Analysis Overview
SHA256
8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d
Threat Level: Known bad
The file 8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d was found to be: Known bad.
Malicious Activity Summary
HawkEye Reborn
Modifies WinLogon for persistence
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-01 04:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-01 04:01
Reported
2022-07-01 04:47
Platform
win7-20220414-en
Max time kernel
150s
Max time network
45s
Command Line
Signatures
HawkEye Reborn
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Z4ymm3ispc7E855J\\JCxrUYH1X56e.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1544 set thread context of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe
"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"
C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe
"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"
C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe
"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"
Network
Files
memory/1544-54-0x0000000075721000-0x0000000075723000-memory.dmp
memory/1544-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/1400-56-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1400-57-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1400-59-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1400-60-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1400-62-0x000000000048B2BE-mapping.dmp
memory/1400-61-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1544-64-0x00000000744D0000-0x0000000074A7B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-01 04:01
Reported
2022-07-01 04:47
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
HawkEye Reborn
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Z4ymm3ispc7E855J\\I6shyU1EWPZZ.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3124 set thread context of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe
"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"
C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe
"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 52.109.8.21:443 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 20.42.65.89:443 | | tcp |
Files
memory/3124-130-0x00000000752D0000-0x0000000075881000-memory.dmp
memory/4676-131-0x0000000000000000-mapping.dmp
memory/4676-132-0x0000000000400000-0x0000000000490000-memory.dmp
memory/4676-133-0x00000000752D0000-0x0000000075881000-memory.dmp
memory/3124-134-0x00000000752D0000-0x0000000075881000-memory.dmp
memory/4676-135-0x00000000752D0000-0x0000000075881000-memory.dmp
memory/4676-136-0x00000000752D0000-0x0000000075881000-memory.dmp