hawkeye_reborn | 1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

Analysis

max time kernel
125s
max time network
139s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-06-2022 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
Size

1.2MB
MD5

11b31d746ace8a0aa682487826a66989
SHA1

2fbdd90396474cb90ab2c2917a7c351864c30b2f
SHA256

1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822
SHA512

d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Score

10^/10

hawkeye_reborn m00nd3v_logger nanocore evasion infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

M00nD3v Logger Payload 3 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\harry stub (1).exe	m00nd3v_logger
C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe	m00nd3v_logger
C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe	m00nd3v_logger

Executes dropped EXE 3 IoCs

Processes:

harry stub (1).exetaskhostmgr.scrtaskhostmgr.scr

pid process

1532 harry stub (1).exe
612 taskhostmgr.scr
832 taskhostmgr.scr

pid	process
1532	harry stub (1).exe
612	taskhostmgr.scr
832	taskhostmgr.scr

Loads dropped DLL 4 IoCs

Processes:

1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exetaskhostmgr.scr

pid	process
1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
612	taskhostmgr.scr

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exetaskhostmgr.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostmgr.scr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\taskhostmgr.vbs -cc"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe"	taskhostmgr.scr

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

taskhostmgr.scr

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA taskhostmgr.scr
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

taskhostmgr.scr

description pid process target process

PID 612 set thread context of 832 612 taskhostmgr.scr taskhostmgr.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostmgr.scr

flow	ioc
4	bot.whatismyipaddress.com

description	pid	process	target process
PID 612 set thread context of 832	612	taskhostmgr.scr	taskhostmgr.scr

Drops file in Program Files directory 2 IoCs

Processes:

taskhostmgr.scr

description	ioc	process
File created	C:\Program Files (x86)\DSL Service\dslsv.exe	taskhostmgr.scr
File opened for modification	C:\Program Files (x86)\DSL Service\dslsv.exe	taskhostmgr.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1644 schtasks.exe
2016 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

taskhostmgr.scr

pid process

832 taskhostmgr.scr
832 taskhostmgr.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskhostmgr.scr

description pid process

Token: SeDebugPrivilege 832 taskhostmgr.scr
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exetaskhostmgr.scr

pid process

1240 1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
612 taskhostmgr.scr
Suspicious use of UnmapMainImage 1 IoCs

Processes:

taskhostmgr.scr

pid process

832 taskhostmgr.scr

pid	process
1644	schtasks.exe
2016	schtasks.exe

pid	process
832	taskhostmgr.scr
832	taskhostmgr.scr

description	pid	process
Token: SeDebugPrivilege	832	taskhostmgr.scr

pid	process
832	taskhostmgr.scr

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exetaskhostmgr.scrtaskhostmgr.scr

description	pid	process	target process
PID 1240 wrote to memory of 1532	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	harry stub (1).exe
PID 1240 wrote to memory of 1532	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	harry stub (1).exe
PID 1240 wrote to memory of 1532	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	harry stub (1).exe
PID 1240 wrote to memory of 1532	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	harry stub (1).exe
PID 1240 wrote to memory of 1376	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	WScript.exe
PID 1240 wrote to memory of 1376	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	WScript.exe
PID 1240 wrote to memory of 1376	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	WScript.exe
PID 1240 wrote to memory of 1376	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	WScript.exe
PID 1240 wrote to memory of 612	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	taskhostmgr.scr
PID 1240 wrote to memory of 612	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	taskhostmgr.scr
PID 1240 wrote to memory of 612	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	taskhostmgr.scr
PID 1240 wrote to memory of 612	1240	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	taskhostmgr.scr
PID 612 wrote to memory of 832	612	taskhostmgr.scr	taskhostmgr.scr
PID 612 wrote to memory of 832	612	taskhostmgr.scr	taskhostmgr.scr
PID 612 wrote to memory of 832	612	taskhostmgr.scr	taskhostmgr.scr
PID 612 wrote to memory of 832	612	taskhostmgr.scr	taskhostmgr.scr
PID 832 wrote to memory of 1644	832	taskhostmgr.scr	schtasks.exe
PID 832 wrote to memory of 1644	832	taskhostmgr.scr	schtasks.exe
PID 832 wrote to memory of 1644	832	taskhostmgr.scr	schtasks.exe
PID 832 wrote to memory of 1644	832	taskhostmgr.scr	schtasks.exe
PID 832 wrote to memory of 2016	832	taskhostmgr.scr	schtasks.exe
PID 832 wrote to memory of 2016	832	taskhostmgr.scr	schtasks.exe
PID 832 wrote to memory of 2016	832	taskhostmgr.scr	schtasks.exe
PID 832 wrote to memory of 2016	832	taskhostmgr.scr	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
"C:\Users\Admin\AppData\Local\Temp\1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe
"C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe"
2⤵
- Executes dropped EXE
PID:1532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.vbs"
2⤵
- Adds Run key to start application
PID:1376

C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
"C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr" /S
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr" /S
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp98A8.tmp"
4⤵
- Creates scheduled task(s)
PID:1644

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C80.tmp"
4⤵
- Creates scheduled task(s)
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe
Filesize
552KB

MD5
4f499ad76962f899126bbc1994865e61

SHA1
f0b47d86e07cdc0732e34bf26bbcb89c71322d5d

SHA256
d17c43247cb97dfe541e3f23fc0240d94cbf7f682b7950e0b8c8a5105495306e

SHA512
28d798db210ed97560a1271703553f345c035334f50c1f150924d12ff2a8e1142dbbb5aa8b3fb685daf898154056a7f6505cc89752f840c4dc8b464eec0aa5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe
Filesize
552KB

MD5
4f499ad76962f899126bbc1994865e61

SHA1
f0b47d86e07cdc0732e34bf26bbcb89c71322d5d

SHA256
d17c43247cb97dfe541e3f23fc0240d94cbf7f682b7950e0b8c8a5105495306e

SHA512
28d798db210ed97560a1271703553f345c035334f50c1f150924d12ff2a8e1142dbbb5aa8b3fb685daf898154056a7f6505cc89752f840c4dc8b464eec0aa5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
Filesize
1.2MB

MD5
11b31d746ace8a0aa682487826a66989

SHA1
2fbdd90396474cb90ab2c2917a7c351864c30b2f

SHA256
1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

SHA512
d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
Filesize
1.2MB

MD5
11b31d746ace8a0aa682487826a66989

SHA1
2fbdd90396474cb90ab2c2917a7c351864c30b2f

SHA256
1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

SHA512
d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
Filesize
1.2MB

MD5
11b31d746ace8a0aa682487826a66989

SHA1
2fbdd90396474cb90ab2c2917a7c351864c30b2f

SHA256
1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

SHA512
d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.vbs
Filesize
1024B

MD5
315c21d8d5a53bd1bb3aac14f2a45ef1

SHA1
b8d57d57a867055deda56e9c77ad1faf4aa96d9b

SHA256
ab70cc3058e7739d9a9f594b5debccabf3f6fbe62933c89f0cab7539757ce58c

SHA512
d94ce0cd65116cf7af2675ac6a6943d5aca6e9e7d91231d323a5fbed14d0fd349beeec84d651f12bd1a12c3778e4fc35fe95a8185d6bb22f25114812a30b70a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98A8.tmp
Filesize
1KB

MD5
86d958ad87d58d41c1ce56c412dd81b1

SHA1
a8dd3abe055b7ce28c3e3c8c6de9cbea08b832bf

SHA256
0aa4236b808d86158cb993b8b1e125704fd66c123eae467da415bfcd6d94f7a1

SHA512
857bd01e7888e1dbb01cce7b97be3227baf45d43ad6c554d58a867ace6f0c0bf984aaf46dd8b986bd0bcef4f3e29cba29e11ea0fc30cfe1904a849309d9ccd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C80.tmp
Filesize
1KB

MD5
afb71a33ece3758f782f052bbe5da94f

SHA1
e69b9070ff52f81fdf01a40f775d021e4b4e71e4

SHA256
abd73bfca8458750ee751d4c6c106d54dcf0969592f476acc64ab0d7f2bb1978

SHA512
22c45992ca358ca9d4605ac426b65903b11b27db1b9c608739245dc412aa256d0908566626b3cfdafb32fca0809bf46c8824ab98cea7b7662216c915e6ef013f

Download Submit
\Users\Admin\AppData\Local\Temp\harry stub (1).exe
Filesize
552KB

MD5
4f499ad76962f899126bbc1994865e61

SHA1
f0b47d86e07cdc0732e34bf26bbcb89c71322d5d

SHA256
d17c43247cb97dfe541e3f23fc0240d94cbf7f682b7950e0b8c8a5105495306e

SHA512
28d798db210ed97560a1271703553f345c035334f50c1f150924d12ff2a8e1142dbbb5aa8b3fb685daf898154056a7f6505cc89752f840c4dc8b464eec0aa5f0

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
Filesize
1.2MB

MD5
11b31d746ace8a0aa682487826a66989

SHA1
2fbdd90396474cb90ab2c2917a7c351864c30b2f

SHA256
1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

SHA512
d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
Filesize
1.2MB

MD5
11b31d746ace8a0aa682487826a66989

SHA1
2fbdd90396474cb90ab2c2917a7c351864c30b2f

SHA256
1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

SHA512
d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
Filesize
1.2MB

MD5
11b31d746ace8a0aa682487826a66989

SHA1
2fbdd90396474cb90ab2c2917a7c351864c30b2f

SHA256
1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

SHA512
d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Download Submit
memory/612-66-0x0000000000000000-mapping.dmp

Download
memory/612-79-0x00000000776B0000-0x0000000077830000-memory.dmp

Filesize
1.5MB

Download
memory/612-81-0x00000000776B0000-0x0000000077830000-memory.dmp

Filesize
1.5MB

Download
memory/832-87-0x00000000776B0000-0x0000000077830000-memory.dmp

Filesize
1.5MB

Download
memory/832-97-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/832-96-0x00000000776B0000-0x0000000077830000-memory.dmp

Filesize
1.5MB

Download
memory/832-90-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/832-89-0x0000000008860000-0x0000000009358000-memory.dmp

Filesize
11.0MB

Download
memory/832-80-0x00000000005219E5-mapping.dmp

Download
memory/832-95-0x00000000776B0000-0x0000000077830000-memory.dmp

Filesize
1.5MB

Download
memory/832-88-0x00000000776B0000-0x0000000077830000-memory.dmp

Filesize
1.5MB

Download
memory/832-85-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1240-56-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/1240-57-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1240-70-0x00000000776B0000-0x0000000077830000-memory.dmp

Filesize
1.5MB

Download
memory/1240-58-0x00000000776B0000-0x0000000077830000-memory.dmp

Filesize
1.5MB

Download
memory/1376-63-0x0000000000000000-mapping.dmp

Download
memory/1532-83-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-60-0x0000000000000000-mapping.dmp

Download
memory/1532-75-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-74-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-91-0x0000000000000000-mapping.dmp

Download
memory/2016-93-0x0000000000000000-mapping.dmp

Download