hawkeye | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696

Analysis

max time kernel
66s
max time network
141s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
Size

595KB
MD5

c72fe8f5bf2b8ba807567c6d14f778b7
SHA1

d2508b1cd80dbffae32a25af6b67884cec475ac3
SHA256

bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696
SHA512

2d5994cd645d4a4a2fbb00ac4c54feed0c8c3690f1bcca8e4c012270a8c9c64186b74dc51aac4a02208cc0be27d79e3d4d3a55b4db5a759ea0b25f3d018457e9
SSDEEP

12288:MgnDOegilNv/nXQmvrI+Yd/CG0dubHTyMu4dxq8yA0bfunDaMgSfX2AuW:fDdNXFvX8d0srW4dw80CnD5VmAuW

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 14 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\zzz.exe	MailPassView
\Users\Admin\AppData\Local\Temp\zzz.exe	MailPassView
\Users\Admin\AppData\Local\Temp\zzz.exe	MailPassView
\Users\Admin\AppData\Local\Temp\zzz.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\zzz.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\zzz.exe	MailPassView
\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
behavioral1/memory/1596-77-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1596-78-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1596-81-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1596-82-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1596-83-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 14 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\zzz.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\zzz.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\zzz.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\zzz.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\zzz.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\zzz.exe	WebBrowserPassView
\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
behavioral1/memory/828-84-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/828-85-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/828-88-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/828-89-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/828-91-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 19 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\zzz.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\zzz.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\zzz.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\zzz.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\zzz.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\zzz.exe	Nirsoft
\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
behavioral1/memory/1596-77-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1596-78-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1596-81-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1596-82-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1596-83-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/828-84-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/828-85-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/828-88-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/828-89-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/828-91-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

zzz.exeWindows Update.exe

pid process

1636 zzz.exe
268 Windows Update.exe

pid	process
1636	zzz.exe
268	Windows Update.exe

Loads dropped DLL 5 IoCs

Processes:

bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exezzz.exe

pid	process
1132	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
1132	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
1132	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
1132	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
1636	zzz.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 whatismyipaddress.com
5 whatismyipaddress.com
6 whatismyipaddress.com

flow	ioc
3	whatismyipaddress.com
5	whatismyipaddress.com
6	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

Windows Update.exe

description	pid	process	target process
PID 268 set thread context of 1596	268	Windows Update.exe	vbc.exe
PID 268 set thread context of 828	268	Windows Update.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Windows Update.exe

pid process

268 Windows Update.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Windows Update.exe

description pid process

Token: SeDebugPrivilege 268 Windows Update.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

956 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

268 Windows Update.exe

pid	process
268	Windows Update.exe

description	pid	process
Token: SeDebugPrivilege	268	Windows Update.exe

pid	process
956	DllHost.exe

pid	process
268	Windows Update.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exezzz.exeWindows Update.exe

description	pid	process	target process
PID 1132 wrote to memory of 1636	1132	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe	zzz.exe
PID 1132 wrote to memory of 1636	1132	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe	zzz.exe
PID 1132 wrote to memory of 1636	1132	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe	zzz.exe
PID 1132 wrote to memory of 1636	1132	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe	zzz.exe
PID 1636 wrote to memory of 268	1636	zzz.exe	Windows Update.exe
PID 1636 wrote to memory of 268	1636	zzz.exe	Windows Update.exe
PID 1636 wrote to memory of 268	1636	zzz.exe	Windows Update.exe
PID 1636 wrote to memory of 268	1636	zzz.exe	Windows Update.exe
PID 1636 wrote to memory of 268	1636	zzz.exe	Windows Update.exe
PID 1636 wrote to memory of 268	1636	zzz.exe	Windows Update.exe
PID 1636 wrote to memory of 268	1636	zzz.exe	Windows Update.exe
PID 268 wrote to memory of 1596	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 1596	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 1596	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 1596	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 1596	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 1596	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 1596	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 1596	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 1596	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 1596	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 828	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 828	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 828	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 828	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 828	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 828	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 828	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 828	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 828	268	Windows Update.exe	vbc.exe
PID 268 wrote to memory of 828	268	Windows Update.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
"C:\Users\Admin\AppData\Local\Temp\bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\zzz.exe
"C:\Users\Admin\AppData\Local\Temp\zzz.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Accesses Microsoft Outlook accounts
PID:1596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
4⤵
PID:828

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
41B

MD5
9f088842838e60944c3e28f04e5b933d

SHA1
66087851be274bd639e91710994324274ec258ed

SHA256
2e683191609033732beced3f0dbdcdc632ddc454716ed573dfd86bb74ab46eb0

SHA512
c250e9b9ab1aebc9fdd3739069df4a1a7dd784c10011de71066eb3410c8169f2733ea5bc28f04abe045ffe63ba34cbad4d56ef92799959dc5af7cb49908109e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\lenin.jpg
Filesize
26KB

MD5
16d78b756d288d3c978cbf49decbfa66

SHA1
f512a67bed31a46dbabdaa1a71fe5b25cf3f8dda

SHA256
932beb2b03362e909d62dc2d37b849496be355ee0694467d36673731a34e5b33

SHA512
2417233adada4bf2dbbd05ffaffcccfce9732f56cd032a36fc20c32f921ceca7864fd8e18c77bcdee18ae73e48f538803b2f0d8f6fabb82e11d486a7d557cb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
memory/268-68-0x0000000000000000-mapping.dmp

Download
memory/268-73-0x0000000073400000-0x00000000739AB000-memory.dmp

Filesize
5.7MB

Download
memory/268-76-0x0000000073400000-0x00000000739AB000-memory.dmp

Filesize
5.7MB

Download
memory/828-88-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/828-89-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/828-84-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/828-85-0x0000000000442628-mapping.dmp

Download
memory/828-91-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1132-63-0x0000000000400000-0x00000000004964F1-memory.dmp

Filesize
601KB

Download
memory/1132-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1132-55-0x0000000000400000-0x00000000004964F1-memory.dmp

Filesize
601KB

Download
memory/1596-78-0x0000000000411654-mapping.dmp

Download
memory/1596-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1596-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1596-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1596-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1636-74-0x0000000073400000-0x00000000739AB000-memory.dmp

Filesize
5.7MB

Download
memory/1636-66-0x0000000073400000-0x00000000739AB000-memory.dmp

Filesize
5.7MB

Download
memory/1636-61-0x0000000000000000-mapping.dmp

Download