hawkeye_reborn | 1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

General

Target

1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
Size

1.2MB
MD5

11b31d746ace8a0aa682487826a66989
SHA1

2fbdd90396474cb90ab2c2917a7c351864c30b2f
SHA256

1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822
SHA512

d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Score

10^/10

hawkeye_reborn m00nd3v_logger nanocore evasion infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

M00nD3v Logger Payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe	m00nd3v_logger
C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe	m00nd3v_logger

Executes dropped EXE 3 IoCs

Processes:

harry stub (1).exetaskhostmgr.scrtaskhostmgr.scr

pid process

1972 harry stub (1).exe
1708 taskhostmgr.scr
2840 taskhostmgr.scr

pid	process
1972	harry stub (1).exe
1708	taskhostmgr.scr
2840	taskhostmgr.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exetaskhostmgr.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostmgr.scr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\taskhostmgr.vbs -cc"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasv.exe"	taskhostmgr.scr
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

taskhostmgr.scr

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA taskhostmgr.scr
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

taskhostmgr.scr

description pid process target process

PID 1708 set thread context of 2840 1708 taskhostmgr.scr taskhostmgr.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostmgr.scr

flow	ioc
31	bot.whatismyipaddress.com

description	pid	process	target process
PID 1708 set thread context of 2840	1708	taskhostmgr.scr	taskhostmgr.scr

Drops file in Program Files directory 2 IoCs

Processes:

taskhostmgr.scr

description	ioc	process
File created	C:\Program Files (x86)\WPA Service\wpasv.exe	taskhostmgr.scr
File opened for modification	C:\Program Files (x86)\WPA Service\wpasv.exe	taskhostmgr.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4044 schtasks.exe
4376 schtasks.exe

pid	process
4044	schtasks.exe
4376	schtasks.exe

Modifies registry class 1 IoCs

Processes:

1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

taskhostmgr.scr

pid process

2840 taskhostmgr.scr
2840 taskhostmgr.scr
2840 taskhostmgr.scr
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskhostmgr.scr

pid process

2840 taskhostmgr.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskhostmgr.scr

description pid process

Token: SeDebugPrivilege 2840 taskhostmgr.scr
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exetaskhostmgr.scr

pid process

3920 1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
1708 taskhostmgr.scr

pid	process
2840	taskhostmgr.scr
2840	taskhostmgr.scr
2840	taskhostmgr.scr

pid	process
2840	taskhostmgr.scr

description	pid	process
Token: SeDebugPrivilege	2840	taskhostmgr.scr

pid	process
3920	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
1708	taskhostmgr.scr

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exetaskhostmgr.scrtaskhostmgr.scr

description	pid	process	target process
PID 3920 wrote to memory of 1972	3920	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	harry stub (1).exe
PID 3920 wrote to memory of 1972	3920	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	harry stub (1).exe
PID 3920 wrote to memory of 1972	3920	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	harry stub (1).exe
PID 3920 wrote to memory of 5104	3920	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	WScript.exe
PID 3920 wrote to memory of 5104	3920	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	WScript.exe
PID 3920 wrote to memory of 5104	3920	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	WScript.exe
PID 3920 wrote to memory of 1708	3920	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	taskhostmgr.scr
PID 3920 wrote to memory of 1708	3920	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	taskhostmgr.scr
PID 3920 wrote to memory of 1708	3920	1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe	taskhostmgr.scr
PID 1708 wrote to memory of 2840	1708	taskhostmgr.scr	taskhostmgr.scr
PID 1708 wrote to memory of 2840	1708	taskhostmgr.scr	taskhostmgr.scr
PID 1708 wrote to memory of 2840	1708	taskhostmgr.scr	taskhostmgr.scr
PID 2840 wrote to memory of 4044	2840	taskhostmgr.scr	schtasks.exe
PID 2840 wrote to memory of 4044	2840	taskhostmgr.scr	schtasks.exe
PID 2840 wrote to memory of 4044	2840	taskhostmgr.scr	schtasks.exe
PID 2840 wrote to memory of 4376	2840	taskhostmgr.scr	schtasks.exe
PID 2840 wrote to memory of 4376	2840	taskhostmgr.scr	schtasks.exe
PID 2840 wrote to memory of 4376	2840	taskhostmgr.scr	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe
"C:\Users\Admin\AppData\Local\Temp\1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe
"C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe"
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.vbs"
2⤵
- Adds Run key to start application
PID:5104

C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
"C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr" /S
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr" /S
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6B29.tmp"
4⤵
- Creates scheduled task(s)
PID:4044

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6F50.tmp"
4⤵
- Creates scheduled task(s)
PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe
Filesize
552KB

MD5
4f499ad76962f899126bbc1994865e61

SHA1
f0b47d86e07cdc0732e34bf26bbcb89c71322d5d

SHA256
d17c43247cb97dfe541e3f23fc0240d94cbf7f682b7950e0b8c8a5105495306e

SHA512
28d798db210ed97560a1271703553f345c035334f50c1f150924d12ff2a8e1142dbbb5aa8b3fb685daf898154056a7f6505cc89752f840c4dc8b464eec0aa5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\harry stub (1).exe
Filesize
552KB

MD5
4f499ad76962f899126bbc1994865e61

SHA1
f0b47d86e07cdc0732e34bf26bbcb89c71322d5d

SHA256
d17c43247cb97dfe541e3f23fc0240d94cbf7f682b7950e0b8c8a5105495306e

SHA512
28d798db210ed97560a1271703553f345c035334f50c1f150924d12ff2a8e1142dbbb5aa8b3fb685daf898154056a7f6505cc89752f840c4dc8b464eec0aa5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
Filesize
1.2MB

MD5
11b31d746ace8a0aa682487826a66989

SHA1
2fbdd90396474cb90ab2c2917a7c351864c30b2f

SHA256
1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

SHA512
d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
Filesize
1.2MB

MD5
11b31d746ace8a0aa682487826a66989

SHA1
2fbdd90396474cb90ab2c2917a7c351864c30b2f

SHA256
1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

SHA512
d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.scr
Filesize
1.2MB

MD5
11b31d746ace8a0aa682487826a66989

SHA1
2fbdd90396474cb90ab2c2917a7c351864c30b2f

SHA256
1759f99b188e1dc36e26583447e3b9a3415a293305d1b4dbbbc40fb66b00f822

SHA512
d447e9007f72984079dced9ab391d1fc33722e3fbb94f8ebcb95916105ab189f40c22395b20cf153e748887f1edb5396e5c10dff47a0606e52594e69f5ecaf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\taskhostmgr.vbs
Filesize
1024B

MD5
315c21d8d5a53bd1bb3aac14f2a45ef1

SHA1
b8d57d57a867055deda56e9c77ad1faf4aa96d9b

SHA256
ab70cc3058e7739d9a9f594b5debccabf3f6fbe62933c89f0cab7539757ce58c

SHA512
d94ce0cd65116cf7af2675ac6a6943d5aca6e9e7d91231d323a5fbed14d0fd349beeec84d651f12bd1a12c3778e4fc35fe95a8185d6bb22f25114812a30b70a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B29.tmp
Filesize
1KB

MD5
86d958ad87d58d41c1ce56c412dd81b1

SHA1
a8dd3abe055b7ce28c3e3c8c6de9cbea08b832bf

SHA256
0aa4236b808d86158cb993b8b1e125704fd66c123eae467da415bfcd6d94f7a1

SHA512
857bd01e7888e1dbb01cce7b97be3227baf45d43ad6c554d58a867ace6f0c0bf984aaf46dd8b986bd0bcef4f3e29cba29e11ea0fc30cfe1904a849309d9ccd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F50.tmp
Filesize
1KB

MD5
21de6c3a6440d917bdbb4b491191d9b2

SHA1
c63c300affe7147910dc4544d2d5f3029bf321a6

SHA256
23af17733a3882cdd82a5bbc321d896b2430dc1bb4b4ac034d129cde5027afc4

SHA512
dcd1c464ed36593b990e072940ab415804ef8076743015fff4939211e30e436beb7ce6af3072769abe0214f737cedb210d2b45e6e90da20dac54c3945b11575f

Download Submit
memory/1708-149-0x0000000077D20000-0x0000000077EC3000-memory.dmp

Filesize
1.6MB

Download
memory/1708-138-0x0000000000000000-mapping.dmp

Download
memory/1972-146-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/1972-150-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/1972-145-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/1972-134-0x0000000000000000-mapping.dmp

Download
memory/2840-155-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/2840-161-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/2840-151-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2840-153-0x0000000077D20000-0x0000000077EC3000-memory.dmp

Filesize
1.6MB

Download
memory/2840-154-0x0000000077D20000-0x0000000077EC3000-memory.dmp

Filesize
1.6MB

Download
memory/2840-160-0x0000000077D20000-0x0000000077EC3000-memory.dmp

Filesize
1.6MB

Download
memory/2840-147-0x0000000000000000-mapping.dmp

Download
memory/3920-140-0x0000000077D20000-0x0000000077EC3000-memory.dmp

Filesize
1.6MB

Download
memory/3920-132-0x0000000002300000-0x0000000002306000-memory.dmp

Filesize
24KB

Download
memory/3920-133-0x0000000077D20000-0x0000000077EC3000-memory.dmp

Filesize
1.6MB

Download
memory/4044-156-0x0000000000000000-mapping.dmp

Download
memory/4376-158-0x0000000000000000-mapping.dmp

Download
memory/5104-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads