:587 _EmailSSL:true _EmailServer:mail.eagleeyeapparels.com _EmailUsername:faruq@eagleeyeapparels.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:f98d37f4-ca90-4ed7-9f6f-6121c4014605 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:true _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\(ITBD)..exe"C:\Users\Admin\AppData\Local\Temp\(ITBD)..exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\(ITBD)..exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\(ITBD)..exe"{path}"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/916-54-0x00000000753B1000-0x00000000753B3000-memory.dmpFilesize
8KB
-
memory/916-55-0x00000000748C0000-0x0000000074E6B000-memory.dmpFilesize
5.7MB
-
memory/2024-56-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/2024-57-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/2024-59-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/2024-60-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/2024-61-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/2024-62-0x000000000048B39E-mapping.dmp
-
memory/2024-64-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/2024-66-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/2024-68-0x00000000748C0000-0x0000000074E6B000-memory.dmpFilesize
5.7MB