Malware Analysis Report

2025-01-02 14:10

Sample ID 220731-kpe47ahgfj
Target b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a
SHA256 b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a
Tags
hawkeye keylogger persistence spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a

Threat Level: Known bad

The file b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a was found to be: Known bad.

Malicious Activity Summary

hawkeye keylogger persistence spyware stealer trojan

HawkEye

Nirsoft

NirSoft WebBrowserPassView

NirSoft MailPassView

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-31 08:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-31 08:46

Reported

2022-07-31 12:01

Platform

win7-20220718-en

Max time kernel

148s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Executes dropped EXE

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\project6765.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\project6765.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |

Uses the VBS compiler for execution

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Desktop\\project6765.exe -boot" | C:\Users\Admin\Desktop\project6765.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\Desktop\project6765.exe | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| PID 1696 set thread context of 1244 | N/A | C:\Users\Admin\Desktop\project6765.exe | C:\Users\Admin\Desktop\project6765.exe |
| PID 1244 set thread context of 900 | N/A | C:\Users\Admin\Desktop\project6765.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\project6765.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\project6765.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\project6765.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| PID 1292 wrote to memory of 1996 (4 identical rows collapsed) | N/A | C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1292 wrote to memory of 2036 (4 identical rows collapsed) | N/A | C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2036 wrote to memory of 1696 (4 identical rows collapsed) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\Desktop\project6765.exe |
| PID 1696 wrote to memory of 1244 (9 identical rows collapsed) | N/A | C:\Users\Admin\Desktop\project6765.exe | C:\Users\Admin\Desktop\project6765.exe |
| PID 1244 wrote to memory of 900 (10 identical rows collapsed) | N/A | C:\Users\Admin\Desktop\project6765.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe

"C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe" "C:\Users\Admin\Desktop\project6765.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Desktop\project6765.exe"

C:\Users\Admin\Desktop\project6765.exe

"C:\Users\Admin\Desktop\project6765.exe"

C:\Users\Admin\Desktop\project6765.exe

"C:\Users\Admin\Desktop\project6765.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.16.154.36:80 | whatismyipaddress.com | tcp |
| US | 104.16.154.36:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | smtp.modexdeals.xyz | udp |

Files

memory/1292-54-0x0000000000170000-0x0000000000278000-memory.dmp

memory/1292-55-0x0000000004370000-0x0000000004420000-memory.dmp

memory/1292-56-0x00000000003B0000-0x00000000003D0000-memory.dmp

memory/1292-57-0x0000000076921000-0x0000000076923000-memory.dmp

memory/1996-58-0x0000000000000000-mapping.dmp

memory/2036-59-0x0000000000000000-mapping.dmp

memory/1696-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\project6765.exe

MD5 5bc6ed82565d9c5c4878b574a37b4a20
SHA1 e6a6ee5473e9ea34165974c3fd2a94542d64bace
SHA256 b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a
SHA512 b6968383b9fe25c1ae5a5d76de2f0a61afaaf7942f91cc2ac9810bb8a38bca952ab08c687b59105b8fd836a8b3d89345ae704fa416432c21a7caa094df0623f4

memory/1696-64-0x0000000000060000-0x0000000000168000-memory.dmp

memory/1244-66-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1244-67-0x000000000047EAAE-mapping.dmp

memory/1244-70-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1244-72-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1244-74-0x0000000004F95000-0x0000000004FA6000-memory.dmp

memory/1244-75-0x0000000001E80000-0x0000000001E88000-memory.dmp

memory/900-77-0x0000000000411654-mapping.dmp

memory/900-76-0x0000000000400000-0x000000000041B000-memory.dmp

memory/900-80-0x0000000000400000-0x000000000041B000-memory.dmp

memory/900-81-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1956-82-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1956-83-0x0000000000442628-mapping.dmp

memory/1956-86-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1956-87-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1956-89-0x0000000000400000-0x0000000000458000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-31 08:46

Reported

2022-07-31 12:01

Platform

win10v2004-20220721-en

Max time kernel

142s

Max time network

187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe"

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\project6765.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe | N/A |

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\project6765.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe

"C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a.exe" "C:\Users\Admin\Desktop\project6765.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Desktop\project6765.exe"

C:\Users\Admin\Desktop\project6765.exe

"C:\Users\Admin\Desktop\project6765.exe"

Network

| Country | Destination | Domain | Proto |
| US | 20.44.10.122:443 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |

Files

memory/1372-130-0x0000000000C10000-0x0000000000D18000-memory.dmp

memory/1372-131-0x0000000008300000-0x00000000088A4000-memory.dmp

memory/1372-132-0x0000000007E30000-0x0000000007EC2000-memory.dmp

memory/1372-133-0x0000000007E20000-0x0000000007E2A000-memory.dmp

memory/1556-134-0x0000000000000000-mapping.dmp

memory/1748-135-0x0000000000000000-mapping.dmp

memory/2788-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\project6765.exe

MD5 5bc6ed82565d9c5c4878b574a37b4a20
SHA1 e6a6ee5473e9ea34165974c3fd2a94542d64bace
SHA256 b5fdef1cd635817002baffb1caa4af0f983fb4194b030527e269a59172cbbf1a
SHA512 b6968383b9fe25c1ae5a5d76de2f0a61afaaf7942f91cc2ac9810bb8a38bca952ab08c687b59105b8fd836a8b3d89345ae704fa416432c21a7caa094df0623f4