hawkeye_reborn | 18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c

General

Target

18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe
Size

780KB
MD5

019a382b39aab63505bc3a03b46a91c3
SHA1

589989f06ac303cc88d1dc3f5478976894aa7ed3
SHA256

18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c
SHA512

b529266464fdfe08525ceaea14717be400f8ad070e95ca6abe59bdcedac090dbb945174310a7c7416c4ddc9a45dac5c82415eef65eee12eb9711c4f85854ad4a

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/3556-141-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4772-152-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4772-154-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4772-155-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3136-146-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3136-148-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/3136-149-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3136-146-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3136-148-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3136-149-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4772-152-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4772-154-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4772-155-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

AdobeAcrobat18.exeAdobeAcrobat18.exe

pid process

100 AdobeAcrobat18.exe
3556 AdobeAcrobat18.exe

pid	process
100	AdobeAcrobat18.exe
3556	AdobeAcrobat18.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AdobeAcrobat18.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Acrobat 18 = "C:\\Users\\Admin\\AppData\\Local\\AdobeAcrobat18.exe -boot"	AdobeAcrobat18.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

AdobeAcrobat18.exeAdobeAcrobat18.exe

description	pid	process	target process
PID 100 set thread context of 3556	100	AdobeAcrobat18.exe	AdobeAcrobat18.exe
PID 3556 set thread context of 3136	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 set thread context of 4772	3556	AdobeAcrobat18.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

vbc.exeAdobeAcrobat18.exe

pid	process
3136	vbc.exe
3136	vbc.exe
3136	vbc.exe
3136	vbc.exe
3136	vbc.exe
3136	vbc.exe
3136	vbc.exe
3136	vbc.exe
3136	vbc.exe
3136	vbc.exe
3136	vbc.exe
3136	vbc.exe
3556	AdobeAcrobat18.exe
3556	AdobeAcrobat18.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exeAdobeAcrobat18.exeAdobeAcrobat18.exe

description	pid	process
Token: SeDebugPrivilege	1684	18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe
Token: SeDebugPrivilege	100	AdobeAcrobat18.exe
Token: SeDebugPrivilege	3556	AdobeAcrobat18.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AdobeAcrobat18.exe

pid process

3556 AdobeAcrobat18.exe

pid	process
3556	AdobeAcrobat18.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exeexplorer.exeAdobeAcrobat18.exeAdobeAcrobat18.exe

description	pid	process	target process
PID 1684 wrote to memory of 1712	1684	18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe	cmd.exe
PID 1684 wrote to memory of 1712	1684	18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe	cmd.exe
PID 1684 wrote to memory of 1712	1684	18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe	cmd.exe
PID 1684 wrote to memory of 2340	1684	18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe	explorer.exe
PID 1684 wrote to memory of 2340	1684	18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe	explorer.exe
PID 1684 wrote to memory of 2340	1684	18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe	explorer.exe
PID 2036 wrote to memory of 100	2036	explorer.exe	AdobeAcrobat18.exe
PID 2036 wrote to memory of 100	2036	explorer.exe	AdobeAcrobat18.exe
PID 2036 wrote to memory of 100	2036	explorer.exe	AdobeAcrobat18.exe
PID 100 wrote to memory of 3556	100	AdobeAcrobat18.exe	AdobeAcrobat18.exe
PID 100 wrote to memory of 3556	100	AdobeAcrobat18.exe	AdobeAcrobat18.exe
PID 100 wrote to memory of 3556	100	AdobeAcrobat18.exe	AdobeAcrobat18.exe
PID 100 wrote to memory of 3556	100	AdobeAcrobat18.exe	AdobeAcrobat18.exe
PID 100 wrote to memory of 3556	100	AdobeAcrobat18.exe	AdobeAcrobat18.exe
PID 100 wrote to memory of 3556	100	AdobeAcrobat18.exe	AdobeAcrobat18.exe
PID 100 wrote to memory of 3556	100	AdobeAcrobat18.exe	AdobeAcrobat18.exe
PID 100 wrote to memory of 3556	100	AdobeAcrobat18.exe	AdobeAcrobat18.exe
PID 3556 wrote to memory of 3136	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 3136	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 3136	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 3136	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 3136	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 3136	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 3136	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 3136	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 3136	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 4772	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 4772	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 4772	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 4772	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 4772	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 4772	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 4772	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 4772	3556	AdobeAcrobat18.exe	vbc.exe
PID 3556 wrote to memory of 4772	3556	AdobeAcrobat18.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe
"C:\Users\Admin\AppData\Local\Temp\18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c.exe" "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
2⤵
PID:1712

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
2⤵
PID:2340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe
"C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100

C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe
"C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB43D.tmp"
4⤵
- Accesses Microsoft Outlook accounts
PID:4772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe
Filesize
780KB

MD5
019a382b39aab63505bc3a03b46a91c3

SHA1
589989f06ac303cc88d1dc3f5478976894aa7ed3

SHA256
18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c

SHA512
b529266464fdfe08525ceaea14717be400f8ad070e95ca6abe59bdcedac090dbb945174310a7c7416c4ddc9a45dac5c82415eef65eee12eb9711c4f85854ad4a

Download Submit
C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe
Filesize
780KB

MD5
019a382b39aab63505bc3a03b46a91c3

SHA1
589989f06ac303cc88d1dc3f5478976894aa7ed3

SHA256
18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c

SHA512
b529266464fdfe08525ceaea14717be400f8ad070e95ca6abe59bdcedac090dbb945174310a7c7416c4ddc9a45dac5c82415eef65eee12eb9711c4f85854ad4a

Download Submit
C:\Users\Admin\AppData\Local\AdobeAcrobat18.exe
Filesize
780KB

MD5
019a382b39aab63505bc3a03b46a91c3

SHA1
589989f06ac303cc88d1dc3f5478976894aa7ed3

SHA256
18c9c79af4ab40c95b609b7d2bdb5fbba7f18ca875941ccce16e71e99cf7604c

SHA512
b529266464fdfe08525ceaea14717be400f8ad070e95ca6abe59bdcedac090dbb945174310a7c7416c4ddc9a45dac5c82415eef65eee12eb9711c4f85854ad4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdobeAcrobat18.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp
Filesize
4KB

MD5
bdf65f70610625cc771c5cc7ce168c7d

SHA1
a8829b1c071ed0521d11925a98468c12a53a03b8

SHA256
b66236dd86f140ca02db0c296e45032b272de2895c4f047a562e73bc8395dba5

SHA512
add2db50b0440b07ecc48a5fde7f0b72e84b76f11ea060944afa28ddd03791e6adb3bfca704254131fb3f591f484b37f7276fab96b0c4776a27cb526bcf5f3a4

Download Submit
memory/100-137-0x0000000000000000-mapping.dmp

Download
memory/100-139-0x0000000004E90000-0x0000000004F2C000-memory.dmp

Filesize
624KB

Download
memory/1684-133-0x00000000075C0000-0x00000000075CA000-memory.dmp

Filesize
40KB

Download
memory/1684-130-0x0000000000190000-0x000000000025C000-memory.dmp

Filesize
816KB

Download
memory/1684-132-0x00000000074F0000-0x0000000007582000-memory.dmp

Filesize
584KB

Download
memory/1684-131-0x0000000007A00000-0x0000000007FA4000-memory.dmp

Filesize
5.6MB

Download
memory/1712-134-0x0000000000000000-mapping.dmp

Download
memory/2340-135-0x0000000000000000-mapping.dmp

Download
memory/3136-145-0x0000000000000000-mapping.dmp

Download
memory/3136-146-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3136-148-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3136-149-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3556-141-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3556-140-0x0000000000000000-mapping.dmp

Download
memory/3556-144-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/4772-155-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4772-151-0x0000000000000000-mapping.dmp

Download
memory/4772-152-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4772-154-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads