hawkeye | 9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616

General

Target

9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe
Size

407KB
MD5

98518cfa1ad6fb3be1bcd3ba5fd0847d
SHA1

ba6e43ad2bbc0ac1da8e2063649e86ffcbcd6e26
SHA256

9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616
SHA512

bdede47ac2ba4a17aa62a0aa7452e966428ce0a98456ef138a5170da710fc9664a8b4f31410d92edb98b99887569bb5d6e9b93e539c988ada3a7203187e4df79
SSDEEP

6144:NbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihCj:NQtqB5urTIoYWBQkv

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
hruabfostiabgdjq

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft WebBrowserPassView 8 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
behavioral1/memory/528-65-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/528-66-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/528-70-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/528-71-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/528-73-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
behavioral1/memory/528-65-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/528-66-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/528-70-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/528-71-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/528-73-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

Windows Update.exe

pid process

2024 Windows Update.exe
Deletes itself 1 IoCs

Processes:

Windows Update.exe

pid process

2024 Windows Update.exe
Loads dropped DLL 1 IoCs

Processes:

9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe

pid process

1196 9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1196	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 whatismyipaddress.com
4 whatismyipaddress.com
6 whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Windows Update.exe

description pid process target process

PID 2024 set thread context of 528 2024 Windows Update.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
7	whatismyipaddress.com
4	whatismyipaddress.com
6	whatismyipaddress.com

description	pid	process	target process
PID 2024 set thread context of 528	2024	Windows Update.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows Update.exe

pid	process
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe
2024	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Windows Update.exe

description pid process

Token: SeDebugPrivilege 2024 Windows Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

2024 Windows Update.exe

description	pid	process
Token: SeDebugPrivilege	2024	Windows Update.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exeWindows Update.exe

description	pid	process	target process
PID 1196 wrote to memory of 2024	1196	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe	Windows Update.exe
PID 1196 wrote to memory of 2024	1196	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe	Windows Update.exe
PID 1196 wrote to memory of 2024	1196	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe	Windows Update.exe
PID 1196 wrote to memory of 2024	1196	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe	Windows Update.exe
PID 1196 wrote to memory of 2024	1196	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe	Windows Update.exe
PID 1196 wrote to memory of 2024	1196	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe	Windows Update.exe
PID 1196 wrote to memory of 2024	1196	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe	Windows Update.exe
PID 2024 wrote to memory of 528	2024	Windows Update.exe	vbc.exe
PID 2024 wrote to memory of 528	2024	Windows Update.exe	vbc.exe
PID 2024 wrote to memory of 528	2024	Windows Update.exe	vbc.exe
PID 2024 wrote to memory of 528	2024	Windows Update.exe	vbc.exe
PID 2024 wrote to memory of 528	2024	Windows Update.exe	vbc.exe
PID 2024 wrote to memory of 528	2024	Windows Update.exe	vbc.exe
PID 2024 wrote to memory of 528	2024	Windows Update.exe	vbc.exe
PID 2024 wrote to memory of 528	2024	Windows Update.exe	vbc.exe
PID 2024 wrote to memory of 528	2024	Windows Update.exe	vbc.exe
PID 2024 wrote to memory of 528	2024	Windows Update.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe
"C:\Users\Admin\AppData\Local\Temp\9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
102B

MD5
1c120a0ac5077750b290f14a3f3e026b

SHA1
8854921b58b4ac35ef13c83361d64d3bcc97ed01

SHA256
8b12e5460a8fef3973196261dbc617ba8164fb12661aa08568d0bdc2f6d8906a

SHA512
dbb918e4c267822e13c11c834a31ddc60d1f3b2604266bc2ac948d9539e6e89a491da67f0077df4a135ab3ee39cb4658c89bf1c8752a86961b4591c08f7b6e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
407KB

MD5
98518cfa1ad6fb3be1bcd3ba5fd0847d

SHA1
ba6e43ad2bbc0ac1da8e2063649e86ffcbcd6e26

SHA256
9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616

SHA512
bdede47ac2ba4a17aa62a0aa7452e966428ce0a98456ef138a5170da710fc9664a8b4f31410d92edb98b99887569bb5d6e9b93e539c988ada3a7203187e4df79

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
407KB

MD5
98518cfa1ad6fb3be1bcd3ba5fd0847d

SHA1
ba6e43ad2bbc0ac1da8e2063649e86ffcbcd6e26

SHA256
9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616

SHA512
bdede47ac2ba4a17aa62a0aa7452e966428ce0a98456ef138a5170da710fc9664a8b4f31410d92edb98b99887569bb5d6e9b93e539c988ada3a7203187e4df79

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
407KB

MD5
98518cfa1ad6fb3be1bcd3ba5fd0847d

SHA1
ba6e43ad2bbc0ac1da8e2063649e86ffcbcd6e26

SHA256
9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616

SHA512
bdede47ac2ba4a17aa62a0aa7452e966428ce0a98456ef138a5170da710fc9664a8b4f31410d92edb98b99887569bb5d6e9b93e539c988ada3a7203187e4df79

Download Submit
memory/528-70-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/528-65-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/528-66-0x0000000000442628-mapping.dmp

Download
memory/528-71-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/528-73-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1196-61-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1196-55-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-62-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-57-0x0000000000000000-mapping.dmp

Download
memory/2024-64-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-68-0x0000000001FB5000-0x0000000001FC6000-memory.dmp

Filesize
68KB

Download
memory/2024-74-0x0000000001FB5000-0x0000000001FC6000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads