Analysis Overview
SHA256
fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e
Threat Level: Known bad
The file fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e was found to be: Known bad.
Malicious Activity Summary
HawkEye Reborn
Drops startup file
Looks up external IP address via web service
AutoIT Executable
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-07-01 04:27
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-01 04:27
Reported
2022-07-01 05:14
Platform
win7-20220414-en
Max time kernel
151s
Max time network
148s
Command Line
Signatures
HawkEye Reborn
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceEnroller.url | C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe
"C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/1680-54-0x00000000752B1000-0x00000000752B3000-memory.dmp
memory/1724-55-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1724-57-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1724-62-0x000000000048B2BE-mapping.dmp
memory/1724-63-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1724-64-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1680-65-0x00000000027A0000-0x000000000282B000-memory.dmp
memory/1724-67-0x0000000073B70000-0x000000007411B000-memory.dmp
memory/1724-68-0x0000000073B70000-0x000000007411B000-memory.dmp
memory/1724-69-0x0000000073B70000-0x000000007411B000-memory.dmp
memory/548-77-0x000000000048B2BE-mapping.dmp
memory/548-78-0x0000000000400000-0x0000000000490000-memory.dmp
memory/548-79-0x0000000000400000-0x0000000000490000-memory.dmp
memory/548-81-0x0000000073AF0000-0x000000007409B000-memory.dmp
memory/548-82-0x0000000073AF0000-0x000000007409B000-memory.dmp
memory/548-83-0x0000000073AF0000-0x000000007409B000-memory.dmp
memory/772-91-0x000000000048B2BE-mapping.dmp
memory/772-95-0x0000000073B70000-0x000000007411B000-memory.dmp
memory/772-96-0x0000000073B70000-0x000000007411B000-memory.dmp
memory/1268-104-0x000000000048B2BE-mapping.dmp
memory/1268-108-0x0000000073AF0000-0x000000007409B000-memory.dmp
memory/1268-109-0x0000000073AF0000-0x000000007409B000-memory.dmp
memory/816-117-0x000000000048B2BE-mapping.dmp
memory/816-121-0x0000000073B70000-0x000000007411B000-memory.dmp
memory/816-122-0x0000000073B70000-0x000000007411B000-memory.dmp
memory/696-130-0x000000000048B2BE-mapping.dmp
memory/696-134-0x0000000073AF0000-0x000000007409B000-memory.dmp
memory/696-135-0x0000000073AF0000-0x000000007409B000-memory.dmp
memory/1236-143-0x000000000048B2BE-mapping.dmp
memory/1236-147-0x0000000073B70000-0x000000007411B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-01 04:27
Reported
2022-07-01 05:16
Platform
win10v2004-20220414-en
Max time kernel
172s
Max time network
184s
Command Line
Signatures
HawkEye Reborn
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceEnroller.url | C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe
"C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 52.109.8.21:443 | | tcp |
| FR | 2.16.119.157:443 | | tcp |
| IE | 20.50.73.10:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 13.89.178.26:443 | | tcp |
| US | 13.107.21.200:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| GB | 92.123.140.25:80 | | tcp |
| FR | 2.16.119.157:443 | | tcp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/4068-130-0x0000000000000000-mapping.dmp
memory/4068-131-0x0000000000790000-0x0000000000820000-memory.dmp
memory/4004-136-0x0000000003F40000-0x0000000003FCB000-memory.dmp
memory/4068-137-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/4068-138-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/4068-139-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/1296-140-0x0000000000000000-mapping.dmp
memory/1296-141-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 8faf48455ffc017246b08e89f6ba1956 |
| SHA1 | 2f6c39d9828b3f95dc050f52a38cd7d3f543baf8 |
| SHA256 | 9a643ce75fdfe840ea158010f28f8520bea2a60220494b44a25039a2a318fc35 |
| SHA512 | dafd4f1bf894ef1c61ff65dbcb8d5a151b33d8e39f3e354e6e433c8c7c0e8c2105615bffde8d796e361b77ccbe917a70ca4d03cc8cb6396f0495ff9e5b7010a9 |
memory/1296-147-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/1296-148-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/5000-149-0x0000000000000000-mapping.dmp
memory/5000-155-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/5000-156-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/3436-157-0x0000000000000000-mapping.dmp
memory/3436-158-0x0000000000750000-0x00000000007E0000-memory.dmp
memory/3436-163-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/3436-164-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/3436-165-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/4164-166-0x0000000000000000-mapping.dmp
memory/4164-172-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/4164-173-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/1112-174-0x0000000000000000-mapping.dmp
memory/1112-175-0x0000000000350000-0x00000000003E0000-memory.dmp
memory/1112-180-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/1112-181-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/1112-182-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/1104-183-0x0000000000000000-mapping.dmp
memory/1104-189-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/1104-190-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/4160-191-0x0000000000000000-mapping.dmp
memory/4160-197-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/4160-198-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/4160-199-0x0000000073780000-0x0000000073D31000-memory.dmp
memory/4828-200-0x0000000000000000-mapping.dmp
memory/4828-206-0x0000000073780000-0x0000000073D31000-memory.dmp