hawkeye | 2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8

General

Target

2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
Size

604KB
MD5

35270318eecbfbda22754799d481e00a
SHA1

be1ff8e3ae8a6b4040d7fb156e82b2e29b49a638
SHA256

2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8
SHA512

d20537b99b01e1589935e5c7640f5264fed5ab26dbbc62b42e4c2d029d69b9f95b6121dd6657a114fbb0be9730605dce870b5472596d2b0873406cf2e416ff3a

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4152-132-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral2/memory/5096-148-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/5096-149-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/5096-151-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/5096-152-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4152-132-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral2/memory/4916-153-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/4916-154-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4916-156-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4916-157-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4916-159-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4152-132-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral2/memory/5096-148-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/5096-149-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/5096-151-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/5096-152-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4916-153-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4916-154-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4916-156-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4916-157-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4916-159-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

Windows Update.exeWindows Update.exe

pid process

772 Windows Update.exe
4388 Windows Update.exe

pid	process
772	Windows Update.exe
4388	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 whatismyipaddress.com

flow	ioc
20	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 1904 set thread context of 4152	1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
PID 772 set thread context of 4388	772	Windows Update.exe	Windows Update.exe
PID 4388 set thread context of 5096	4388	Windows Update.exe	vbc.exe
PID 4388 set thread context of 4916	4388	Windows Update.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exeWindows Update.exeWindows Update.exe

pid	process
1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
772	Windows Update.exe
772	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe
4388	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exeWindows Update.exeWindows Update.exe

description	pid	process
Token: SeDebugPrivilege	1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
Token: SeDebugPrivilege	772	Windows Update.exe
Token: SeDebugPrivilege	4388	Windows Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

4388 Windows Update.exe

pid	process
4388	Windows Update.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 1904 wrote to memory of 4152	1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
PID 1904 wrote to memory of 4152	1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
PID 1904 wrote to memory of 4152	1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
PID 1904 wrote to memory of 4152	1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
PID 1904 wrote to memory of 4152	1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
PID 1904 wrote to memory of 4152	1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
PID 1904 wrote to memory of 4152	1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
PID 1904 wrote to memory of 4152	1904	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
PID 4152 wrote to memory of 772	4152	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	Windows Update.exe
PID 4152 wrote to memory of 772	4152	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	Windows Update.exe
PID 4152 wrote to memory of 772	4152	2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe	Windows Update.exe
PID 772 wrote to memory of 4388	772	Windows Update.exe	Windows Update.exe
PID 772 wrote to memory of 4388	772	Windows Update.exe	Windows Update.exe
PID 772 wrote to memory of 4388	772	Windows Update.exe	Windows Update.exe
PID 772 wrote to memory of 4388	772	Windows Update.exe	Windows Update.exe
PID 772 wrote to memory of 4388	772	Windows Update.exe	Windows Update.exe
PID 772 wrote to memory of 4388	772	Windows Update.exe	Windows Update.exe
PID 772 wrote to memory of 4388	772	Windows Update.exe	Windows Update.exe
PID 772 wrote to memory of 4388	772	Windows Update.exe	Windows Update.exe
PID 4388 wrote to memory of 5096	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 5096	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 5096	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 5096	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 5096	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 5096	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 5096	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 5096	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 5096	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 4916	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 4916	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 4916	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 4916	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 4916	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 4916	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 4916	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 4916	4388	Windows Update.exe	vbc.exe
PID 4388 wrote to memory of 4916	4388	Windows Update.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
"C:\Users\Admin\AppData\Local\Temp\2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe
"C:\Users\Admin\AppData\Local\Temp\2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Accesses Microsoft Outlook accounts
PID:5096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8.exe.log
Filesize
411B

MD5
39582d3351c79bbe6b34c92b86bb2e15

SHA1
0a5bc37313778570ffd8b7664fd04380446641f3

SHA256
a77ea8a3f342c18bc35e84d0c0255345ae259f80dd9ac4837760e5e4d5f593aa

SHA512
4e6acca2e4fd55d3dcdcaba0155364dcf17924113f23bb58c895e0119a79906f4e3fd1950d1dbb405cc02509373a1e2057a46dbc364189779ae96abb19214283

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
10b055e152a5d8080897d8da0edfa6b3

SHA1
c66e7484f33d78fb7749ca599ab3f8c7cc7cf738

SHA256
246d6455652a5300d1d19e1a8737abdb215dcf22c4e2781e4074723aa5a49287

SHA512
3ebda079e5cd1c1cee619bedec3aa5bbacdd15ad36a61cc82c5afee1200934c0deba9bce911daa83a2e52a58c8b4199baaad9758d463ef7a96b8b8668c239107

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
604KB

MD5
35270318eecbfbda22754799d481e00a

SHA1
be1ff8e3ae8a6b4040d7fb156e82b2e29b49a638

SHA256
2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8

SHA512
d20537b99b01e1589935e5c7640f5264fed5ab26dbbc62b42e4c2d029d69b9f95b6121dd6657a114fbb0be9730605dce870b5472596d2b0873406cf2e416ff3a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
604KB

MD5
35270318eecbfbda22754799d481e00a

SHA1
be1ff8e3ae8a6b4040d7fb156e82b2e29b49a638

SHA256
2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8

SHA512
d20537b99b01e1589935e5c7640f5264fed5ab26dbbc62b42e4c2d029d69b9f95b6121dd6657a114fbb0be9730605dce870b5472596d2b0873406cf2e416ff3a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
604KB

MD5
35270318eecbfbda22754799d481e00a

SHA1
be1ff8e3ae8a6b4040d7fb156e82b2e29b49a638

SHA256
2d9c97975ee96474e73b9d5466208d70479a371e555bf1bbd697f9981bb404b8

SHA512
d20537b99b01e1589935e5c7640f5264fed5ab26dbbc62b42e4c2d029d69b9f95b6121dd6657a114fbb0be9730605dce870b5472596d2b0873406cf2e416ff3a

Download Submit
memory/772-140-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/772-144-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/772-135-0x0000000000000000-mapping.dmp

Download
memory/1904-133-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/1904-130-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4152-132-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4152-134-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4152-139-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4152-131-0x0000000000000000-mapping.dmp

Download
memory/4388-147-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4388-145-0x0000000074E00000-0x00000000753B1000-memory.dmp

Filesize
5.7MB

Download
memory/4388-141-0x0000000000000000-mapping.dmp

Download
memory/4916-153-0x0000000000000000-mapping.dmp

Download
memory/4916-154-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4916-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4916-157-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4916-159-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-148-0x0000000000000000-mapping.dmp

Download
memory/5096-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5096-151-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5096-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads