hawkeye | f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f

General

Target

f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe
Size

540KB
MD5

c340b545e167371f71a21251f16980f7
SHA1

546efcf9a52b1efa0351e71d1e17becfc6a08250
SHA256

f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f
SHA512

314b30fe3068aaf54a6547f706508929ab91a008ac0a6fdc5443b63b7848007538ea14a7b24185c436182af5a32aa32681b681c3ac5492035fef3120f742139e
SSDEEP

6144:ku9GDrsbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9DK:zQtqB5urTIoYWBQk1E+VF9mOx9Dw3

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

Windows Update.exe

pid process

1984 Windows Update.exe
Deletes itself 1 IoCs

Processes:

Windows Update.exe

pid process

1984 Windows Update.exe
Loads dropped DLL 1 IoCs

Processes:

f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe

pid process

700 f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
700	f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	whatismyipaddress.com

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows Update.exe

pid	process
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe
1984	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Windows Update.exe

description pid process

Token: SeDebugPrivilege 1984 Windows Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

1984 Windows Update.exe

description	pid	process
Token: SeDebugPrivilege	1984	Windows Update.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe

description	pid	process	target process
PID 700 wrote to memory of 1984	700	f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe	Windows Update.exe
PID 700 wrote to memory of 1984	700	f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe	Windows Update.exe
PID 700 wrote to memory of 1984	700	f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe	Windows Update.exe
PID 700 wrote to memory of 1984	700	f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe	Windows Update.exe
PID 700 wrote to memory of 1984	700	f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe	Windows Update.exe
PID 700 wrote to memory of 1984	700	f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe	Windows Update.exe
PID 700 wrote to memory of 1984	700	f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe	Windows Update.exe

C:\Users\Admin\AppData\Local\Temp\f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe
"C:\Users\Admin\AppData\Local\Temp\f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
464ba472cde35baf02d5bcb42b52a3ab

SHA1
eb03712aacc701a1d7f6f99a3c5ce9f1c9a27df0

SHA256
fe993cc04866d632f36eb3b7e8e64fd6aed5d16b4e089002b9e12d07385c4e19

SHA512
6b95f51130bd439ed076c88e3d57f5cc65d684c8e8915364b1e6ba95290613ae9c07e16a3a83ad2c3f00a8a1806f168ed4a9a6fbc90325e29676583258cce5f5

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
540KB

MD5
c340b545e167371f71a21251f16980f7

SHA1
546efcf9a52b1efa0351e71d1e17becfc6a08250

SHA256
f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f

SHA512
314b30fe3068aaf54a6547f706508929ab91a008ac0a6fdc5443b63b7848007538ea14a7b24185c436182af5a32aa32681b681c3ac5492035fef3120f742139e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
540KB

MD5
c340b545e167371f71a21251f16980f7

SHA1
546efcf9a52b1efa0351e71d1e17becfc6a08250

SHA256
f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f

SHA512
314b30fe3068aaf54a6547f706508929ab91a008ac0a6fdc5443b63b7848007538ea14a7b24185c436182af5a32aa32681b681c3ac5492035fef3120f742139e

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
540KB

MD5
c340b545e167371f71a21251f16980f7

SHA1
546efcf9a52b1efa0351e71d1e17becfc6a08250

SHA256
f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f

SHA512
314b30fe3068aaf54a6547f706508929ab91a008ac0a6fdc5443b63b7848007538ea14a7b24185c436182af5a32aa32681b681c3ac5492035fef3120f742139e

Download Submit
memory/700-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/700-55-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/700-61-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-57-0x0000000000000000-mapping.dmp

Download
memory/1984-63-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-64-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads