hawkeye_reborn | 861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c

General

Target

861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
Size

2.0MB
MD5

f8cc934d918c21b38eb6f27ae2aaa244
SHA1

b0c000fa26ce9d08229bb6ba803c58be2d858dc8
SHA256

861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c
SHA512

eade70e20f0dce2eff066b8e4b2a2f683e310e8af32681228f37e1fa69c8e1ffef933eacdece3e6823195da1c002d5a5aad81e3c323aa4b126e6aa81f24a9f7f

Score

10^/10

hawkeye_reborn keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.0

Credentials

Protocol: smtp
Host:
mail.ancopottary.com
Port:
587
Username:
collins@ancopottary.com
Password:
niconpay$

Mutex

6814063d-6af8-47ff-b616-e3c11999f719

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:true _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:niconpay$ _EmailPort:587 _EmailSSL:true _EmailServer:mail.ancopottary.com _EmailUsername:collins@ancopottary.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:6814063d-6af8-47ff-b616-e3c11999f719 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:true _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "rundll32.exe"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "rundll32.exe"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "rundll32.exe"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "rundll32.exe"	RegAsm.exe

Drops startup file 1 IoCs

Processes:

861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LaunchWinApp.url	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
33	bot.whatismyipaddress.com
37	bot.whatismyipaddress.com
38	bot.whatismyipaddress.com
19	bot.whatismyipaddress.com
31	bot.whatismyipaddress.com
29	bot.whatismyipaddress.com
32	bot.whatismyipaddress.com
34	bot.whatismyipaddress.com
39	bot.whatismyipaddress.com
7	bot.whatismyipaddress.com
10	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 11 IoCs

Processes:

861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe

description	pid	process	target process
PID 204 set thread context of 3400	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 set thread context of 1224	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 set thread context of 1840	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 set thread context of 3352	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 set thread context of 3396	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 set thread context of 956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 set thread context of 2844	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 set thread context of 1880	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 set thread context of 1724	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 set thread context of 3184	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 set thread context of 1956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe

pid	process
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe

pid	process
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe

pid	process
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe

description	pid	process	target process
PID 204 wrote to memory of 3400	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3400	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3400	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3400	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3400	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1224	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1224	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1224	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1224	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1224	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1840	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1840	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1840	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1840	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1840	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3352	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3352	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3352	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3352	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3352	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3396	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3396	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3396	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3396	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3396	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 2844	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 2844	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 2844	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 2844	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 2844	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1880	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1880	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1880	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1880	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1880	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1724	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1724	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1724	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1724	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1724	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3184	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3184	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3184	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3184	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 3184	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe
PID 204 wrote to memory of 1956	204	861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe
"C:\Users\Admin\AppData\Local\Temp\861323785237f36e8d9ee99d2dd2f8e7030adae5ee2413e47f5cc6fa51af097c.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Sets file execution options in registry
PID:3400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Sets file execution options in registry
PID:1224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Sets file execution options in registry
PID:1840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Sets file execution options in registry
PID:3352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Sets file execution options in registry
PID:3396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Sets file execution options in registry
PID:956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Sets file execution options in registry
PID:2844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Sets file execution options in registry
PID:1880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Sets file execution options in registry
PID:1724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
- Sets file execution options in registry
PID:3184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
2⤵
PID:3888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
Filesize
680B

MD5
8faf48455ffc017246b08e89f6ba1956

SHA1
2f6c39d9828b3f95dc050f52a38cd7d3f543baf8

SHA256
9a643ce75fdfe840ea158010f28f8520bea2a60220494b44a25039a2a318fc35

SHA512
dafd4f1bf894ef1c61ff65dbcb8d5a151b33d8e39f3e354e6e433c8c7c0e8c2105615bffde8d796e361b77ccbe917a70ca4d03cc8cb6396f0495ff9e5b7010a9

Download Submit
memory/204-136-0x0000000001080000-0x000000000110B000-memory.dmp

Filesize
556KB

Download
memory/956-175-0x0000000000000000-mapping.dmp

Download
memory/956-182-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/956-181-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1224-140-0x0000000000000000-mapping.dmp

Download
memory/1224-147-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1224-148-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1224-149-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1724-207-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1724-206-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1724-200-0x0000000000000000-mapping.dmp

Download
memory/1840-150-0x0000000000000000-mapping.dmp

Download
memory/1840-157-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1840-156-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1880-199-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1880-198-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1880-192-0x0000000000000000-mapping.dmp

Download
memory/1956-224-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1956-223-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/1956-217-0x0000000000000000-mapping.dmp

Download
memory/2844-183-0x0000000000000000-mapping.dmp

Download
memory/2844-191-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/2844-190-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/2844-189-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3184-214-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3184-208-0x0000000000000000-mapping.dmp

Download
memory/3184-216-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3184-215-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3352-158-0x0000000000000000-mapping.dmp

Download
memory/3352-159-0x0000000000570000-0x0000000000600000-memory.dmp

Filesize
576KB

Download
memory/3352-164-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3352-166-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3352-165-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3396-168-0x0000000000700000-0x0000000000790000-memory.dmp

Filesize
576KB

Download
memory/3396-167-0x0000000000000000-mapping.dmp

Download
memory/3396-173-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3396-174-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3400-131-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3400-137-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3400-138-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3400-139-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download
memory/3400-130-0x0000000000000000-mapping.dmp

Download
memory/3888-225-0x0000000000000000-mapping.dmp

Download
memory/3888-231-0x00000000737E0000-0x0000000073D91000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads