hawkeye_reborn | 0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb

Analysis

max time kernel
106s
max time network
110s
platform
windows7_x64
resource
win7-20220414-en
submitted
29-05-2022 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
Size

848KB
MD5

37e9e02c9e17bd27ed78d1196c7ac0b1
SHA1

0aaa5b234cb68f6008bcc10e0657c6442aea6ff8
SHA256

0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb
SHA512

8b1939f55f37e42b3dd71a2eb9261d26e9be237a3feba907c019afcda7e1582caa6626942360427cf83798338723d82d4a198ca22a336e445c76084ed30988ae

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1980-68-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1980-70-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1980-72-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1980-74-0x000000000048B1CE-mapping.dmp	m00nd3v_logger
behavioral1/memory/1980-77-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1980-81-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 bot.whatismyipaddress.com

flow	ioc
4	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe

description	pid	process	target process
PID 992 set thread context of 1980	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

640 schtasks.exe

pid	process
640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe

pid	process
992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe

description pid process

Token: SeDebugPrivilege 992 0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe

description	pid	process
Token: SeDebugPrivilege	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe

description	pid	process	target process
PID 992 wrote to memory of 640	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	schtasks.exe
PID 992 wrote to memory of 640	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	schtasks.exe
PID 992 wrote to memory of 640	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	schtasks.exe
PID 992 wrote to memory of 640	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	schtasks.exe
PID 992 wrote to memory of 1980	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
PID 992 wrote to memory of 1980	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
PID 992 wrote to memory of 1980	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
PID 992 wrote to memory of 1980	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
PID 992 wrote to memory of 1980	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
PID 992 wrote to memory of 1980	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
PID 992 wrote to memory of 1980	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
PID 992 wrote to memory of 1980	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
PID 992 wrote to memory of 1980	992	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe	0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe

C:\Users\Admin\AppData\Local\Temp\0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
"C:\Users\Admin\AppData\Local\Temp\0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "RCAPWJG\RCAPWJG" /XML "C:\Users\Admin\AppData\Roaming\RCAPWJG\alllll.xml"
2⤵
- Creates scheduled task(s)
PID:640

C:\Users\Admin\AppData\Local\Temp\0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe
"C:\Users\Admin\AppData\Local\Temp\0dabe9e919df479a7dde262aaf05c62c5242166c5fffa9a39603f79cc05684bb.exe"
2⤵
PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RCAPWJG\alllll.xml

Filesize
1KB

MD5
f07eeadd4e40e28b5e64f33719a8d218

SHA1
5d12a607fd1b70ca0328b9ed38828a765eb78ac5

SHA256
0874d4dafca95ab61e8a40d38ba133475af260112f96215f1f31c5383013d673

SHA512
e0f33b92d98ebb05537dd773199e1fb0b5a92867b1290bbbd7fa4964a2f99862bcd96fba28bc188828afe9b9228967a1ae74ac496608858e34aab9e38e0c1387

Download Submit
memory/640-60-0x0000000000000000-mapping.dmp

Download
memory/992-57-0x0000000073DE0000-0x000000007457C000-memory.dmp

Filesize
7.6MB

Download
memory/992-76-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/992-58-0x0000000073C50000-0x0000000073DD8000-memory.dmp

Filesize
1.5MB

Download
memory/992-59-0x0000000072050000-0x0000000072C2E000-memory.dmp

Filesize
11.9MB

Download
memory/992-56-0x0000000072C30000-0x0000000073728000-memory.dmp

Filesize
11.0MB

Download
memory/992-55-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/992-62-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/992-63-0x0000000072C30000-0x0000000073728000-memory.dmp

Filesize
11.0MB

Download
memory/992-64-0x0000000073DE0000-0x000000007457C000-memory.dmp

Filesize
7.6MB

Download
memory/992-80-0x0000000073DE0000-0x000000007457C000-memory.dmp

Filesize
7.6MB

Download
memory/992-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/992-78-0x0000000072C30000-0x0000000073728000-memory.dmp

Filesize
11.0MB

Download
memory/1980-81-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-88-0x00000000737E0000-0x000000007397B000-memory.dmp

Filesize
1.6MB

Download
memory/1980-74-0x000000000048B1CE-mapping.dmp

Download
memory/1980-70-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-68-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-77-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-66-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-65-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-83-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-84-0x0000000072130000-0x0000000072C28000-memory.dmp

Filesize
11.0MB

Download
memory/1980-85-0x0000000073D50000-0x00000000744EC000-memory.dmp

Filesize
7.6MB

Download
memory/1980-86-0x0000000073BC0000-0x0000000073D48000-memory.dmp

Filesize
1.5MB

Download
memory/1980-87-0x0000000071550000-0x000000007212E000-memory.dmp

Filesize
11.9MB

Download
memory/1980-72-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1980-89-0x0000000073620000-0x0000000073724000-memory.dmp

Filesize
1.0MB

Download
memory/1980-90-0x00000000733C0000-0x00000000734B1000-memory.dmp

Filesize
964KB

Download
memory/1980-91-0x0000000072E80000-0x00000000733B6000-memory.dmp

Filesize
5.2MB

Download
memory/1980-92-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-93-0x0000000072130000-0x0000000072C28000-memory.dmp

Filesize
11.0MB

Download
memory/1980-94-0x0000000073D50000-0x00000000744EC000-memory.dmp

Filesize
7.6MB

Download
memory/1980-95-0x0000000071550000-0x000000007212E000-memory.dmp

Filesize
11.9MB

Download
memory/1980-96-0x00000000737E0000-0x000000007397B000-memory.dmp

Filesize
1.6MB

Download
memory/1980-97-0x0000000072130000-0x0000000072C28000-memory.dmp

Filesize
11.0MB

Download
memory/1980-98-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-99-0x0000000073D50000-0x00000000744EC000-memory.dmp

Filesize
7.6MB

Download
memory/1980-100-0x0000000071550000-0x000000007212E000-memory.dmp

Filesize
11.9MB

Download