hawkeye | 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de

General

Target

7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
Size

612KB
MD5

22e87999f93e9368b2272cdd49cf49d7
SHA1

68addbfad46359c58eb68dad524db6294838e02a
SHA256

7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de
SHA512

4fff863181463b78b11523eda50ef67b80ae0964996fe4660db31fafa22f5a203551dbd15836534c3c426d2351ca6038a0d1eaeb1833b03c2ca9eefaff00e3e6
SSDEEP

12288:TMF/qkQz5Vj+OMR8HnTgLJuAliyJ5/wd8ln4R0tW1cPOVk:IFvS68HnTgL4yD/wzR0uc

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe

description	pid	process	target process
PID 1184 set thread context of 636	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
PID 636 set thread context of 1528	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 set thread context of 1408	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe

pid process

636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe

pid	process
636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
Token: SeDebugPrivilege	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
Token: SeDebugPrivilege	1528	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe

pid process

636 7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe

pid	process
636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exeexplorer.exe7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe

description	pid	process	target process
PID 1184 wrote to memory of 960	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	explorer.exe
PID 1184 wrote to memory of 960	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	explorer.exe
PID 1184 wrote to memory of 960	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	explorer.exe
PID 1184 wrote to memory of 960	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	explorer.exe
PID 1184 wrote to memory of 636	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
PID 1184 wrote to memory of 636	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
PID 1184 wrote to memory of 636	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
PID 1184 wrote to memory of 636	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
PID 1184 wrote to memory of 636	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
PID 1184 wrote to memory of 636	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
PID 1184 wrote to memory of 636	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
PID 1184 wrote to memory of 636	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
PID 1184 wrote to memory of 636	1184	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
PID 1124 wrote to memory of 608	1124	explorer.exe	WScript.exe
PID 1124 wrote to memory of 608	1124	explorer.exe	WScript.exe
PID 1124 wrote to memory of 608	1124	explorer.exe	WScript.exe
PID 636 wrote to memory of 1528	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1528	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1528	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1528	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1528	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1528	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1528	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1528	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1528	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1528	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1408	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1408	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1408	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1408	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1408	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1408	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1408	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1408	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1408	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe
PID 636 wrote to memory of 1408	636	7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
"C:\Users\Admin\AppData\Local\Temp\7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\connection.vbs
2⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe
"C:\Users\Admin\AppData\Local\Temp\7765f79c31ac9fb10bc37a24b769738c61d2f562b0758c3a0a4ebe176ae0d7de.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:1408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\connection.vbs"
2⤵
- Adds Run key to start application
PID:608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
C:\Users\Admin\AppData\Roaming\connection.vbs
Filesize
601B

MD5
4ba1f714beec868e73bf021b01928e6a

SHA1
0d1b0f486fea0d3ef4faa31adb1961315d96818c

SHA256
2ab87e11c48880a3bc4f97ee5efc8c541024618bb9c4c9fbde172c8ac981d28e

SHA512
ba08178f2f0cb71f521cdff848afc60a79420b2df29f6087cbd9c4af1d979f7de2b608d2380c585bfee15ce27594c3b2b95cfa7645e1969a6f9168e880273d1a

Download Submit
memory/608-76-0x0000000000000000-mapping.dmp

Download
memory/636-66-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/636-71-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/636-61-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/636-60-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/636-63-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/636-65-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/636-67-0x000000000051BB3E-mapping.dmp

Download
memory/636-91-0x0000000002445000-0x0000000002456000-memory.dmp

Filesize
68KB

Download
memory/636-69-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/636-106-0x0000000002445000-0x0000000002456000-memory.dmp

Filesize
68KB

Download
memory/636-77-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/636-74-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/960-56-0x0000000000000000-mapping.dmp

Download
memory/960-58-0x0000000072071000-0x0000000072073000-memory.dmp

Filesize
8KB

Download
memory/1124-59-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/1184-75-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1184-55-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-95-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1408-96-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1408-108-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1408-107-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1408-105-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1408-104-0x0000000000460E2D-mapping.dmp

Download
memory/1408-103-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1408-102-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1408-100-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1408-98-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1528-83-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1528-79-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1528-94-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1528-81-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1528-92-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1528-85-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1528-90-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1528-78-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1528-86-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1528-87-0x0000000000462B6D-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads