hawkeye | 48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e

General

Target

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe
Size

648KB
MD5

6f1efdc80f87d1b895004a26c2948210
SHA1

cae36f996570f5e520dca5e764bf7815dd490675
SHA256

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e
SHA512

eec4c05ba75b988fc461a777ee97d38c49093919de2a633dd68a9baf6892e9dfb54efd0675f9cb5df1da6429b02294a6cee921c51ee35871c86144b2f0d1322e
SSDEEP

12288:j9ogAOvlpTyhX9oRZ17/gDXsa0mFzPOncImbp3hTRkWaQemLZN:j+gAwvTyhX9AgDXsa0mZPfIgp3hTCWa

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Drops startup file 1 IoCs

Processes:

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j2t6bIXtKRzH.lnk	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	RegAsm.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 whatismyipaddress.com
17 whatismyipaddress.com

flow	ioc
15	whatismyipaddress.com
17	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exeRegAsm.exe

description	pid	process	target process
PID 1208 set thread context of 3508	1208	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 3508 set thread context of 1524	3508	RegAsm.exe	vbc.exe
PID 3508 set thread context of 2700	3508	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

3508 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RegAsm.exevbc.exevbc.exe

description pid process

Token: SeDebugPrivilege 3508 RegAsm.exe
Token: SeDebugPrivilege 1524 vbc.exe
Token: SeDebugPrivilege 2700 vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

3508 RegAsm.exe

pid	process
3508	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3508	RegAsm.exe
Token: SeDebugPrivilege	1524	vbc.exe
Token: SeDebugPrivilege	2700	vbc.exe

pid	process
3508	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exeRegAsm.exe

description	pid	process	target process
PID 1208 wrote to memory of 3508	1208	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1208 wrote to memory of 3508	1208	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1208 wrote to memory of 3508	1208	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1208 wrote to memory of 3508	1208	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1208 wrote to memory of 3508	1208	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1208 wrote to memory of 3508	1208	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1208 wrote to memory of 3508	1208	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1208 wrote to memory of 3508	1208	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 3508 wrote to memory of 1524	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 1524	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 1524	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 1524	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 1524	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 1524	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 1524	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 1524	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 1524	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 2700	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 2700	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 2700	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 2700	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 2700	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 2700	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 2700	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 2700	3508	RegAsm.exe	vbc.exe
PID 3508 wrote to memory of 2700	3508	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe
"C:\Users\Admin\AppData\Local\Temp\48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
271B

MD5
a18df529a77ed1fbd887400151b9728f

SHA1
74912cb5e97566749ccae5f70e52ee87cb4dfa07

SHA256
599ceb2fab753551e7b27340cd3a9d2eb44a887dfb178d1c05015159bb352eb3

SHA512
a446e30992bc63b53952982e06069555e9b65eb25274495470d4410a04bcc9aeaa96b95300fc89512181e0614abf279f439b52f32ffc6ffb3034230c97aa08b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
327B

MD5
e4f3273432f9167e5f8bd2048206773d

SHA1
139b6566c6f8c6a359dd7e6063f88be24f701c8d

SHA256
b620b529c43ed1dab8db9c63b402958e1a0b65c9110029b92ac8ae2c21c0acb2

SHA512
e1bf722b627cd5f1e1678549d51f9556a1d31c8e5f47dfbe343c81aef7bac279ca2b062751666d650b2c196785a84b0d2edca09d1a04b829f4ae869e513e6941

Download Submit
memory/1208-136-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/1208-132-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/1524-140-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1524-138-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1524-139-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1524-137-0x0000000000000000-mapping.dmp

Download
memory/1524-142-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2700-147-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2700-150-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2700-148-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2700-144-0x0000000000000000-mapping.dmp

Download
memory/2700-145-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2700-146-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3508-135-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/3508-143-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/3508-133-0x0000000000000000-mapping.dmp

Download
memory/3508-134-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads