hawkeye | f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09

General

Target

f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
Size

2.8MB
MD5

31ea801722a01123197b6715411d0ec7
SHA1

677c6df7d4ab64bba5471a64de1613661ae71fa1
SHA256

f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09
SHA512

06de197d739a6f344bd30e595f2521017b6098d7163d91ba280c5d208d02c1fe48d02d3f3c8ff3315ede29338f137582582f7555670ce1157cdee0d0afdf6e3d
SSDEEP

49152:GkthCJW+30AeduWfFhEl200Ql8z8qQrgsm0nCxVi1eXh+t2Sd1FDIA0L1:GaoJh0XuWfFelt0QlUBQsBViURQ2anDI

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 whatismyipaddress.com
10 whatismyipaddress.com
20 whatismyipaddress.com

flow	ioc
8	whatismyipaddress.com
10	whatismyipaddress.com
20	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe

description	pid	process
PID 1756 set thread context of 0	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
PID 1756 set thread context of 0	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 11 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\dem_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\.dem	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\.dem\ = "dem_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\dem_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\dem_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\dem_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\dem_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\dem_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe

pid process

1756 f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe

description pid process

Token: SeDebugPrivilege 1756 f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exeAcroRd32.exe

pid process

1756 f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
1984 AcroRd32.exe
1984 AcroRd32.exe

pid	process
1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe

description	pid	process
Token: SeDebugPrivilege	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe

pid	process
1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
1984	AcroRd32.exe
1984	AcroRd32.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1756 wrote to memory of 1544	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	rundll32.exe
PID 1756 wrote to memory of 1544	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	rundll32.exe
PID 1756 wrote to memory of 1544	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	rundll32.exe
PID 1756 wrote to memory of 820	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	rundll32.exe
PID 1756 wrote to memory of 820	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	rundll32.exe
PID 1756 wrote to memory of 820	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	rundll32.exe
PID 1544 wrote to memory of 1984	1544	rundll32.exe	AcroRd32.exe
PID 1544 wrote to memory of 1984	1544	rundll32.exe	AcroRd32.exe
PID 1544 wrote to memory of 1984	1544	rundll32.exe	AcroRd32.exe
PID 1544 wrote to memory of 1984	1544	rundll32.exe	AcroRd32.exe
PID 1756 wrote to memory of 1620	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1620	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1620	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1620	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1620	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1620	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1620	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1620	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1620	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1620	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 820 wrote to memory of 972	820	rundll32.exe	AcroRd32.exe
PID 820 wrote to memory of 972	820	rundll32.exe	AcroRd32.exe
PID 820 wrote to memory of 972	820	rundll32.exe	AcroRd32.exe
PID 820 wrote to memory of 972	820	rundll32.exe	AcroRd32.exe
PID 1756 wrote to memory of 1572	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1572	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1572	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1572	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1572	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1572	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1572	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1572	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1572	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe
PID 1756 wrote to memory of 1572	1756	f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe
"C:\Users\Admin\AppData\Local\Temp\f50b2f5af621d3488b72b25b80d656e9f7a111e76679f0afa0d4e36a99ccce09.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BFile_1.dem
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BFile_1.dem"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BFile_2.dem
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:820

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BFile_2.dem"
3⤵
PID:972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
2⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
2⤵
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BFile_1.dem
Filesize
185KB

MD5
56e5cb2ff918129380a87ed472ba3a8f

SHA1
4ec79985325fc6d3868820eef4a7f9ee895354ea

SHA256
5790258bc4123b2ecf535bea377d1f39dbf1bb890d575ac9fac8daded24e9da7

SHA512
798ea294c548e6773a04c5a0a4938bf27330ae9ae83dbf5b85687067f2af3d4a5babec323310015f2d5c8610ae27e0860b41fe44548628e9e65545e1404cb1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFile_2.dem
Filesize
163KB

MD5
2b05237c8f53bcdd1c7918020d04f51e

SHA1
220541db503745d2d112d7ba595577ec68970993

SHA256
f93b208197ded5deacbc4bf8c903c134b716c8e8ea6b983007cccfa46ebf17cd

SHA512
21b19c2b4cac0a6aafd8fadb12c376dfae87f06033dcb9c5b5c18bd2f7f94b352204b650a08a0bce8c6de071b94110fd95979466ddbe8af07da0f914bdcbe3a6

Download Submit
memory/820-58-0x0000000000000000-mapping.dmp

Download
memory/972-64-0x0000000000000000-mapping.dmp

Download
memory/1544-57-0x0000000000000000-mapping.dmp

Download
memory/1544-59-0x000007FEFBA91000-0x000007FEFBA93000-memory.dmp

Filesize
8KB

Download
memory/1756-54-0x000007FEF3710000-0x000007FEF4133000-memory.dmp

Filesize
10.1MB

Download
memory/1756-55-0x000007FEF2670000-0x000007FEF3706000-memory.dmp

Filesize
16.6MB

Download
memory/1756-56-0x00000000022E6000-0x0000000002305000-memory.dmp

Filesize
124KB

Download
memory/1984-61-0x0000000000000000-mapping.dmp

Download
memory/1984-62-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads