hawkeye | 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b

General

Target

6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
Size

737KB
MD5

1761d36ee0dd421415d880c6051dff4c
SHA1

49d19aab6814703768384c2f3f38f9a497764962
SHA256

6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b
SHA512

1ddab5d31d79ee727a465392cd2c9004a2d86a529af298a5c78113a164a8adcb241bb741e142c28e06334366673af12f42ec41cd1a60c4113cd202f564cb1abd

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
ns7.hadara.ps
Port:
587
Username:
box@alnasserstone.com
Password:
qazxswqazxsw@123

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\tmp.exe	MailPassView
behavioral2/memory/868-135-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral2/memory/4664-139-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/4664-140-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/4664-142-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/4664-143-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\tmp.exe	WebBrowserPassView
behavioral2/memory/868-135-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral2/memory/2456-148-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/2456-147-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/2456-150-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/2456-152-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\tmp.exe	Nirsoft
behavioral2/memory/868-135-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral2/memory/4664-139-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4664-140-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4664-142-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4664-143-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2456-148-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2456-147-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/2456-150-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2456-152-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

3448 tmp.exe

pid	process
3448	tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 whatismyipaddress.com
24 whatismyipaddress.com

flow	ioc
22	whatismyipaddress.com
24	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

description	pid	process	target process
PID 4324 set thread context of 868	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
PID 868 set thread context of 4664	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 set thread context of 2456	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe

Drops file in Windows directory 3 IoCs

Processes:

6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
File created	C:\Windows\assembly\Desktop.ini	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exevbc.exe6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

pid	process
4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
2456	vbc.exe
2456	vbc.exe
868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

description	pid	process
Token: SeDebugPrivilege	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
Token: SeDebugPrivilege	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

pid process

868 6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

pid	process
868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe

description	pid	process	target process
PID 4324 wrote to memory of 3448	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	tmp.exe
PID 4324 wrote to memory of 3448	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	tmp.exe
PID 4324 wrote to memory of 3448	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	tmp.exe
PID 4324 wrote to memory of 868	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
PID 4324 wrote to memory of 868	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
PID 4324 wrote to memory of 868	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
PID 4324 wrote to memory of 868	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
PID 4324 wrote to memory of 868	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
PID 4324 wrote to memory of 868	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
PID 4324 wrote to memory of 868	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
PID 4324 wrote to memory of 868	4324	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
PID 868 wrote to memory of 4664	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 4664	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 4664	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 4664	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 4664	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 4664	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 4664	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 4664	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 4664	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 2456	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 2456	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 2456	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 2456	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 2456	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 2456	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 2456	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 2456	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe
PID 868 wrote to memory of 2456	868	6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
"C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
PID:3448

C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe
"C:\Users\Admin\AppData\Local\Temp\6115bdc2a2393806df8e8eafefbe1c64b605ecb75a107f288317e3615f1eff9b.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:4664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
520KB

MD5
9c2b62407b2ed9680066a998d6772d18

SHA1
e2601164d04673a035241702f2849cf400d16286

SHA256
6d7e3ea5be4fc6079904b9e3aa757718e34708a00e419588d47e35502820698d

SHA512
f008248f14d5aa9f8a222a2e1986b6a5afb5dc0f1d601b819518b50baa2c99cd98f137bcf31a0e931c015dcfc98257944d955f16c2232472a0064278587d6bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
520KB

MD5
9c2b62407b2ed9680066a998d6772d18

SHA1
e2601164d04673a035241702f2849cf400d16286

SHA256
6d7e3ea5be4fc6079904b9e3aa757718e34708a00e419588d47e35502820698d

SHA512
f008248f14d5aa9f8a222a2e1986b6a5afb5dc0f1d601b819518b50baa2c99cd98f137bcf31a0e931c015dcfc98257944d955f16c2232472a0064278587d6bb1

Download Submit
memory/868-146-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/868-135-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/868-137-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/868-134-0x0000000000000000-mapping.dmp

Download
memory/2456-148-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2456-152-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2456-150-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2456-147-0x0000000000000000-mapping.dmp

Download
memory/3448-138-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/3448-131-0x0000000000000000-mapping.dmp

Download
memory/3448-136-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4324-144-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4324-145-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4324-130-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4664-143-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4664-142-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4664-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4664-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads