hawkeye | f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876

General

Target

f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
Size

851KB
MD5

a325f236a67ad2b6358456ab41e1579c
SHA1

f3d5e9d5bc62a3d9cd67d988adab2fef3a02ff3f
SHA256

f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876
SHA512

e126a54120273f8e6e7029cb6bee629d867c592201688adeb02f2c3ec9ac458715949eb5bad4ad399b1a532b8980c600a42bd021d39f416f913cc003bf6ed955
SSDEEP

12288:Edzgfn7tc9g5pdpfeAvdbzseZtzsUrm4GWbhuAmjKwtC2ccq6/C:EdzM7X5RPNTlrm4GWbh0jKuCa/

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.krippspharmacy.com
Port:
587
Username:
mail@krippspharmacy.com
Password:
12Durex@

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 2 IoCs

Processes:

Windows Update.exeWindows Update.exe

pid process

3284 Windows Update.exe
2884 Windows Update.exe

pid	process
3284	Windows Update.exe
2884	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 whatismyipaddress.com

flow	ioc
9	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 1332 set thread context of 4944	1332	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
PID 3284 set thread context of 2884	3284	Windows Update.exe	Windows Update.exe
PID 2884 set thread context of 4816	2884	Windows Update.exe	vbc.exe
PID 2884 set thread context of 4048	2884	Windows Update.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Windows Update.exe

pid process

2884 Windows Update.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Windows Update.exevbc.exevbc.exe

description pid process

Token: SeDebugPrivilege 2884 Windows Update.exe
Token: SeDebugPrivilege 4816 vbc.exe
Token: SeDebugPrivilege 4048 vbc.exe

pid	process
2884	Windows Update.exe

description	pid	process
Token: SeDebugPrivilege	2884	Windows Update.exe
Token: SeDebugPrivilege	4816	vbc.exe
Token: SeDebugPrivilege	4048	vbc.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exef3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 1332 wrote to memory of 4944	1332	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
PID 1332 wrote to memory of 4944	1332	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
PID 1332 wrote to memory of 4944	1332	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
PID 1332 wrote to memory of 4944	1332	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
PID 1332 wrote to memory of 4944	1332	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
PID 1332 wrote to memory of 4944	1332	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
PID 1332 wrote to memory of 4944	1332	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
PID 1332 wrote to memory of 4944	1332	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
PID 4944 wrote to memory of 3284	4944	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	Windows Update.exe
PID 4944 wrote to memory of 3284	4944	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	Windows Update.exe
PID 4944 wrote to memory of 3284	4944	f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe	Windows Update.exe
PID 3284 wrote to memory of 2884	3284	Windows Update.exe	Windows Update.exe
PID 3284 wrote to memory of 2884	3284	Windows Update.exe	Windows Update.exe
PID 3284 wrote to memory of 2884	3284	Windows Update.exe	Windows Update.exe
PID 3284 wrote to memory of 2884	3284	Windows Update.exe	Windows Update.exe
PID 3284 wrote to memory of 2884	3284	Windows Update.exe	Windows Update.exe
PID 3284 wrote to memory of 2884	3284	Windows Update.exe	Windows Update.exe
PID 3284 wrote to memory of 2884	3284	Windows Update.exe	Windows Update.exe
PID 3284 wrote to memory of 2884	3284	Windows Update.exe	Windows Update.exe
PID 2884 wrote to memory of 4816	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4816	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4816	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4816	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4816	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4816	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4816	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4816	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4816	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4048	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4048	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4048	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4048	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4048	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4048	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4048	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4048	2884	Windows Update.exe	vbc.exe
PID 2884 wrote to memory of 4048	2884	Windows Update.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
"C:\Users\Admin\AppData\Local\Temp\f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe
"C:\Users\Admin\AppData\Local\Temp\f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Windows Update.exe.log
Filesize
680B

MD5
57759fe60eac7d0305440dd783f63f9d

SHA1
5bc02ad2e03aa79a7dd9aad18eaacf09b649f2a2

SHA256
2c69a59f3b25701c3b6ba2bc5e7a406885e2cc4eefdbc9f904d8ead2aedb22f3

SHA512
bde22023288b4e67e17f717b537e578ca3e69725469d9bb29959c9502ceb5029cac146faefc81987cf4ce0d194db7101833d43950bc7d1a2630d975ae3a91a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876.exe.log
Filesize
500B

MD5
010e583858b4b6c97cc79a40ea3b682a

SHA1
820553512ffb533b9c2c31429fe89d82e4baf508

SHA256
96c7b50de55a134534378de700d77dd5ccf780b498d59c631bd19c9e61212ebd

SHA512
00f8097e01d9c9f034d908c10f4fdc5d9cd1041c0352b772795ab5e9ae13c9eaf02fe335cc2634b8feebcef771b371d8a1217e04b9d2a8f14b9ed513d5155f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
c23b4dca2fb385a95fe457abf38f8a12

SHA1
642fa6a8e90a369c7eefd5a7051d00531823e583

SHA256
132d60ed79cc32e5e5da44ef0f444bfb8c0bb66f0f76d39ea8347c65e498fb6d

SHA512
bf150f0d98c936610a6ce15eee63e4213c279d17261e1d242abac2a47fce99e861ff14d9d263c3d69128119ad724ddbc4e4af5e4ad900ef79646d8a1641bda0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
1KB

MD5
01e7975c708365983265ae40d604beb4

SHA1
f1c793c9b7a312d355cd944928ba9272bbeec44e

SHA256
95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40

SHA512
9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
851KB

MD5
a325f236a67ad2b6358456ab41e1579c

SHA1
f3d5e9d5bc62a3d9cd67d988adab2fef3a02ff3f

SHA256
f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876

SHA512
e126a54120273f8e6e7029cb6bee629d867c592201688adeb02f2c3ec9ac458715949eb5bad4ad399b1a532b8980c600a42bd021d39f416f913cc003bf6ed955

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
851KB

MD5
a325f236a67ad2b6358456ab41e1579c

SHA1
f3d5e9d5bc62a3d9cd67d988adab2fef3a02ff3f

SHA256
f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876

SHA512
e126a54120273f8e6e7029cb6bee629d867c592201688adeb02f2c3ec9ac458715949eb5bad4ad399b1a532b8980c600a42bd021d39f416f913cc003bf6ed955

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
851KB

MD5
a325f236a67ad2b6358456ab41e1579c

SHA1
f3d5e9d5bc62a3d9cd67d988adab2fef3a02ff3f

SHA256
f3078cbc60e6e228a4987e41dd247f8d381a761ebebe6f1bcc92be37a3228876

SHA512
e126a54120273f8e6e7029cb6bee629d867c592201688adeb02f2c3ec9ac458715949eb5bad4ad399b1a532b8980c600a42bd021d39f416f913cc003bf6ed955

Download Submit
memory/1332-136-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1332-132-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2884-150-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2884-148-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2884-143-0x0000000000000000-mapping.dmp

Download
memory/3284-147-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/3284-138-0x0000000000000000-mapping.dmp

Download
memory/3284-142-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4048-157-0x0000000000000000-mapping.dmp

Download
memory/4048-163-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4048-161-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4048-160-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4048-159-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4048-158-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4816-151-0x0000000000000000-mapping.dmp

Download
memory/4816-156-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4816-154-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4816-153-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4816-152-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4944-134-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4944-137-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4944-133-0x0000000000000000-mapping.dmp

Download
memory/4944-141-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads