hawkeye | 113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe
Size

1.9MB
MD5

a18ed45b52b674ecc23b31681255c53a
SHA1

2656689676849653335a992192229818c3beac8b
SHA256

113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74
SHA512

83219f39e894c0b6f5f7b62bb2e8b74a10c0fc20cd12257f219098dea835e444acab9037c248f1d50c917e28879b07bb15fe72f50aa944f4d46e893adea23428
SSDEEP

24576:z2O/GltmPqpmf6q4IFn4/WgswzAXkVB3zJ6yU+Kn1g89rDi67g6zwzRQegxP2TRy:T/fZ4Iq/gEBP3zJ6yUNnhb5k1tTRze

Score

10^/10

hawkeye collection evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 1 IoCs

Processes:

dmyhywu.exe

pid process

1464 dmyhywu.exe

pid	process
1464	dmyhywu.exe

Loads dropped DLL 4 IoCs

Processes:

113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe

pid	process
1544	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe
1544	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe
1544	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe
1544	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dmyhywu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	dmyhywu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\2K483J~1 = "C:\\Users\\Admin\\2K483J~1\\nnxebgp.vbs"	dmyhywu.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

dmyhywu.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dmyhywu.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 whatismyipaddress.com
5 whatismyipaddress.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dmyhywu.exe

flow	ioc
3	whatismyipaddress.com
5	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

dmyhywu.exeRegSvcs.exe

description	pid	process	target process
PID 1464 set thread context of 1076	1464	dmyhywu.exe	RegSvcs.exe
PID 1076 set thread context of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 set thread context of 2004	1076	RegSvcs.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

dmyhywu.exeRegSvcs.exe

pid process

1464 dmyhywu.exe
1464 dmyhywu.exe
1076 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RegSvcs.exevbc.exevbc.exe

description pid process

Token: SeDebugPrivilege 1076 RegSvcs.exe
Token: SeDebugPrivilege 1316 vbc.exe
Token: SeDebugPrivilege 2004 vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1076 RegSvcs.exe

pid	process
1464	dmyhywu.exe
1464	dmyhywu.exe
1076	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1076	RegSvcs.exe
Token: SeDebugPrivilege	1316	vbc.exe
Token: SeDebugPrivilege	2004	vbc.exe

pid	process
1076	RegSvcs.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exedmyhywu.exeRegSvcs.exe

description	pid	process	target process
PID 1544 wrote to memory of 1464	1544	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe	dmyhywu.exe
PID 1544 wrote to memory of 1464	1544	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe	dmyhywu.exe
PID 1544 wrote to memory of 1464	1544	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe	dmyhywu.exe
PID 1544 wrote to memory of 1464	1544	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe	dmyhywu.exe
PID 1544 wrote to memory of 1464	1544	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe	dmyhywu.exe
PID 1544 wrote to memory of 1464	1544	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe	dmyhywu.exe
PID 1544 wrote to memory of 1464	1544	113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe	dmyhywu.exe
PID 1464 wrote to memory of 1076	1464	dmyhywu.exe	RegSvcs.exe
PID 1464 wrote to memory of 1076	1464	dmyhywu.exe	RegSvcs.exe
PID 1464 wrote to memory of 1076	1464	dmyhywu.exe	RegSvcs.exe
PID 1464 wrote to memory of 1076	1464	dmyhywu.exe	RegSvcs.exe
PID 1464 wrote to memory of 1076	1464	dmyhywu.exe	RegSvcs.exe
PID 1464 wrote to memory of 1076	1464	dmyhywu.exe	RegSvcs.exe
PID 1464 wrote to memory of 1076	1464	dmyhywu.exe	RegSvcs.exe
PID 1464 wrote to memory of 1076	1464	dmyhywu.exe	RegSvcs.exe
PID 1464 wrote to memory of 1076	1464	dmyhywu.exe	RegSvcs.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 1316	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe
PID 1076 wrote to memory of 2004	1076	RegSvcs.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe
"C:\Users\Admin\AppData\Local\Temp\113704a95c7eb6c38e96bd97f82fc364d355afe369a074283e3a44dcecb47e74.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\2k483j96b7k7\dmyhywu.exe
"C:\Users\Admin\2k483j96b7k7\dmyhywu.exe" xjgf
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2K483J~1\QFXWZO~1.BAB
Filesize
1.1MB

MD5
6bf1b71b109003e69298829d0efdc18d

SHA1
0432013b3a80cd6ff92f67c90110f2724c403979

SHA256
b371447bcafea9e221b68cbc36d9275785d204458e3118845ab011ddc64018b5

SHA512
946d0d460c084baac462d6ca4bac0c90bd0c531ba479a26f2adeaed76983d011c8c9c592ebe0f9bf39e687b565782f08cce678e5adaa0cca92412ec92ed6c200

Download Submit
C:\Users\Admin\2K483J~1\klnooluqy.HFX
Filesize
89B

MD5
87172b927436d328c16fdd2441effac4

SHA1
bd9af389ce92213d50e5ef6dff04d70e24204fa5

SHA256
b553e9cb69cc265ad2dfacea7430b7b817fa55c0a999daa4265b8ede10ee39f2

SHA512
d3579ceccd74012bdaa9de5c118b1d92c44bcf486991cd3d49df75753609d507a5936c8e438d4ef496b684df15a42cb4bb6f8015e79291298725bdfe61c989fe

Download Submit
C:\Users\Admin\2k483j96b7k7\dmyhywu.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\2k483j96b7k7\xjgf
Filesize
646.7MB

MD5
859590379f35b2be5b773722e9e0efd3

SHA1
183665b95f71a5a0f9476b4e1b47e006e887f9d7

SHA256
57e9177d6bdb8f20f0a822e540573d303bdf742f25403554d55a46998eecbe22

SHA512
cc6868c679c68577859dee931ddc089a12c8219a25ae5783a5c35d10ed0a2716367b308c0aa7aebccce5bea7f88e6884988dbd19feba41bfcb3791a11eebbb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
329B

MD5
f8ddf0fe04f214d64c3e5094ed622858

SHA1
245a91a1c968c45820fbbb319c1bcfc98b01b04e

SHA256
f73d76c930aa76b78390a50ee72b9169c7064b9e1256de76ab9ffb43bca8f5d3

SHA512
e6385a3d47f8969f2079ae28a4e2753c2da60e37601ebd15049e21f1490e7a1ec760a3cc6c8b75a8049aa8a08735a9f24187d7ad13c6ac8d4a5510dc88718900

Download Submit
\Users\Admin\2k483j96b7k7\dmyhywu.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\2k483j96b7k7\dmyhywu.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\2k483j96b7k7\dmyhywu.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\2k483j96b7k7\dmyhywu.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/1076-108-0x0000000000905000-0x0000000000916000-memory.dmp

Filesize
68KB

Download
memory/1076-65-0x00000000000D0000-0x00000000001F2000-memory.dmp

Filesize
1.1MB

Download
memory/1076-67-0x00000000000D0000-0x00000000001F2000-memory.dmp

Filesize
1.1MB

Download
memory/1076-68-0x00000000001EBABE-mapping.dmp

Download
memory/1076-70-0x00000000000D0000-0x00000000001F2000-memory.dmp

Filesize
1.1MB

Download
memory/1076-72-0x00000000000D0000-0x00000000001F2000-memory.dmp

Filesize
1.1MB

Download
memory/1076-74-0x0000000000905000-0x0000000000916000-memory.dmp

Filesize
68KB

Download
memory/1316-78-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1316-75-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1316-80-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1316-82-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1316-83-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1316-84-0x0000000000462B6D-mapping.dmp

Download
memory/1316-87-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1316-89-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1316-76-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1316-91-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1464-59-0x0000000000000000-mapping.dmp

Download
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/2004-93-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2004-97-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2004-99-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2004-100-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2004-101-0x0000000000460E2D-mapping.dmp

Download
memory/2004-104-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2004-95-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2004-107-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2004-92-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download