hawkeye | 019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd

General

Target

019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
Size

653KB
MD5

522853fc7173f637ae423e558c983ecd
SHA1

fc622564e9b8d2d39197969fd857f85188246b50
SHA256

019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd
SHA512

676a780af9b5e1b1c1fee6abe990d112f17a541a3dc2a1ea71680e4be56ee6a3155628741bba148841f2760629de0f386f4c6038c52a6772ea0b303d240489dc
SSDEEP

12288:ULmMOBCmXo7OCj+5MlaGBKwFJo6SYrfZfHoA+ybn:ULmxonVj+5MLBK6PrpHZrn

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 2 IoCs

Processes:

Windows Update.exeWindows Update.exe

pid process

4160 Windows Update.exe
1056 Windows Update.exe

pid	process
4160	Windows Update.exe
1056	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 whatismyipaddress.com
18 whatismyipaddress.com

flow	ioc
16	whatismyipaddress.com
18	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 1572 set thread context of 4932	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 4160 set thread context of 1056	4160	Windows Update.exe	Windows Update.exe
PID 1056 set thread context of 4496	1056	Windows Update.exe	vbc.exe
PID 1056 set thread context of 1540	1056	Windows Update.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exeWindows Update.exe

pid	process
1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
1056	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exeWindows Update.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
Token: SeDebugPrivilege	1056	Windows Update.exe
Token: SeDebugPrivilege	4496	vbc.exe
Token: SeDebugPrivilege	1540	vbc.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 1572 wrote to memory of 4876	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 1572 wrote to memory of 4876	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 1572 wrote to memory of 4876	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 1572 wrote to memory of 4932	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 1572 wrote to memory of 4932	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 1572 wrote to memory of 4932	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 1572 wrote to memory of 4932	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 1572 wrote to memory of 4932	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 1572 wrote to memory of 4932	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 1572 wrote to memory of 4932	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 1572 wrote to memory of 4932	1572	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
PID 4932 wrote to memory of 4160	4932	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	Windows Update.exe
PID 4932 wrote to memory of 4160	4932	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	Windows Update.exe
PID 4932 wrote to memory of 4160	4932	019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe	Windows Update.exe
PID 4160 wrote to memory of 1056	4160	Windows Update.exe	Windows Update.exe
PID 4160 wrote to memory of 1056	4160	Windows Update.exe	Windows Update.exe
PID 4160 wrote to memory of 1056	4160	Windows Update.exe	Windows Update.exe
PID 4160 wrote to memory of 1056	4160	Windows Update.exe	Windows Update.exe
PID 4160 wrote to memory of 1056	4160	Windows Update.exe	Windows Update.exe
PID 4160 wrote to memory of 1056	4160	Windows Update.exe	Windows Update.exe
PID 4160 wrote to memory of 1056	4160	Windows Update.exe	Windows Update.exe
PID 4160 wrote to memory of 1056	4160	Windows Update.exe	Windows Update.exe
PID 1056 wrote to memory of 4496	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 4496	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 4496	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 4496	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 4496	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 4496	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 4496	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 4496	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 4496	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 1540	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 1540	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 1540	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 1540	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 1540	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 1540	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 1540	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 1540	1056	Windows Update.exe	vbc.exe
PID 1056 wrote to memory of 1540	1056	Windows Update.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
"C:\Users\Admin\AppData\Local\Temp\019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
  "C:\Users\Admin\AppData\Local\Temp\019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe"
  2⤵
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe
  "C:\Users\Admin\AppData\Local\Temp\019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Roaming\Windows Update.exe
    "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Users\Admin\AppData\Roaming\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        Accesses Microsoft Outlook accounts
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd.exe.log

Filesize
411B

MD5
68be9441acf351336f840e306d0e4358

SHA1
52ceaf4b571222e189bc627fb0ae00173bcafb35

SHA256
e54172af886c1f85bd1643d7b816829d5b790986fb554d6964d8cd22f27056bd

SHA512
eb5bb2ae41e69017649f352e83c24583b36c3d44e4510d8e6f5462414aae2e01ac3dcf5364d261b6cb3ca101439c1a093504b15d84ca2d7500ed159b08f5800e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Windows Update.exe.log

Filesize
591B

MD5
beae730ba92f1f46e2abfc3b91e32bbb

SHA1
2410745812a783ffef14e36324ba354ce7e21a6b

SHA256
bf0b3c2472159acec35f9db03bf09ddef6f9e378e982d991add24e71e20bd586

SHA512
5176cd1f5f067b0028863e450fe3daacbe5b736cdadcbfa7e7c150fa96c1cb6df6d0c6635a09d2f0ba08f49052ca8c3fea94cf1c8f520141b1e9ed00a28f16f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
102B

MD5
51c13b31a41149833e00bf869af5d9c7

SHA1
498834850c5badd9839a567c527beb37fe50313d

SHA256
05b831d4e65c1759c69354be763e17df10a45a55e78f2bd053ce54f96cce77ad

SHA512
2e441977e6b81e27a7afceb3af0f3d156c7cc601e756d217618edc273bcadbaf8eebf2329dfc60337b04ab4e024c89cb8de2f513e267b53f735a19a325a41579

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
1KB

MD5
01e7975c708365983265ae40d604beb4

SHA1
f1c793c9b7a312d355cd944928ba9272bbeec44e

SHA256
95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40

SHA512
9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
653KB

MD5
522853fc7173f637ae423e558c983ecd

SHA1
fc622564e9b8d2d39197969fd857f85188246b50

SHA256
019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd

SHA512
676a780af9b5e1b1c1fee6abe990d112f17a541a3dc2a1ea71680e4be56ee6a3155628741bba148841f2760629de0f386f4c6038c52a6772ea0b303d240489dc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
653KB

MD5
522853fc7173f637ae423e558c983ecd

SHA1
fc622564e9b8d2d39197969fd857f85188246b50

SHA256
019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd

SHA512
676a780af9b5e1b1c1fee6abe990d112f17a541a3dc2a1ea71680e4be56ee6a3155628741bba148841f2760629de0f386f4c6038c52a6772ea0b303d240489dc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
653KB

MD5
522853fc7173f637ae423e558c983ecd

SHA1
fc622564e9b8d2d39197969fd857f85188246b50

SHA256
019e9e4afa3e3a822eebdf12426db96abe96514bb18710026d5f77effea7c3dd

SHA512
676a780af9b5e1b1c1fee6abe990d112f17a541a3dc2a1ea71680e4be56ee6a3155628741bba148841f2760629de0f386f4c6038c52a6772ea0b303d240489dc

Download Submit
memory/1056-149-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/1056-157-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/1056-144-0x0000000000000000-mapping.dmp

Download
memory/1540-164-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1540-162-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1540-161-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1540-160-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1540-159-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1540-158-0x0000000000000000-mapping.dmp

Download
memory/1572-136-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/1572-132-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4160-143-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4160-138-0x0000000000000000-mapping.dmp

Download
memory/4160-148-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-154-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4496-156-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4496-151-0x0000000000000000-mapping.dmp

Download
memory/4496-153-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4496-152-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4876-133-0x0000000000000000-mapping.dmp

Download
memory/4932-135-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4932-134-0x0000000000000000-mapping.dmp

Download
memory/4932-137-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4932-142-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads