hawkeye_reborn | 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720

General

Target

4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
Size

670KB
MD5

181e0ed8c8f09db4749f83ca87bf3e2d
SHA1

0c29a28d18b975c3ead2a72205ddf5b2d8d10700
SHA256

4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720
SHA512

f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/2136-136-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

2136 svhost.exe

pid	process
2136	svhost.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 bot.whatismyipaddress.com

flow	ioc
16	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe

description	pid	process	target process
PID 3468 set thread context of 2136	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	svhost.exe

Drops file in Windows directory 3 IoCs

Processes:

4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
File created	C:\Windows\assembly\Desktop.ini	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe:Zone.Identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe

pid	process
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe

description pid process

Token: SeDebugPrivilege 3468 4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe

description	pid	process
Token: SeDebugPrivilege	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.execmd.exe

description	pid	process	target process
PID 3468 wrote to memory of 4144	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	cmd.exe
PID 3468 wrote to memory of 4144	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	cmd.exe
PID 3468 wrote to memory of 4144	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	cmd.exe
PID 4144 wrote to memory of 1648	4144	cmd.exe	reg.exe
PID 4144 wrote to memory of 1648	4144	cmd.exe	reg.exe
PID 4144 wrote to memory of 1648	4144	cmd.exe	reg.exe
PID 3468 wrote to memory of 2136	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	svhost.exe
PID 3468 wrote to memory of 2136	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	svhost.exe
PID 3468 wrote to memory of 2136	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	svhost.exe
PID 3468 wrote to memory of 2136	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	svhost.exe
PID 3468 wrote to memory of 2136	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	svhost.exe
PID 3468 wrote to memory of 2136	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	svhost.exe
PID 3468 wrote to memory of 2136	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	svhost.exe
PID 3468 wrote to memory of 2136	3468	4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe
"C:\Users\Admin\AppData\Local\Temp\4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe.lnk" /f
3⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\New.exe
Filesize
670KB

MD5
181e0ed8c8f09db4749f83ca87bf3e2d

SHA1
0c29a28d18b975c3ead2a72205ddf5b2d8d10700

SHA256
4936723d9911eb23d830648968c1ec5903d8fa538b20f70e9490e9ae33b97720

SHA512
f33c37059dea2be52dfcd8e5416180bf8fb5c75973cb2608b676f0a436cb733c5af178bb358b97bbaab203ad6aeca1fbc29182627b023cc62cdbf26c32efdaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
memory/1648-133-0x0000000000000000-mapping.dmp

Download
memory/2136-136-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2136-135-0x0000000000000000-mapping.dmp

Download
memory/2136-139-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2136-141-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2136-142-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3468-130-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3468-131-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3468-140-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4144-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads