hawkeye | 836a169ec95d151c273829d47fcec0f4014f540686002687d0beb668e762f3e8

Analysis

max time kernel
139s
max time network
158s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

836a169ec95d151c273829d47fcec0f4014f540686002687d0beb668e762f3e8.exe
Size

633KB
MD5

42cedf3737858ae589d9d230485d5978
SHA1

c0c11971657a3979f4146d912a0aafe941a55207
SHA256

836a169ec95d151c273829d47fcec0f4014f540686002687d0beb668e762f3e8
SHA512

2c80c12e7a350b1808294970947334590c9c4ff37b0989530a0e8789979c242e593558aa6446f9a460d1fc7af6d0554e731f96bcb719f39df78a29ac6c057d9e

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.com
Port:
587
Username:
info.lashboxla.com@dr.com
Password:
Hunterman@45

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 11 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	MailPassView
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	MailPassView
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	MailPassView
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	MailPassView
behavioral1/memory/520-72-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/520-73-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/520-76-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/520-78-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/520-84-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 11 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	WebBrowserPassView
behavioral1/memory/1636-79-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1636-80-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/1636-83-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1636-85-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1636-87-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 16 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe	Nirsoft
behavioral1/memory/520-72-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/520-73-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/520-76-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/520-78-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1636-79-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1636-80-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/1636-83-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/520-84-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1636-85-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1636-87-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

mhaw.sfx.exemhaw.exe

pid process

1664 mhaw.sfx.exe
432 mhaw.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exemhaw.sfx.exe

pid process

1760 cmd.exe
1664 mhaw.sfx.exe
1664 mhaw.sfx.exe
1664 mhaw.sfx.exe
1664 mhaw.sfx.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1664	mhaw.sfx.exe
432	mhaw.exe

pid	process
1760	cmd.exe
1664	mhaw.sfx.exe
1664	mhaw.sfx.exe
1664	mhaw.sfx.exe
1664	mhaw.sfx.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mhaw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	mhaw.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 whatismyipaddress.com
7 whatismyipaddress.com
4 whatismyipaddress.com
Suspicious use of SetThreadContext 2 IoCs

Processes:

mhaw.exe

description pid process target process

PID 432 set thread context of 520 432 mhaw.exe vbc.exe
PID 432 set thread context of 1636 432 mhaw.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

mhaw.exe

pid process

432 mhaw.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mhaw.exe

description pid process

Token: SeDebugPrivilege 432 mhaw.exe

flow	ioc
6	whatismyipaddress.com
7	whatismyipaddress.com
4	whatismyipaddress.com

description	pid	process	target process
PID 432 set thread context of 520	432	mhaw.exe	vbc.exe
PID 432 set thread context of 1636	432	mhaw.exe	vbc.exe

pid	process
432	mhaw.exe

description	pid	process
Token: SeDebugPrivilege	432	mhaw.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

836a169ec95d151c273829d47fcec0f4014f540686002687d0beb668e762f3e8.execmd.exemhaw.sfx.exemhaw.exe

description	pid	process	target process
PID 1608 wrote to memory of 1760	1608	836a169ec95d151c273829d47fcec0f4014f540686002687d0beb668e762f3e8.exe	cmd.exe
PID 1608 wrote to memory of 1760	1608	836a169ec95d151c273829d47fcec0f4014f540686002687d0beb668e762f3e8.exe	cmd.exe
PID 1608 wrote to memory of 1760	1608	836a169ec95d151c273829d47fcec0f4014f540686002687d0beb668e762f3e8.exe	cmd.exe
PID 1608 wrote to memory of 1760	1608	836a169ec95d151c273829d47fcec0f4014f540686002687d0beb668e762f3e8.exe	cmd.exe
PID 1760 wrote to memory of 1664	1760	cmd.exe	mhaw.sfx.exe
PID 1760 wrote to memory of 1664	1760	cmd.exe	mhaw.sfx.exe
PID 1760 wrote to memory of 1664	1760	cmd.exe	mhaw.sfx.exe
PID 1760 wrote to memory of 1664	1760	cmd.exe	mhaw.sfx.exe
PID 1664 wrote to memory of 432	1664	mhaw.sfx.exe	mhaw.exe
PID 1664 wrote to memory of 432	1664	mhaw.sfx.exe	mhaw.exe
PID 1664 wrote to memory of 432	1664	mhaw.sfx.exe	mhaw.exe
PID 1664 wrote to memory of 432	1664	mhaw.sfx.exe	mhaw.exe
PID 432 wrote to memory of 520	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 520	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 520	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 520	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 520	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 520	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 520	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 520	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 520	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 520	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 1636	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 1636	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 1636	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 1636	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 1636	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 1636	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 1636	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 1636	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 1636	432	mhaw.exe	vbc.exe
PID 432 wrote to memory of 1636	432	mhaw.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\836a169ec95d151c273829d47fcec0f4014f540686002687d0beb668e762f3e8.exe
"C:\Users\Admin\AppData\Local\Temp\836a169ec95d151c273829d47fcec0f4014f540686002687d0beb668e762f3e8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mhaw.sfx.exe
mhaw.sfx.exe -p126 -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Accesses Microsoft Outlook accounts
PID:520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
5⤵
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat
Filesize
27B

MD5
278333e7bebe514e82777405c98db802

SHA1
67936482d1b46730345a062bb83f639649cc42bc

SHA256
fa38b9a45c3c76526aba430d8325107305c3a3ab1280ed248a346edbbb8f2efe

SHA512
cabf91987aaaec0f031a564c488dc410c6a8ce0fc477fd0088d60785a3b2dca31b8eb3268e2c30cfa76d15a719d0b9b507beee8130bccd587bca73b91f5aaa92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mhaw.sfx.exe
Filesize
506KB

MD5
d5ec2d8dd5c69bdab75e85e1b7ad3785

SHA1
09afa7be61ef4fdfe6eaaf944c40414e7e66aab6

SHA256
ad20ebbe21f85b9aa02787b974a36f8617e4adecf5858f5c17a29b35e8ba6878

SHA512
aefc72e55249087d58b021c39eca78742e0607aa5a1afbc69a8bab03e2c5a6a74c9ff22d00fb7544d9c9b3a3adbb09479c05bf890bd0c341d7e1f3c66f6b7829

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mhaw.sfx.exe
Filesize
506KB

MD5
d5ec2d8dd5c69bdab75e85e1b7ad3785

SHA1
09afa7be61ef4fdfe6eaaf944c40414e7e66aab6

SHA256
ad20ebbe21f85b9aa02787b974a36f8617e4adecf5858f5c17a29b35e8ba6878

SHA512
aefc72e55249087d58b021c39eca78742e0607aa5a1afbc69a8bab03e2c5a6a74c9ff22d00fb7544d9c9b3a3adbb09479c05bf890bd0c341d7e1f3c66f6b7829

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe
Filesize
520KB

MD5
a71903345e01f0e4fc7a61588231b135

SHA1
0047991b12692ab18a6c493ecfffab978fcb094c

SHA256
3d2c8eb7fadd0adfe5daf5eba397b21e4bb89d1e13295907c9da2deb75ff3458

SHA512
e3336fb9170fe41ca21090d84978e8c27c06bdbb94d6f549c82074aefcaa8626b287430710e56ee73eb58d6ea8d5e64530bcedb87e9d9c2d837beac4afb9b2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe
Filesize
520KB

MD5
a71903345e01f0e4fc7a61588231b135

SHA1
0047991b12692ab18a6c493ecfffab978fcb094c

SHA256
3d2c8eb7fadd0adfe5daf5eba397b21e4bb89d1e13295907c9da2deb75ff3458

SHA512
e3336fb9170fe41ca21090d84978e8c27c06bdbb94d6f549c82074aefcaa8626b287430710e56ee73eb58d6ea8d5e64530bcedb87e9d9c2d837beac4afb9b2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mhaw.sfx.exe
Filesize
506KB

MD5
d5ec2d8dd5c69bdab75e85e1b7ad3785

SHA1
09afa7be61ef4fdfe6eaaf944c40414e7e66aab6

SHA256
ad20ebbe21f85b9aa02787b974a36f8617e4adecf5858f5c17a29b35e8ba6878

SHA512
aefc72e55249087d58b021c39eca78742e0607aa5a1afbc69a8bab03e2c5a6a74c9ff22d00fb7544d9c9b3a3adbb09479c05bf890bd0c341d7e1f3c66f6b7829

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe
Filesize
520KB

MD5
a71903345e01f0e4fc7a61588231b135

SHA1
0047991b12692ab18a6c493ecfffab978fcb094c

SHA256
3d2c8eb7fadd0adfe5daf5eba397b21e4bb89d1e13295907c9da2deb75ff3458

SHA512
e3336fb9170fe41ca21090d84978e8c27c06bdbb94d6f549c82074aefcaa8626b287430710e56ee73eb58d6ea8d5e64530bcedb87e9d9c2d837beac4afb9b2cd

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe
Filesize
520KB

MD5
a71903345e01f0e4fc7a61588231b135

SHA1
0047991b12692ab18a6c493ecfffab978fcb094c

SHA256
3d2c8eb7fadd0adfe5daf5eba397b21e4bb89d1e13295907c9da2deb75ff3458

SHA512
e3336fb9170fe41ca21090d84978e8c27c06bdbb94d6f549c82074aefcaa8626b287430710e56ee73eb58d6ea8d5e64530bcedb87e9d9c2d837beac4afb9b2cd

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe
Filesize
520KB

MD5
a71903345e01f0e4fc7a61588231b135

SHA1
0047991b12692ab18a6c493ecfffab978fcb094c

SHA256
3d2c8eb7fadd0adfe5daf5eba397b21e4bb89d1e13295907c9da2deb75ff3458

SHA512
e3336fb9170fe41ca21090d84978e8c27c06bdbb94d6f549c82074aefcaa8626b287430710e56ee73eb58d6ea8d5e64530bcedb87e9d9c2d837beac4afb9b2cd

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\mhaw.exe
Filesize
520KB

MD5
a71903345e01f0e4fc7a61588231b135

SHA1
0047991b12692ab18a6c493ecfffab978fcb094c

SHA256
3d2c8eb7fadd0adfe5daf5eba397b21e4bb89d1e13295907c9da2deb75ff3458

SHA512
e3336fb9170fe41ca21090d84978e8c27c06bdbb94d6f549c82074aefcaa8626b287430710e56ee73eb58d6ea8d5e64530bcedb87e9d9c2d837beac4afb9b2cd

Download Submit
memory/432-70-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/432-66-0x0000000000000000-mapping.dmp

Download
memory/432-86-0x00000000001B5000-0x00000000001C6000-memory.dmp

Filesize
68KB

Download
memory/432-77-0x00000000001B5000-0x00000000001C6000-memory.dmp

Filesize
68KB

Download
memory/432-71-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/520-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/520-73-0x0000000000411654-mapping.dmp

Download
memory/520-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/520-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/520-84-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1608-54-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1636-79-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1636-80-0x0000000000442628-mapping.dmp

Download
memory/1636-83-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1636-85-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1636-87-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1664-59-0x0000000000000000-mapping.dmp

Download
memory/1760-55-0x0000000000000000-mapping.dmp

Download