hawkeye | 63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868

General

Target

63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
Size

1016KB
MD5

4fcf858d501c24cdb9b14dadc906f5c2
SHA1

d5cf9a07cbc8d1640db4a3d0cfcf6c38905ee104
SHA256

63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868
SHA512

704a32765906226c442074c36159756d11db0020d407ca5b2c61f8b01926dd9c46919531450c9593c5bdfb10c269dfef4e8ff2c00ecf8e5f9432aacfba632878
SSDEEP

24576:5yXqa5T1mYh3HZbalXpaQTJUOcsNQwIkWpD13q4UQ+dU:EBTfHZmlXpewQwIkWr3q41+d

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 2 IoCs

Processes:

63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.execsrss.exe

pid process

4984 63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
3024 csrss.exe

pid	process
4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
3024	csrss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 whatismyipaddress.com

flow	ioc
43	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe

description	pid	process	target process
PID 1552 set thread context of 4984	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
PID 4984 set thread context of 3512	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 set thread context of 3904	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

Processes:

cmd.exe63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\csrss.exe\:ZONE.identifier:$DATA	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
File created	C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe\:ZONE.identifier:$DATA	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exe

pid	process
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe
3024	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

csrss.exe63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	3024	csrss.exe
Token: SeDebugPrivilege	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
Token: SeDebugPrivilege	3512	vbc.exe
Token: SeDebugPrivilege	3904	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe

pid process

4984 63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe

pid	process
4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe

description	pid	process	target process
PID 1552 wrote to memory of 3376	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	cmd.exe
PID 1552 wrote to memory of 3376	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	cmd.exe
PID 1552 wrote to memory of 3376	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	cmd.exe
PID 1552 wrote to memory of 4984	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
PID 1552 wrote to memory of 4984	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
PID 1552 wrote to memory of 4984	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
PID 1552 wrote to memory of 4984	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
PID 1552 wrote to memory of 4984	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
PID 1552 wrote to memory of 4984	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
PID 1552 wrote to memory of 4984	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
PID 1552 wrote to memory of 4984	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
PID 1552 wrote to memory of 3024	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	csrss.exe
PID 1552 wrote to memory of 3024	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	csrss.exe
PID 1552 wrote to memory of 3024	1552	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	csrss.exe
PID 4984 wrote to memory of 3512	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3512	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3512	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3512	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3512	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3512	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3512	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3512	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3512	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3904	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3904	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3904	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3904	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3904	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3904	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3904	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3904	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe
PID 4984 wrote to memory of 3904	4984	63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
"C:\Users\Admin\AppData\Local\Temp\63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe":ZONE.identifier & exit
2⤵
- NTFS ADS
PID:3376

C:\Users\Admin\AppData\Local\Temp\63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
"C:\Users\Admin\AppData\Local\Temp\63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe" -proc 4984 C:\Users\Admin\AppData\Local\Temp\63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
Filesize
1016KB

MD5
4fcf858d501c24cdb9b14dadc906f5c2

SHA1
d5cf9a07cbc8d1640db4a3d0cfcf6c38905ee104

SHA256
63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868

SHA512
704a32765906226c442074c36159756d11db0020d407ca5b2c61f8b01926dd9c46919531450c9593c5bdfb10c269dfef4e8ff2c00ecf8e5f9432aacfba632878

Download Submit
C:\Users\Admin\AppData\Local\Temp\63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868.exe
Filesize
1016KB

MD5
4fcf858d501c24cdb9b14dadc906f5c2

SHA1
d5cf9a07cbc8d1640db4a3d0cfcf6c38905ee104

SHA256
63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868

SHA512
704a32765906226c442074c36159756d11db0020d407ca5b2c61f8b01926dd9c46919531450c9593c5bdfb10c269dfef4e8ff2c00ecf8e5f9432aacfba632878

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
1016KB

MD5
4fcf858d501c24cdb9b14dadc906f5c2

SHA1
d5cf9a07cbc8d1640db4a3d0cfcf6c38905ee104

SHA256
63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868

SHA512
704a32765906226c442074c36159756d11db0020d407ca5b2c61f8b01926dd9c46919531450c9593c5bdfb10c269dfef4e8ff2c00ecf8e5f9432aacfba632878

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
1016KB

MD5
4fcf858d501c24cdb9b14dadc906f5c2

SHA1
d5cf9a07cbc8d1640db4a3d0cfcf6c38905ee104

SHA256
63f204b8435481126056af777f85462f0bdc4f5c40c850eeba1df60e56ab7868

SHA512
704a32765906226c442074c36159756d11db0020d407ca5b2c61f8b01926dd9c46919531450c9593c5bdfb10c269dfef4e8ff2c00ecf8e5f9432aacfba632878

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
271B

MD5
a18df529a77ed1fbd887400151b9728f

SHA1
74912cb5e97566749ccae5f70e52ee87cb4dfa07

SHA256
599ceb2fab753551e7b27340cd3a9d2eb44a887dfb178d1c05015159bb352eb3

SHA512
a446e30992bc63b53952982e06069555e9b65eb25274495470d4410a04bcc9aeaa96b95300fc89512181e0614abf279f439b52f32ffc6ffb3034230c97aa08b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
327B

MD5
e4f3273432f9167e5f8bd2048206773d

SHA1
139b6566c6f8c6a359dd7e6063f88be24f701c8d

SHA256
b620b529c43ed1dab8db9c63b402958e1a0b65c9110029b92ac8ae2c21c0acb2

SHA512
e1bf722b627cd5f1e1678549d51f9556a1d31c8e5f47dfbe343c81aef7bac279ca2b062751666d650b2c196785a84b0d2edca09d1a04b829f4ae869e513e6941

Download Submit
memory/1552-145-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/1552-132-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/3024-148-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/3024-146-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/3024-142-0x0000000000000000-mapping.dmp

Download
memory/3376-133-0x0000000000000000-mapping.dmp

Download
memory/3512-154-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3512-150-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3512-152-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3512-151-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3512-149-0x0000000000000000-mapping.dmp

Download
memory/3904-158-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3904-155-0x0000000000000000-mapping.dmp

Download
memory/3904-156-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3904-157-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3904-159-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3904-161-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4984-136-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4984-147-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/4984-137-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4984-135-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4984-141-0x0000000074B60000-0x0000000075111000-memory.dmp

Filesize
5.7MB

Download
memory/4984-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads