hawkeye | 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70

General

Target

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
Size

1.1MB
MD5

628159cada256516f610bbe6db816f77
SHA1

3d707cc93337e5d875861e01e363e10be7248702
SHA256

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70
SHA512

cc86a5fdc6d506c3b838ea83ced31d7264ab32296b45993f3a20af2ecd521f81dfb426eda345e4615e3505ace632b1c1a9551d418c835625ab61123b3a40d965
SSDEEP

24576:1ALejTbyeniCQEx88bUJevBnDa58aY+zX52t4/xpeJ2YYHv:1M4GCF8uU8cgk4tAxpsQv

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\tmp.exe	MailPassView
behavioral2/memory/1900-143-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral2/memory/1680-150-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/1680-151-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1680-153-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1680-154-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 8 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\tmp.exe	WebBrowserPassView
behavioral2/memory/1900-143-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral2/memory/2896-155-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/2896-156-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/2896-158-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/2896-159-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/2896-161-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 12 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\tmp.exe	Nirsoft
behavioral2/memory/1900-143-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral2/memory/1680-150-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/1680-151-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1680-153-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1680-154-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2896-155-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/2896-156-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2896-158-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2896-159-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2896-161-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

tmp.exenotepad .exe

pid process

4252 tmp.exe
1900 notepad .exe

pid	process
4252	tmp.exe
1900	notepad .exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	tmp.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 whatismyipaddress.com

flow	ioc
34	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exetmp.exe

description	pid	process	target process
PID 3404 set thread context of 1900	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 4252 set thread context of 1680	4252	tmp.exe	vbc.exe
PID 4252 set thread context of 2896	4252	tmp.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exevbc.exe

pid	process
3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
2896	vbc.exe
2896	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exetmp.exe

description	pid	process
Token: SeDebugPrivilege	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
Token: SeDebugPrivilege	4252	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tmp.exe

pid process

4252 tmp.exe

pid	process
4252	tmp.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.execmd.exetmp.exe

description	pid	process	target process
PID 3404 wrote to memory of 1780	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	cmd.exe
PID 3404 wrote to memory of 1780	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	cmd.exe
PID 3404 wrote to memory of 1780	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	cmd.exe
PID 1780 wrote to memory of 1128	1780	cmd.exe	wscript.exe
PID 1780 wrote to memory of 1128	1780	cmd.exe	wscript.exe
PID 1780 wrote to memory of 1128	1780	cmd.exe	wscript.exe
PID 3404 wrote to memory of 4252	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	tmp.exe
PID 3404 wrote to memory of 4252	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	tmp.exe
PID 3404 wrote to memory of 4252	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	tmp.exe
PID 3404 wrote to memory of 1900	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 3404 wrote to memory of 1900	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 3404 wrote to memory of 1900	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 3404 wrote to memory of 1900	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 3404 wrote to memory of 1900	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 3404 wrote to memory of 1900	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 3404 wrote to memory of 1900	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 3404 wrote to memory of 1900	3404	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 4252 wrote to memory of 1680	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 1680	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 1680	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 1680	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 1680	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 1680	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 1680	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 1680	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 1680	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 2896	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 2896	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 2896	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 2896	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 2896	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 2896	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 2896	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 2896	4252	tmp.exe	vbc.exe
PID 4252 wrote to memory of 2896	4252	tmp.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
"C:\Users\Admin\AppData\Local\Temp\871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Windows\temp\invs.vbs" "C:\Windows\temp\mata2.bat
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:1680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
- Executes dropped EXE
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\mata.bat

Filesize
69B

MD5
1d3598a9affc15c286c78b40a665bffc

SHA1
dad491b8d033ce7dd37b8cade0eb6f8fdb61ecdf

SHA256
524357b7b65b324c1c32607ba9cc71fed6437c502540c059732e8a44a6129bb2

SHA512
3c7ccc403d9c515f04acc99607609cd2254b2f5a21667f4df5706297e4a5ef15a161da839e325b755f6f9eec8b47e060ec1a027b0092c5b70cbbbb853228d0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
502KB

MD5
dd2f48d0d1fbc39d67d398c02dd03d08

SHA1
f34c3bd0511d0fe4f3a7417b31ccdf7ae8d4b807

SHA256
b3d5c2e7a04dd9b3c5da94b91b5783e2f1e65a6ddb26b86b62bc7f9d68986d1f

SHA512
22ebb2c8bf613987ded5f8e50a0edd6e19203b1187a52bdc442c4fa77113d8b3ba40b15d9b1af48f89b0153e3ab7c877d4d05a4c8a6a8bb6add1fda2fdac693c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
502KB

MD5
dd2f48d0d1fbc39d67d398c02dd03d08

SHA1
f34c3bd0511d0fe4f3a7417b31ccdf7ae8d4b807

SHA256
b3d5c2e7a04dd9b3c5da94b91b5783e2f1e65a6ddb26b86b62bc7f9d68986d1f

SHA512
22ebb2c8bf613987ded5f8e50a0edd6e19203b1187a52bdc442c4fa77113d8b3ba40b15d9b1af48f89b0153e3ab7c877d4d05a4c8a6a8bb6add1fda2fdac693c

Download Submit
memory/1128-135-0x0000000000000000-mapping.dmp

Download
memory/1680-154-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1680-153-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1680-151-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1680-150-0x0000000000000000-mapping.dmp

Download
memory/1780-133-0x0000000000000000-mapping.dmp

Download
memory/1900-139-0x0000000000000000-mapping.dmp

Download
memory/1900-146-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/1900-147-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/1900-143-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1900-149-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2896-155-0x0000000000000000-mapping.dmp

Download
memory/2896-161-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2896-159-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2896-158-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2896-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3404-148-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-132-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-141-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4252-140-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4252-136-0x0000000000000000-mapping.dmp

Download
memory/4252-142-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads