hawkeye | 05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

General

Target

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
Size

988KB
MD5

55e67d17646026b9afbb19631ddc72f2
SHA1

eb3705bf928fde466630fb4df43ad5f0b19f3fa0
SHA256

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6
SHA512

7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.casalsmd.com
Port:
587
Username:
carolina@casalsmd.com
Password:
Carolina123

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 2 IoCs

Processes:

Windows Update.exeWindows Update.exe

pid process

3588 Windows Update.exe
188 Windows Update.exe

pid	process
3588	Windows Update.exe
188	Windows Update.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4084-1-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/4084-3-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/4084-4-0x0000000000400000-0x000000000051D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

Windows Update.exe

pid process

188 Windows Update.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
188	Windows Update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 whatismyipaddress.com
13 whatismyipaddress.com

flow	ioc
11	whatismyipaddress.com
13	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 1304 set thread context of 4084	1304	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
PID 3588 set thread context of 188	3588	Windows Update.exe	Windows Update.exe
PID 188 set thread context of 2064	188	Windows Update.exe	vbc.exe
PID 188 set thread context of 2584	188	Windows Update.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exeWindows Update.exevbc.exeWindows Update.exe

pid	process
1304	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
1304	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
3588	Windows Update.exe
3588	Windows Update.exe
2584	vbc.exe
2584	vbc.exe
188	Windows Update.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exeWindows Update.exe

pid process

1304 05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
3588 Windows Update.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Windows Update.exe

description pid process

Token: SeDebugPrivilege 188 Windows Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

188 Windows Update.exe

description	pid	process
Token: SeDebugPrivilege	188	Windows Update.exe

pid	process
188	Windows Update.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 1304 wrote to memory of 4084	1304	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
PID 1304 wrote to memory of 4084	1304	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
PID 1304 wrote to memory of 4084	1304	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
PID 4084 wrote to memory of 3588	4084	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	Windows Update.exe
PID 4084 wrote to memory of 3588	4084	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	Windows Update.exe
PID 4084 wrote to memory of 3588	4084	05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe	Windows Update.exe
PID 3588 wrote to memory of 188	3588	Windows Update.exe	Windows Update.exe
PID 3588 wrote to memory of 188	3588	Windows Update.exe	Windows Update.exe
PID 3588 wrote to memory of 188	3588	Windows Update.exe	Windows Update.exe
PID 188 wrote to memory of 2064	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2064	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2064	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2064	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2064	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2064	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2064	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2064	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2064	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2584	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2584	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2584	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2584	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2584	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2584	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2584	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2584	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 2584	188	Windows Update.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
"C:\Users\Admin\AppData\Local\Temp\05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe
"C:\Users\Admin\AppData\Local\Temp\05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
MD5
6bc1ef427b1fe6baec5b940fb63ff57e

SHA1
6cf3a1f3ab57a96bdf22d38885bf0c1a789d6739

SHA256
b661b508b8d3bfd545c80cc80baa8578d2be15e9c013fefbd587d4b00c7a525b

SHA512
373530d2f8cd7a94a7dae6d7aa493590c76ac37f2d12284174163fb310bc07b840bba75d45108ed7a7a8484b783a45dcb758cbf3f70dbeb17603ede6c3d80d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
55e67d17646026b9afbb19631ddc72f2

SHA1
eb3705bf928fde466630fb4df43ad5f0b19f3fa0

SHA256
05b31320ce0468280428878330ff35d4a1d96460b6f10c3032fd4cc794b1e9b6

SHA512
7e41888a2562e94a38e2b241fa37b079f5fa4468d05a04aed65e7baccb803898f12f36c7bec2e4f048c08395f1afd8e199896fdacb8bb3b9f475431c87a3bcc6

Download Submit
memory/188-17-0x0000000000772000-0x0000000000773000-memory.dmp

Filesize
4KB

Download
memory/188-16-0x00000000022C0000-0x0000000002348000-memory.dmp

Filesize
544KB

Download
memory/188-12-0x000000000051B4D0-mapping.dmp

Download
memory/1304-0-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/2064-20-0x0000000000411654-mapping.dmp

Download
memory/2064-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2064-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2584-22-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2584-23-0x0000000000442628-mapping.dmp

Download
memory/2584-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3588-10-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/3588-7-0x0000000000000000-mapping.dmp

Download
memory/4084-6-0x00000000022A2000-0x00000000022A3000-memory.dmp

Filesize
4KB

Download
memory/4084-5-0x00000000022B0000-0x0000000002338000-memory.dmp

Filesize
544KB

Download
memory/4084-4-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4084-3-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4084-2-0x000000000051B4D0-mapping.dmp

Download
memory/4084-1-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads