hawkeye | 9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616

Analysis

max time kernel
165s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe
Size

407KB
MD5

98518cfa1ad6fb3be1bcd3ba5fd0847d
SHA1

ba6e43ad2bbc0ac1da8e2063649e86ffcbcd6e26
SHA256

9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616
SHA512

bdede47ac2ba4a17aa62a0aa7452e966428ce0a98456ef138a5170da710fc9664a8b4f31410d92edb98b99887569bb5d6e9b93e539c988ada3a7203187e4df79
SSDEEP

6144:NbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihCj:NQtqB5urTIoYWBQkv

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

Windows Update.exe

pid process

1172 Windows Update.exe

pid	process
1172	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

92 whatismyipaddress.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
92	whatismyipaddress.com

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe

description	pid	process	target process
PID 4732 wrote to memory of 1172	4732	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe	Windows Update.exe
PID 4732 wrote to memory of 1172	4732	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe	Windows Update.exe
PID 4732 wrote to memory of 1172	4732	9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe	Windows Update.exe

C:\Users\Admin\AppData\Local\Temp\9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe
"C:\Users\Admin\AppData\Local\Temp\9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
2⤵
- Executes dropped EXE
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
102B

MD5
1c120a0ac5077750b290f14a3f3e026b

SHA1
8854921b58b4ac35ef13c83361d64d3bcc97ed01

SHA256
8b12e5460a8fef3973196261dbc617ba8164fb12661aa08568d0bdc2f6d8906a

SHA512
dbb918e4c267822e13c11c834a31ddc60d1f3b2604266bc2ac948d9539e6e89a491da67f0077df4a135ab3ee39cb4658c89bf1c8752a86961b4591c08f7b6e65

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
407KB

MD5
98518cfa1ad6fb3be1bcd3ba5fd0847d

SHA1
ba6e43ad2bbc0ac1da8e2063649e86ffcbcd6e26

SHA256
9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616

SHA512
bdede47ac2ba4a17aa62a0aa7452e966428ce0a98456ef138a5170da710fc9664a8b4f31410d92edb98b99887569bb5d6e9b93e539c988ada3a7203187e4df79

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
407KB

MD5
98518cfa1ad6fb3be1bcd3ba5fd0847d

SHA1
ba6e43ad2bbc0ac1da8e2063649e86ffcbcd6e26

SHA256
9608be066f824c5d08873a5c70301d7168f0130e486d00cc074e2f83426c6616

SHA512
bdede47ac2ba4a17aa62a0aa7452e966428ce0a98456ef138a5170da710fc9664a8b4f31410d92edb98b99887569bb5d6e9b93e539c988ada3a7203187e4df79

Download Submit
memory/1172-133-0x0000000000000000-mapping.dmp

Download
memory/1172-137-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1172-139-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4732-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4732-136-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download