Overview

overview

10

Static

static

5

ee9a1d78f2...4b.exe

windows7_x64

10

ee9a1d78f2...4b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-06-2022 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee9a1d78f2e0d7d33d7ca9cdffcdc8bc55cff875ec1d3a969803b373c502824b.exe

  • Size

    2.0MB

  • MD5

    0def4e4fe77fc4499d9ade8db0f9c82a

  • SHA1

    29e2459ce9aa0767b84e9efe70913559d606d5d1

  • SHA256

    ee9a1d78f2e0d7d33d7ca9cdffcdc8bc55cff875ec1d3a969803b373c502824b

  • SHA512

    87ec521cd5f94eb10cf7283be15a3c0bff285ad5b870643e81dac3fdd2fea3b3d078d2619dbee906c235a892f47522cfed220bbfe953ef1aa31b297b2853902e

Score
10/10
hawkeye_rebornkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.0

Credentials

  • Protocol:     smtp
  • Host:
    mail.ancopottary.com
  • Port:
    587
  • Username:
    royalgrace@ancopottary.com
  • Password:
    niconpay$
Mutex

c5a6e58d-97f5-486b-ab80-4e435504662a

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:true _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:niconpay$ _EmailPort:587 _EmailSSL:true _EmailServer:mail.ancopottary.com _EmailUsername:royalgrace@ancopottary.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:c5a6e58d-97f5-486b-ab80-4e435504662a _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:true _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee9a1d78f2e0d7d33d7ca9cdffcdc8bc55cff875ec1d3a969803b373c502824b.exe
    "C:\Users\Admin\AppData\Local\Temp\ee9a1d78f2e0d7d33d7ca9cdffcdc8bc55cff875ec1d3a969803b373c502824b.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:1892
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:1244
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:1560
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:1456
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:1400
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
      • Sets file execution options in registry
      PID:1696
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
      2⤵
        PID:1020

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1020-147-0x0000000074090000-0x000000007463B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1020-143-0x000000000048B2BE-mapping.dmp
      Download
    • memory/1244-72-0x0000000000090000-0x0000000000120000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1244-82-0x0000000074080000-0x000000007462B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1244-81-0x0000000074080000-0x000000007462B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1244-79-0x0000000000090000-0x0000000000120000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1244-78-0x0000000000090000-0x0000000000120000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1244-77-0x000000000011B2BE-mapping.dmp
      Download
    • memory/1260-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1260-66-0x0000000000370000-0x00000000003FB000-memory.dmp
      Filesize

      556KB

      Download
    • memory/1400-121-0x0000000074090000-0x000000007463B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1400-117-0x000000000048B2BE-mapping.dmp
      Download
    • memory/1400-122-0x0000000074090000-0x000000007463B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1456-106-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1456-108-0x0000000074080000-0x000000007462B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1456-109-0x0000000074080000-0x000000007462B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1456-104-0x000000000048B2BE-mapping.dmp
      Download
    • memory/1456-105-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1560-90-0x000000000048B2BE-mapping.dmp
      Download
    • memory/1560-95-0x0000000074090000-0x000000007463B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1560-94-0x0000000074090000-0x000000007463B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1560-96-0x0000000074090000-0x000000007463B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1696-130-0x000000000011B2BE-mapping.dmp
      Download
    • memory/1696-135-0x0000000074080000-0x000000007462B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1696-134-0x0000000074080000-0x000000007462B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1892-69-0x0000000074090000-0x000000007463B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1892-63-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1892-62-0x000000000048B2BE-mapping.dmp
      Download
    • memory/1892-64-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1892-67-0x0000000074090000-0x000000007463B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1892-68-0x0000000074090000-0x000000007463B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1892-57-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1892-55-0x0000000000400000-0x0000000000490000-memory.dmp
      Filesize

      576KB

      Download