hawkeye | bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696

General

Target

bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
Size

595KB
MD5

c72fe8f5bf2b8ba807567c6d14f778b7
SHA1

d2508b1cd80dbffae32a25af6b67884cec475ac3
SHA256

bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696
SHA512

2d5994cd645d4a4a2fbb00ac4c54feed0c8c3690f1bcca8e4c012270a8c9c64186b74dc51aac4a02208cc0be27d79e3d4d3a55b4db5a759ea0b25f3d018457e9
SSDEEP

12288:MgnDOegilNv/nXQmvrI+Yd/CG0dubHTyMu4dxq8yA0bfunDaMgSfX2AuW:fDdNXFvX8d0srW4dw80CnD5VmAuW

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 8 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zzz.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\zzz.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
behavioral2/memory/4004-144-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/4004-145-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/4004-147-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/4004-148-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 9 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zzz.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\zzz.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
behavioral2/memory/4044-150-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/4044-151-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4044-153-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4044-154-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4044-156-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 13 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zzz.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\zzz.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
behavioral2/memory/4004-144-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4004-145-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4004-147-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4004-148-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4044-150-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4044-151-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4044-153-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4044-154-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4044-156-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

zzz.exeWindows Update.exe

pid process

3324 zzz.exe
2656 Windows Update.exe

pid	process
3324	zzz.exe
2656	Windows Update.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exezzz.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	zzz.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 whatismyipaddress.com
17 whatismyipaddress.com

flow	ioc
15	whatismyipaddress.com
17	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

Windows Update.exe

description	pid	process	target process
PID 2656 set thread context of 4004	2656	Windows Update.exe	vbc.exe
PID 2656 set thread context of 4044	2656	Windows Update.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exeWindows Update.exe

pid process

4044 vbc.exe
4044 vbc.exe
2656 Windows Update.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Windows Update.exe

description pid process

Token: SeDebugPrivilege 2656 Windows Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

2656 Windows Update.exe

pid	process
4044	vbc.exe
4044	vbc.exe
2656	Windows Update.exe

description	pid	process
Token: SeDebugPrivilege	2656	Windows Update.exe

pid	process
2656	Windows Update.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exezzz.exeWindows Update.exe

description	pid	process	target process
PID 5004 wrote to memory of 3324	5004	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe	zzz.exe
PID 5004 wrote to memory of 3324	5004	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe	zzz.exe
PID 5004 wrote to memory of 3324	5004	bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe	zzz.exe
PID 3324 wrote to memory of 2656	3324	zzz.exe	Windows Update.exe
PID 3324 wrote to memory of 2656	3324	zzz.exe	Windows Update.exe
PID 3324 wrote to memory of 2656	3324	zzz.exe	Windows Update.exe
PID 2656 wrote to memory of 4004	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4004	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4004	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4004	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4004	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4004	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4004	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4004	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4004	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4044	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4044	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4044	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4044	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4044	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4044	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4044	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4044	2656	Windows Update.exe	vbc.exe
PID 2656 wrote to memory of 4044	2656	Windows Update.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe
"C:\Users\Admin\AppData\Local\Temp\bb664c3135559ba510b09cd267cf89164613674be879375d7c92f629456f2696.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Local\Temp\zzz.exe
"C:\Users\Admin\AppData\Local\Temp\zzz.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Accesses Microsoft Outlook accounts
PID:4004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
41B

MD5
9f088842838e60944c3e28f04e5b933d

SHA1
66087851be274bd639e91710994324274ec258ed

SHA256
2e683191609033732beced3f0dbdcdc632ddc454716ed573dfd86bb74ab46eb0

SHA512
c250e9b9ab1aebc9fdd3739069df4a1a7dd784c10011de71066eb3410c8169f2733ea5bc28f04abe045ffe63ba34cbad4d56ef92799959dc5af7cb49908109e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzz.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
756KB

MD5
d1cf1cc4a509d5d98ace7f47b5bf6b55

SHA1
fda7a972da8bfc13a48b020e3e82fbe31c01d2d3

SHA256
05febca606df294d0086dcea6129dfa46b2b2b01663ccd71216142eb60cb749b

SHA512
986a95aa38b096d7fe9b43f7bdfab973443dda9e6c253415b4e2bcb919e2acaab55e1e90c94090148075915a8d88579829a0dba8a72089b22588634d79892dc8

Download Submit
memory/2656-142-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/2656-149-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/2656-138-0x0000000000000000-mapping.dmp

Download
memory/3324-137-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/3324-141-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/3324-133-0x0000000000000000-mapping.dmp

Download
memory/4004-144-0x0000000000000000-mapping.dmp

Download
memory/4004-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4004-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4004-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4044-153-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4044-150-0x0000000000000000-mapping.dmp

Download
memory/4044-151-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4044-154-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4044-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5004-136-0x0000000000400000-0x00000000004964F1-memory.dmp

Filesize
601KB

Download
memory/5004-132-0x0000000000400000-0x00000000004964F1-memory.dmp

Filesize
601KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads