Malware Analysis Report

2024-10-19 08:31

Sample ID 220701-elh4sadac8
Target 8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d
SHA256 8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d
Tags
hawkeye_reborn keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d

Threat Level: Known bad

The file 8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d was found to be: Known bad.

Malicious Activity Summary

hawkeye_reborn keylogger persistence spyware stealer trojan

HawkEye Reborn

Modifies WinLogon for persistence

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-01 04:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-01 04:01

Reported

2022-07-01 04:47

Platform

win7-20220414-en

Max time kernel

150s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Z4ymm3ispc7E855J\\JCxrUYH1X56e.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege (logged 2 times) | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1544 wrote to memory of 1776 (logged 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe |
| PID 1544 wrote to memory of 1400 (logged 9 times) | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe

"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"

C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe

"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"

C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe

"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"

Network

N/A

Files

memory/1544-54-0x0000000075721000-0x0000000075723000-memory.dmp

memory/1544-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/1400-56-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1400-57-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1400-59-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1400-60-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1400-62-0x000000000048B2BE-mapping.dmp

memory/1400-61-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1544-64-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-01 04:01

Reported

2022-07-01 04:47

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Z4ymm3ispc7E855J\\I6shyU1EWPZZ.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | bot.whatismyipaddress.com | N/A | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege (logged 2 times) | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3124 wrote to memory of 4676 (logged 8 times) | N/A | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe | C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe

"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"

C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe

"C:\Users\Admin\AppData\Local\Temp\8f47f3e72baad600c4f9a4ea3f632a68f2f8ec0e562799b72ee73447ec01b17d.exe"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.109.8.21:443 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 20.42.65.89:443 | | tcp |

Files

memory/3124-130-0x00000000752D0000-0x0000000075881000-memory.dmp

memory/4676-131-0x0000000000000000-mapping.dmp

memory/4676-132-0x0000000000400000-0x0000000000490000-memory.dmp

memory/4676-133-0x00000000752D0000-0x0000000075881000-memory.dmp

memory/3124-134-0x00000000752D0000-0x0000000075881000-memory.dmp

memory/4676-135-0x00000000752D0000-0x0000000075881000-memory.dmp

memory/4676-136-0x00000000752D0000-0x0000000075881000-memory.dmp