Malware Analysis Report

2025-01-02 14:17

Sample ID 220725-tldxdshfck
Target 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA256 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
Tags
hawkeye keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31

Threat Level: Known bad

The file 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31 was found to be: Known bad.

Malicious Activity Summary

hawkeye keylogger persistence spyware stealer trojan

HawkEye

Nirsoft

NirSoft MailPassView

NirSoft WebBrowserPassView

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Uses the VBS compiler for execution

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-25 16:08

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-25 16:08

Reported

2022-07-26 04:09

Platform

win10v2004-20220721-en

Max time kernel

188s

Max time network

195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\Project224.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\Project224.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Documents\\Project224.exe -boot" | C:\Users\Admin\Documents\Project224.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\Documents\Project224.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | whatismyipaddress.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4484 set thread context of 208 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\Project224.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\Project224.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\Project224.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2192 wrote to memory of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 4484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\Documents\Project224.exe
PID 2420 wrote to memory of 4484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\Documents\Project224.exe
PID 2420 wrote to memory of 4484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\Documents\Project224.exe
PID 4484 wrote to memory of 208 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 4484 wrote to memory of 208 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 4484 wrote to memory of 208 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 4484 wrote to memory of 208 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 4484 wrote to memory of 208 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 4484 wrote to memory of 208 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 4484 wrote to memory of 208 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 4484 wrote to memory of 208 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe

"C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe" "C:\Users\Admin\Documents\Project224.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Documents\Project224.exe"

C:\Users\Admin\Documents\Project224.exe

"C:\Users\Admin\Documents\Project224.exe"

C:\Users\Admin\Documents\Project224.exe

"C:\Users\Admin\Documents\Project224.exe"

Network

Country | Destination | Domain | Proto
US | 67.26.209.254:80 | N/A | tcp
US | 67.26.209.254:80 | N/A | tcp
NL | 8.238.23.254:80 | N/A | tcp
GB | 51.104.15.253:443 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
NL | 8.238.23.254:80 | N/A | tcp
US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp
US | 204.79.197.203:80 | N/A | tcp
US | 8.8.8.8:53 | whatismyipaddress.com | udp
US | 104.16.154.36:80 | whatismyipaddress.com | tcp
US | 104.16.155.36:80 | whatismyipaddress.com | tcp
US | 8.8.8.8:53 | smtp.modexdeals.xyz | udp

Files

memory/2192-130-0x0000000000310000-0x00000000003F6000-memory.dmp

memory/2192-131-0x0000000005320000-0x00000000058C4000-memory.dmp

memory/2192-132-0x0000000004E10000-0x0000000004EA2000-memory.dmp

memory/2192-133-0x0000000005310000-0x000000000531A000-memory.dmp

memory/3232-134-0x0000000000000000-mapping.dmp

memory/2420-135-0x0000000000000000-mapping.dmp

memory/4484-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\Documents\Project224.exe

MD5 621bbd51e44db9b507a911ceba8c6e4d
SHA1 524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA256 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512 b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

C:\Users\Admin\Documents\Project224.exe

MD5 621bbd51e44db9b507a911ceba8c6e4d
SHA1 524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA256 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512 b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

memory/4484-139-0x00000000056C0000-0x000000000575C000-memory.dmp

memory/208-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\Documents\Project224.exe

MD5 621bbd51e44db9b507a911ceba8c6e4d
SHA1 524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA256 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512 b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

memory/208-143-0x0000000000800000-0x0000000000884000-memory.dmp

memory/208-144-0x0000000005040000-0x0000000005096000-memory.dmp

memory/208-145-0x0000000000C60000-0x0000000000CC6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-25 16:08

Reported

2022-07-26 04:07

Platform

win7-20220715-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\Project224.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\Project224.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Documents\\Project224.exe -boot" | C:\Users\Admin\Documents\Project224.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\Documents\Project224.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | whatismyipaddress.com | N/A | N/A
N/A | whatismyipaddress.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1788 set thread context of 2036 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\Project224.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\Project224.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\Project224.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 640 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\Documents\Project224.exe
PID 1256 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\Documents\Project224.exe
PID 1256 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\Documents\Project224.exe
PID 1256 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\Documents\Project224.exe
PID 1788 wrote to memory of 2036 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 1788 wrote to memory of 2036 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 1788 wrote to memory of 2036 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 1788 wrote to memory of 2036 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 1788 wrote to memory of 2036 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 1788 wrote to memory of 2036 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 1788 wrote to memory of 2036 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 1788 wrote to memory of 2036 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe
PID 1788 wrote to memory of 2036 | N/A | C:\Users\Admin\Documents\Project224.exe | C:\Users\Admin\Documents\Project224.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe

"C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31.exe" "C:\Users\Admin\Documents\Project224.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Documents\Project224.exe"

C:\Users\Admin\Documents\Project224.exe

"C:\Users\Admin\Documents\Project224.exe"

C:\Users\Admin\Documents\Project224.exe

"C:\Users\Admin\Documents\Project224.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | whatismyipaddress.com | udp
US | 104.16.154.36:80 | whatismyipaddress.com | tcp
US | 104.16.154.36:443 | whatismyipaddress.com | tcp
US | 8.8.8.8:53 | smtp.modexdeals.xyz | udp

Files

memory/640-54-0x0000000000E00000-0x0000000000EE6000-memory.dmp

memory/640-55-0x0000000004BC0000-0x0000000004C70000-memory.dmp

memory/640-56-0x0000000000250000-0x000000000026E000-memory.dmp

memory/640-57-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

memory/1444-58-0x0000000000000000-mapping.dmp

memory/1256-59-0x0000000000000000-mapping.dmp

\Users\Admin\Documents\Project224.exe

MD5 621bbd51e44db9b507a911ceba8c6e4d
SHA1 524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA256 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512 b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

C:\Users\Admin\Documents\Project224.exe

MD5 621bbd51e44db9b507a911ceba8c6e4d
SHA1 524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA256 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512 b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

memory/1788-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\Documents\Project224.exe

MD5 621bbd51e44db9b507a911ceba8c6e4d
SHA1 524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA256 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512 b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

memory/1788-64-0x00000000002D0000-0x00000000003B6000-memory.dmp

memory/2036-66-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2036-67-0x000000000047EA7E-mapping.dmp

C:\Users\Admin\Documents\Project224.exe

MD5 621bbd51e44db9b507a911ceba8c6e4d
SHA1 524a771f04ee76bddc16d5a6c0d59ac4f97b3398
SHA256 5568f17165b2499bfb5fe5eefaf6d8e571c8d5168ef32740bcb26679c612ea31
SHA512 b33de89cbebe427ee84e6b4ecc08e7635b6fa01f37a85f87c571d804db69774eb7df5fe623d262b195a59fb78a267daab8f636278599484c231be2905d9fe3c8

memory/2036-70-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2036-72-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2036-74-0x00000000007A0000-0x00000000007A8000-memory.dmp