hawkeye | 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31

General

Target

5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe
Size

883KB
MD5

621bbd51e44db9b507a911ceba8c6e4d
SHA1

524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA256

5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512

b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2036-66-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/2036-67-0x000000000047EA7E-mapping.dmp	MailPassView
behavioral1/memory/2036-70-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/2036-72-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2036-66-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/2036-67-0x000000000047EA7E-mapping.dmp	WebBrowserPassView
behavioral1/memory/2036-70-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/2036-72-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2036-66-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/2036-67-0x000000000047EA7E-mapping.dmp	Nirsoft
behavioral1/memory/2036-70-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/2036-72-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

Project224.exeProject224.exe

pid process

1788 Project224.exe
2036 Project224.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1256 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1788	Project224.exe
2036	Project224.exe

pid	process
1256	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Project224.exeProject224.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Documents\\Project224.exe -boot"	Project224.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Project224.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Project224.exe

description pid process target process

PID 1788 set thread context of 2036 1788 Project224.exe Project224.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com

description	pid	process	target process
PID 1788 set thread context of 2036	1788	Project224.exe	Project224.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exeProject224.exeProject224.exe

description	pid	process
Token: SeDebugPrivilege	640	5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe
Token: SeDebugPrivilege	1788	Project224.exe
Token: SeDebugPrivilege	2036	Project224.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Project224.exe

pid process

2036 Project224.exe

pid	process
2036	Project224.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.execmd.exeProject224.exe

description	pid	process	target process
PID 640 wrote to memory of 1444	640	5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe	cmd.exe
PID 640 wrote to memory of 1444	640	5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe	cmd.exe
PID 640 wrote to memory of 1444	640	5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe	cmd.exe
PID 640 wrote to memory of 1444	640	5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe	cmd.exe
PID 640 wrote to memory of 1256	640	5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe	cmd.exe
PID 640 wrote to memory of 1256	640	5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe	cmd.exe
PID 640 wrote to memory of 1256	640	5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe	cmd.exe
PID 640 wrote to memory of 1256	640	5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe	cmd.exe
PID 1256 wrote to memory of 1788	1256	cmd.exe	Project224.exe
PID 1256 wrote to memory of 1788	1256	cmd.exe	Project224.exe
PID 1256 wrote to memory of 1788	1256	cmd.exe	Project224.exe
PID 1256 wrote to memory of 1788	1256	cmd.exe	Project224.exe
PID 1788 wrote to memory of 2036	1788	Project224.exe	Project224.exe
PID 1788 wrote to memory of 2036	1788	Project224.exe	Project224.exe
PID 1788 wrote to memory of 2036	1788	Project224.exe	Project224.exe
PID 1788 wrote to memory of 2036	1788	Project224.exe	Project224.exe
PID 1788 wrote to memory of 2036	1788	Project224.exe	Project224.exe
PID 1788 wrote to memory of 2036	1788	Project224.exe	Project224.exe
PID 1788 wrote to memory of 2036	1788	Project224.exe	Project224.exe
PID 1788 wrote to memory of 2036	1788	Project224.exe	Project224.exe
PID 1788 wrote to memory of 2036	1788	Project224.exe	Project224.exe

C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe
"C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe" "C:\Users\Admin\Documents\Project224.exe"
2⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Documents\Project224.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\Documents\Project224.exe
"C:\Users\Admin\Documents\Project224.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\Documents\Project224.exe
"C:\Users\Admin\Documents\Project224.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Project224.exe
Filesize
883KB

MD5
621bbd51e44db9b507a911ceba8c6e4d

SHA1
524a771f04ee76bddc16d5a6c0d59ac4f97b3398

SHA256
5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31

SHA512
b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

Download Submit
C:\Users\Admin\Documents\Project224.exe
Filesize
883KB

MD5
621bbd51e44db9b507a911ceba8c6e4d

SHA1
524a771f04ee76bddc16d5a6c0d59ac4f97b3398

SHA256
5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31

SHA512
b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

Download Submit
C:\Users\Admin\Documents\Project224.exe
Filesize
883KB

MD5
621bbd51e44db9b507a911ceba8c6e4d

SHA1
524a771f04ee76bddc16d5a6c0d59ac4f97b3398

SHA256
5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31

SHA512
b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

Download Submit
\Users\Admin\Documents\Project224.exe
Filesize
883KB

MD5
621bbd51e44db9b507a911ceba8c6e4d

SHA1
524a771f04ee76bddc16d5a6c0d59ac4f97b3398

SHA256
5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31

SHA512
b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

Download Submit
memory/640-55-0x0000000004BC0000-0x0000000004C70000-memory.dmp

Filesize
704KB

Download
memory/640-56-0x0000000000250000-0x000000000026E000-memory.dmp

Filesize
120KB

Download
memory/640-57-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/640-54-0x0000000000E00000-0x0000000000EE6000-memory.dmp

Filesize
920KB

Download
memory/1256-59-0x0000000000000000-mapping.dmp

Download
memory/1444-58-0x0000000000000000-mapping.dmp

Download
memory/1788-62-0x0000000000000000-mapping.dmp

Download
memory/1788-64-0x00000000002D0000-0x00000000003B6000-memory.dmp

Filesize
920KB

Download
memory/2036-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2036-67-0x000000000047EA7E-mapping.dmp

Download
memory/2036-70-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2036-72-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2036-74-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads