hawkeye | 04f6177bee237fe8f49353b9455c7367d6ab4d9e14a4139c9fccd7e4d349ce82

General

Target

INQUIRY.exe
Size

983KB
MD5

f354ba5b2b1698b83201afe17fb068fa
SHA1

72d40d81e7151a28178c74971a883991d6a33de0
SHA256

04f6177bee237fe8f49353b9455c7367d6ab4d9e14a4139c9fccd7e4d349ce82
SHA512

1e9898871da0f0ec35ef7b84258827a498fe885dbe8bbc135ca341d87281424c5ace42ae43436adc1d4fafe90658f234571f755518b89eba047c7a0e72cf6c9b

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.iigcest.com
Port:
587
Username:
ansaf@iigcest.com
Password:
Ans2016@

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5116-1-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/5116-5-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/5116-3-0x0000000000400000-0x000000000051D000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INQUIRY.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	INQUIRY.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 whatismyipaddress.com
10 whatismyipaddress.com

flow	ioc
8	whatismyipaddress.com
10	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

INQUIRY.exeINQUIRY.exe

description	pid	process	target process
PID 4760 set thread context of 5116	4760	INQUIRY.exe	INQUIRY.exe
PID 5116 set thread context of 856	5116	INQUIRY.exe	vbc.exe
PID 5116 set thread context of 1268	5116	INQUIRY.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2181 IoCs

Processes:

INQUIRY.exeINQUIRY.exe

pid	process
4760	INQUIRY.exe
4760	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe
3008	INQUIRY.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

INQUIRY.exe

pid process

4760 INQUIRY.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

INQUIRY.exe

description pid process

Token: SeDebugPrivilege 5116 INQUIRY.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

INQUIRY.exe

pid process

5116 INQUIRY.exe

description	pid	process
Token: SeDebugPrivilege	5116	INQUIRY.exe

pid	process
5116	INQUIRY.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

INQUIRY.exeINQUIRY.exe

description	pid	process	target process
PID 4760 wrote to memory of 5116	4760	INQUIRY.exe	INQUIRY.exe
PID 4760 wrote to memory of 5116	4760	INQUIRY.exe	INQUIRY.exe
PID 4760 wrote to memory of 5116	4760	INQUIRY.exe	INQUIRY.exe
PID 4760 wrote to memory of 3008	4760	INQUIRY.exe	INQUIRY.exe
PID 4760 wrote to memory of 3008	4760	INQUIRY.exe	INQUIRY.exe
PID 4760 wrote to memory of 3008	4760	INQUIRY.exe	INQUIRY.exe
PID 5116 wrote to memory of 856	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 856	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 856	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 856	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 856	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 856	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 856	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 856	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 856	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 1268	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 1268	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 1268	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 1268	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 1268	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 1268	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 1268	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 1268	5116	INQUIRY.exe	vbc.exe
PID 5116 wrote to memory of 1268	5116	INQUIRY.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe" 2 5116 259285000
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
memory/856-10-0x0000000000411654-mapping.dmp

Download
memory/856-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/856-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1268-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1268-13-0x0000000000442628-mapping.dmp

Download
memory/1268-12-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3008-4-0x0000000000000000-mapping.dmp

Download
memory/3008-7-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4760-0-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/5116-5-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5116-8-0x00000000022A2000-0x00000000022A3000-memory.dmp

Filesize
4KB

Download
memory/5116-6-0x0000000002340000-0x00000000023C8000-memory.dmp

Filesize
544KB

Download
memory/5116-3-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5116-1-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5116-2-0x000000000051B4D0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads