hawkeye | 05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

Analysis

max time kernel
151s
max time network
119s
platform
windows7_x64
resource
win7v20201028
submitted
14-11-2020 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
Size

988KB
MD5

55e67d17646026b9afbb19631ddc72f2
SHA1

eb3705bf928fde466630fb4df43ad5f0b19f3fa0
SHA256

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6
SHA512

7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.casalsmd.com
Port:
587
Username:
carolina@casalsmd.com
Password:
Carolina123

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 2 IoCs

Processes:

Windows Update.exeWindows Update.exe

pid process

1892 Windows Update.exe
1700 Windows Update.exe

pid	process
1892	Windows Update.exe
1700	Windows Update.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2004-1-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral1/memory/2004-3-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral1/memory/2004-4-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral1/memory/1700-25-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral1/memory/1700-26-0x0000000000400000-0x000000000051D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

Windows Update.exe

pid process

1700 Windows Update.exe

pid	process
1700	Windows Update.exe

Loads dropped DLL 8 IoCs

Processes:

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exeWindows Update.exeWindows Update.exe

pid	process
2004	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
1892	Windows Update.exe
1892	Windows Update.exe
1892	Windows Update.exe
1892	Windows Update.exe
1700	Windows Update.exe
1700	Windows Update.exe
1700	Windows Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 whatismyipaddress.com
8 whatismyipaddress.com
9 whatismyipaddress.com

flow	ioc
6	whatismyipaddress.com
8	whatismyipaddress.com
9	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 240 set thread context of 2004	240	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
PID 1892 set thread context of 1700	1892	Windows Update.exe	Windows Update.exe
PID 1700 set thread context of 276	1700	Windows Update.exe	vbc.exe
PID 1700 set thread context of 1500	1700	Windows Update.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exeWindows Update.exeWindows Update.exe

pid process

240 05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
1892 Windows Update.exe
1700 Windows Update.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exeWindows Update.exe

pid process

240 05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
1892 Windows Update.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Windows Update.exe

description pid process

Token: SeDebugPrivilege 1700 Windows Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

1700 Windows Update.exe

pid	process
240	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
1892	Windows Update.exe
1700	Windows Update.exe

pid	process
240	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
1892	Windows Update.exe

description	pid	process
Token: SeDebugPrivilege	1700	Windows Update.exe

pid	process
1700	Windows Update.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 240 wrote to memory of 2004	240	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
PID 240 wrote to memory of 2004	240	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
PID 240 wrote to memory of 2004	240	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
PID 240 wrote to memory of 2004	240	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
PID 2004 wrote to memory of 1892	2004	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	Windows Update.exe
PID 2004 wrote to memory of 1892	2004	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	Windows Update.exe
PID 2004 wrote to memory of 1892	2004	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	Windows Update.exe
PID 2004 wrote to memory of 1892	2004	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	Windows Update.exe
PID 2004 wrote to memory of 1892	2004	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	Windows Update.exe
PID 2004 wrote to memory of 1892	2004	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	Windows Update.exe
PID 2004 wrote to memory of 1892	2004	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	Windows Update.exe
PID 1892 wrote to memory of 1700	1892	Windows Update.exe	Windows Update.exe
PID 1892 wrote to memory of 1700	1892	Windows Update.exe	Windows Update.exe
PID 1892 wrote to memory of 1700	1892	Windows Update.exe	Windows Update.exe
PID 1892 wrote to memory of 1700	1892	Windows Update.exe	Windows Update.exe
PID 1892 wrote to memory of 1700	1892	Windows Update.exe	Windows Update.exe
PID 1892 wrote to memory of 1700	1892	Windows Update.exe	Windows Update.exe
PID 1892 wrote to memory of 1700	1892	Windows Update.exe	Windows Update.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 276	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe
PID 1700 wrote to memory of 1500	1700	Windows Update.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
"C:\Users\Admin\AppData\Local\Temp\05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:240

C:\Users\Admin\AppData\Local\Temp\05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
"C:\Users\Admin\AppData\Local\Temp\05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
PID:276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
5⤵
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
MD5
6bc1ef427b1fe6baec5b940fb63ff57e

SHA1
6cf3a1f3ab57a96bdf22d38885bf0c1a789d6739

SHA256
b661b508b8d3bfd545c80cc80baa8578d2be15e9c013fefbd587d4b00c7a525b

SHA512
373530d2f8cd7a94a7dae6d7aa493590c76ac37f2d12284174163fb310bc07b840bba75d45108ed7a7a8484b783a45dcb758cbf3f70dbeb17603ede6c3d80d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
memory/240-0-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/276-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/276-33-0x0000000000411654-mapping.dmp

Download
memory/276-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1184-39-0x000007FEF6400000-0x000007FEF667A000-memory.dmp

Filesize
2.5MB

Download
memory/1500-38-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1500-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1500-37-0x0000000000442628-mapping.dmp

Download
memory/1700-27-0x0000000000B40000-0x0000000000BC8000-memory.dmp

Filesize
544KB

Download
memory/1700-25-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1700-26-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1700-19-0x000000000051B4D0-mapping.dmp

Download
memory/1700-28-0x0000000000D32000-0x0000000000D33000-memory.dmp

Filesize
4KB

Download
memory/1892-16-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/1892-10-0x0000000000000000-mapping.dmp

Download
memory/2004-7-0x0000000001D20000-0x0000000001DA3000-memory.dmp

Filesize
524KB

Download
memory/2004-6-0x0000000001F02000-0x0000000001F03000-memory.dmp

Filesize
4KB

Download
memory/2004-5-0x0000000001E40000-0x0000000001EC8000-memory.dmp

Filesize
544KB

Download
memory/2004-4-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2004-3-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2004-1-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2004-2-0x000000000051B4D0-mapping.dmp

Download