hawkeye | 89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268

General

Target

89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe
Size

588KB
MD5

55062296cd82f3b8b5805a06dcb32cf6
SHA1

7c1614ca008dd7f04e6f93ef0daf1379f424af98
SHA256

89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268
SHA512

77829cc9ebe22e91cbba845d57e6c66e0f1cfad2840593a14f09bb4e649fefa7faad07053e264a2e74645d5a929449072e7dc01de9daaaa3b91c19455577b26a
SSDEEP

12288:WpR3kwv7SDitmQJLzpiCdcoW50pvYH9HKQ2TTqwmUyL8DSXzNOY4sxN514:JDktiGWmRYhKbTTLUjfr4

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/860-135-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/860-135-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/memory/860-135-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
4452	Windows Update.exe
760	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
59	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4928 set thread context of 860	4928	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	83
PID 4452 set thread context of 760	4452	Windows Update.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe
Token: SeDebugPrivilege	4452	Windows Update.exe
Token: SeDebugPrivilege	760	Windows Update.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 860	4928	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	83
PID 4928 wrote to memory of 860	4928	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	83
PID 4928 wrote to memory of 860	4928	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	83
PID 4928 wrote to memory of 860	4928	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	83
PID 4928 wrote to memory of 860	4928	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	83
PID 4928 wrote to memory of 860	4928	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	83
PID 4928 wrote to memory of 860	4928	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	83
PID 4928 wrote to memory of 860	4928	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	83
PID 860 wrote to memory of 4452	860	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	87
PID 860 wrote to memory of 4452	860	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	87
PID 860 wrote to memory of 4452	860	89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe	87
PID 4452 wrote to memory of 760	4452	Windows Update.exe	88
PID 4452 wrote to memory of 760	4452	Windows Update.exe	88
PID 4452 wrote to memory of 760	4452	Windows Update.exe	88
PID 4452 wrote to memory of 760	4452	Windows Update.exe	88
PID 4452 wrote to memory of 760	4452	Windows Update.exe	88
PID 4452 wrote to memory of 760	4452	Windows Update.exe	88
PID 4452 wrote to memory of 760	4452	Windows Update.exe	88
PID 4452 wrote to memory of 760	4452	Windows Update.exe	88

C:\Users\Admin\AppData\Local\Temp\89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe
"C:\Users\Admin\AppData\Local\Temp\89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe
  "C:\Users\Admin\AppData\Local\Temp\89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Roaming\Windows Update.exe
    "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Users\Admin\AppData\Roaming\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268.exe.log

Filesize
408B

MD5
04ad5d645afd4aad8257d37d2b197bd9

SHA1
f27458933c22a18ed06c3ef023d9356bae6f5e89

SHA256
519a7b0a515b09c8d149c48a26e782e13decd80c2a2957a751f58801bed026d0

SHA512
34097f7ec87c917ebb2f38a156a33ff1b5f8570141acd666a1fce2cd5d40e464762a3a596a44f078318f92823a7d7b961751c4399040a09e5eddb941f22c4754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Windows Update.exe.log

Filesize
408B

MD5
04ad5d645afd4aad8257d37d2b197bd9

SHA1
f27458933c22a18ed06c3ef023d9356bae6f5e89

SHA256
519a7b0a515b09c8d149c48a26e782e13decd80c2a2957a751f58801bed026d0

SHA512
34097f7ec87c917ebb2f38a156a33ff1b5f8570141acd666a1fce2cd5d40e464762a3a596a44f078318f92823a7d7b961751c4399040a09e5eddb941f22c4754

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
102B

MD5
fb3c82979b10d5771280bb983c0db54d

SHA1
23514bcb3c447cdff1a11c6cee41b1160a4ae44b

SHA256
4ec703d2894fc33b2d045ab356c300fa97241051afd63a684b3d3b4692f2db40

SHA512
af36f95b3e70c1a0be80001f599cafcbd4a1a16711e0e57f7466e3f6ef28302d3a51c95846c4126a25f5329063186311f4530a6c45cb1a99468037aa05b679b7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
588KB

MD5
55062296cd82f3b8b5805a06dcb32cf6

SHA1
7c1614ca008dd7f04e6f93ef0daf1379f424af98

SHA256
89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268

SHA512
77829cc9ebe22e91cbba845d57e6c66e0f1cfad2840593a14f09bb4e649fefa7faad07053e264a2e74645d5a929449072e7dc01de9daaaa3b91c19455577b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
588KB

MD5
55062296cd82f3b8b5805a06dcb32cf6

SHA1
7c1614ca008dd7f04e6f93ef0daf1379f424af98

SHA256
89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268

SHA512
77829cc9ebe22e91cbba845d57e6c66e0f1cfad2840593a14f09bb4e649fefa7faad07053e264a2e74645d5a929449072e7dc01de9daaaa3b91c19455577b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
588KB

MD5
55062296cd82f3b8b5805a06dcb32cf6

SHA1
7c1614ca008dd7f04e6f93ef0daf1379f424af98

SHA256
89a1bd1357e819ccd551b4ccd0b68e0ddb305148b57a2f2de9bd4d7529638268

SHA512
77829cc9ebe22e91cbba845d57e6c66e0f1cfad2840593a14f09bb4e649fefa7faad07053e264a2e74645d5a929449072e7dc01de9daaaa3b91c19455577b26a

Download Submit
memory/760-151-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/760-153-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/860-139-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/860-138-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/860-135-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/860-144-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/4452-143-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/4452-145-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/4452-150-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-137-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-133-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-132-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing