hawkeye | 70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c

General

Target

70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe
Size

1.8MB
MD5

6c5a683b8c5437c9948af6f1f24122ad
SHA1

68e2768d5302a42f59cf05c80dbef5177fecc5fe
SHA256

70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c
SHA512

84a9b4b295be773f589c89db2b5e2d5c58fff1b941d51cfdaae02a7cc4e650bb9becca7fa7d6c3e8b9596b5b29393cf3da2106ec0601785c52bb1a9b12b3179a
SSDEEP

24576:H2O/GlzEWEOTFzd02il9LqErkrbF/E7xse1m95l1ypaIdxvHWPSKa7kBEXZN7PNQ:HXOTF+ZvWEk/h95yvd8gkBEJNz5Q

Score

10^/10

hawkeye collection evasion keylogger persistence spyware stealer trojan upx

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 1 IoCs

Processes:

ghmvnppkfwer.exe

pid process

4956 ghmvnppkfwer.exe

pid	process
4956	ghmvnppkfwer.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\27165oi8gm8ve1\ghmvnppkfwer.exe	upx
C:\Users\Admin\27165oi8gm8ve1\ghmvnppkfwer.exe	upx
behavioral2/memory/4956-136-0x0000000000140000-0x00000000001FD000-memory.dmp	upx
behavioral2/memory/4956-137-0x0000000000140000-0x00000000001FD000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ghmvnppkfwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\27165O~1 = "C:\\Users\\Admin\\27165O~1\\kuoqauiufyss.vbs"	ghmvnppkfwer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	ghmvnppkfwer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

ghmvnppkfwer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ghmvnppkfwer.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 whatismyipaddress.com
34 whatismyipaddress.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ghmvnppkfwer.exe

flow	ioc
32	whatismyipaddress.com
34	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

ghmvnppkfwer.exeRegSvcs.exe

description	pid	process	target process
PID 4956 set thread context of 3396	4956	ghmvnppkfwer.exe	RegSvcs.exe
PID 3396 set thread context of 808	3396	RegSvcs.exe	vbc.exe
PID 3396 set thread context of 2088	3396	RegSvcs.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

ghmvnppkfwer.exeRegSvcs.exe

pid process

4956 ghmvnppkfwer.exe
4956 ghmvnppkfwer.exe
4956 ghmvnppkfwer.exe
4956 ghmvnppkfwer.exe
3396 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RegSvcs.exevbc.exevbc.exe

description pid process

Token: SeDebugPrivilege 3396 RegSvcs.exe
Token: SeDebugPrivilege 808 vbc.exe
Token: SeDebugPrivilege 2088 vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

3396 RegSvcs.exe

pid	process
4956	ghmvnppkfwer.exe
4956	ghmvnppkfwer.exe
4956	ghmvnppkfwer.exe
4956	ghmvnppkfwer.exe
3396	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3396	RegSvcs.exe
Token: SeDebugPrivilege	808	vbc.exe
Token: SeDebugPrivilege	2088	vbc.exe

pid	process
3396	RegSvcs.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exeghmvnppkfwer.exeRegSvcs.exe

description	pid	process	target process
PID 1768 wrote to memory of 4956	1768	70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe	ghmvnppkfwer.exe
PID 1768 wrote to memory of 4956	1768	70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe	ghmvnppkfwer.exe
PID 1768 wrote to memory of 4956	1768	70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe	ghmvnppkfwer.exe
PID 4956 wrote to memory of 3396	4956	ghmvnppkfwer.exe	RegSvcs.exe
PID 4956 wrote to memory of 3396	4956	ghmvnppkfwer.exe	RegSvcs.exe
PID 4956 wrote to memory of 3396	4956	ghmvnppkfwer.exe	RegSvcs.exe
PID 4956 wrote to memory of 3396	4956	ghmvnppkfwer.exe	RegSvcs.exe
PID 4956 wrote to memory of 3396	4956	ghmvnppkfwer.exe	RegSvcs.exe
PID 3396 wrote to memory of 808	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 808	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 808	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 808	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 808	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 808	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 808	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 808	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 808	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 2088	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 2088	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 2088	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 2088	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 2088	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 2088	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 2088	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 2088	3396	RegSvcs.exe	vbc.exe
PID 3396 wrote to memory of 2088	3396	RegSvcs.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe
"C:\Users\Admin\AppData\Local\Temp\70b8144089439dd8d6d4fc8a904bde2408394937a5f6d27bfbd4b2626b4f9f5c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\27165oi8gm8ve1\ghmvnppkfwer.exe
"C:\Users\Admin\27165oi8gm8ve1\ghmvnppkfwer.exe" aswwah
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\27165O~1\lrvt.GUB
Filesize
1.1MB

MD5
93bb3f7a0615c8cb593b4c9b566c43c5

SHA1
e094f02afc6cebfbf0b95001732b69089f06730f

SHA256
67d431f6845b9004edf7dcb2631ef98aed85908b04a4908ab1f3e36daf9bf8ea

SHA512
78b571512653c851585206b57b6be7aae6fc6a67d084bbad2e080ad5d40c7a9d82e73618b388c7bf33bddd3a45caec5e3c1792378d6033e006c49cb538568863

Download Submit
C:\Users\Admin\27165O~1\soksdjgwow.ZWR
Filesize
91B

MD5
aaef5dc2893be0610bc316a889ebe622

SHA1
4a4eced8c28dee38f52697bf00bed5b002935f64

SHA256
1e329364bf195adafdca74919179dcb8398f493abbc5de197d409b3d7bd13ca3

SHA512
8f8584fd904fd7e46534794da50c8e9329974decca9db0110ef06dd888bf2d64315bf69a21371adfa27f5add5a0e4484d64d8177676c8740c0de654bca38be0f

Download Submit
C:\Users\Admin\27165oi8gm8ve1\aswwah
Filesize
646.7MB

MD5
313f15154c468efde1f2969005b14611

SHA1
bd530bb5fe177b66f1d03cff0bb18a98c74d4617

SHA256
875942d497aaeb36382d60ea45d8dd87ef40dd83167e44531fc9cb7cf7131eb8

SHA512
b8b5d617b9c2f0a10b41cf568dc21db302e196bc940e8318d223f70bf58c9579c35159cd85411c965e85aaad9d8f72b76b6b4cda5f4f72dfca22dfd19b806246

Download Submit
C:\Users\Admin\27165oi8gm8ve1\ghmvnppkfwer.exe
Filesize
255KB

MD5
7c00f2416ca6b769f8d65e21660e707e

SHA1
49a51bd688c2b081a8bf12168eb03f716d3bca64

SHA256
89cdd5d690fae929be74743308a7881660c53bcea8a91414658bfbafa2683eb5

SHA512
dd83d619e5d8147255dc7a234bc0c3d5b093cd4b4251bdd3a8b805371420d61803f8dbd20ebbf5b3ed6290eb22ff36109596621f6d8c66c83f1e292fb9b9946f

Download Submit
C:\Users\Admin\27165oi8gm8ve1\ghmvnppkfwer.exe
Filesize
255KB

MD5
7c00f2416ca6b769f8d65e21660e707e

SHA1
49a51bd688c2b081a8bf12168eb03f716d3bca64

SHA256
89cdd5d690fae929be74743308a7881660c53bcea8a91414658bfbafa2683eb5

SHA512
dd83d619e5d8147255dc7a234bc0c3d5b093cd4b4251bdd3a8b805371420d61803f8dbd20ebbf5b3ed6290eb22ff36109596621f6d8c66c83f1e292fb9b9946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
1KB

MD5
01e7975c708365983265ae40d604beb4

SHA1
f1c793c9b7a312d355cd944928ba9272bbeec44e

SHA256
95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40

SHA512
9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
memory/808-152-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/808-148-0x0000000000000000-mapping.dmp

Download
memory/808-154-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/808-151-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/808-150-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/808-149-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2088-155-0x0000000000000000-mapping.dmp

Download
memory/2088-156-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2088-161-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2088-159-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2088-158-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2088-157-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3396-143-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/3396-141-0x0000000000D00000-0x0000000000E22000-memory.dmp

Filesize
1.1MB

Download
memory/3396-140-0x0000000000000000-mapping.dmp

Download
memory/3396-142-0x00000000051D0000-0x000000000526C000-memory.dmp

Filesize
624KB

Download
memory/3396-146-0x0000000005540000-0x0000000005596000-memory.dmp

Filesize
344KB

Download
memory/3396-144-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/3396-145-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/3396-147-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/4956-137-0x0000000000140000-0x00000000001FD000-memory.dmp

Filesize
756KB

Download
memory/4956-132-0x0000000000000000-mapping.dmp

Download
memory/4956-136-0x0000000000140000-0x00000000001FD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads