hawkeye | 957da2adfac3c95032ae0b8bbba7beb7288ae7a801e5370fe816dd62b3534960

General

Target

957da2adfac3c95032ae0b8bbba7beb7288ae7a801e5370fe816dd62b3534960.exe
Size

1.9MB
MD5

ec6e22899512d507a32cadda8e8af406
SHA1

2957180a107a7ab59491bad0d840cfc9ba9d7aaf
SHA256

957da2adfac3c95032ae0b8bbba7beb7288ae7a801e5370fe816dd62b3534960
SHA512

a398bdad1a4a4d0b46d62b34d24a78f6520a5967b9d3f8324b1c2329d234e9ad383f402051e42e813247e4ea7bdc3477dfb49c09c491448a280cc88877878c9a
SSDEEP

49152:AkSXhixEgCOWoNGglFS5h2HKFoqv9kq23p+zY15kFm53Sy9:vSRii5HoGSSaHMoOY15kFm5Z

Score

10^/10

hawkeye evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 1 IoCs

Processes:

ydhd.exe

pid process

364 ydhd.exe

pid	process
364	ydhd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

957da2adfac3c95032ae0b8bbba7beb7288ae7a801e5370fe816dd62b3534960.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	957da2adfac3c95032ae0b8bbba7beb7288ae7a801e5370fe816dd62b3534960.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ydhd.exeRegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	ydhd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\92hu89v = "C:\\Users\\Admin\\92hu89v\\brpb.vbs"	ydhd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	RegSvcs.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

ydhd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ydhd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

71 whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

ydhd.exe

description pid process target process

PID 364 set thread context of 3300 364 ydhd.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ydhd.exe

pid process

364 ydhd.exe
364 ydhd.exe
364 ydhd.exe
364 ydhd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ydhd.exe

description pid process

Token: SeDebugPrivilege 364 ydhd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ydhd.exe

flow	ioc
71	whatismyipaddress.com

description	pid	process	target process
PID 364 set thread context of 3300	364	ydhd.exe	RegSvcs.exe

pid	process
364	ydhd.exe
364	ydhd.exe
364	ydhd.exe
364	ydhd.exe

description	pid	process
Token: SeDebugPrivilege	364	ydhd.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

957da2adfac3c95032ae0b8bbba7beb7288ae7a801e5370fe816dd62b3534960.exeydhd.exe

description	pid	process	target process
PID 5064 wrote to memory of 364	5064	957da2adfac3c95032ae0b8bbba7beb7288ae7a801e5370fe816dd62b3534960.exe	ydhd.exe
PID 5064 wrote to memory of 364	5064	957da2adfac3c95032ae0b8bbba7beb7288ae7a801e5370fe816dd62b3534960.exe	ydhd.exe
PID 5064 wrote to memory of 364	5064	957da2adfac3c95032ae0b8bbba7beb7288ae7a801e5370fe816dd62b3534960.exe	ydhd.exe
PID 364 wrote to memory of 3300	364	ydhd.exe	RegSvcs.exe
PID 364 wrote to memory of 3300	364	ydhd.exe	RegSvcs.exe
PID 364 wrote to memory of 3300	364	ydhd.exe	RegSvcs.exe
PID 364 wrote to memory of 3300	364	ydhd.exe	RegSvcs.exe
PID 364 wrote to memory of 3300	364	ydhd.exe	RegSvcs.exe
PID 364 wrote to memory of 3300	364	ydhd.exe	RegSvcs.exe
PID 364 wrote to memory of 3300	364	ydhd.exe	RegSvcs.exe
PID 364 wrote to memory of 3300	364	ydhd.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\957da2adfac3c95032ae0b8bbba7beb7288ae7a801e5370fe816dd62b3534960.exe
"C:\Users\Admin\AppData\Local\Temp\957da2adfac3c95032ae0b8bbba7beb7288ae7a801e5370fe816dd62b3534960.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\92hu89v\ydhd.exe
"C:\Users\Admin\92hu89v\ydhd.exe" zwlru
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Adds Run key to start application
PID:3300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\92hu89v\rgymdno.LPP
Filesize
56B

MD5
514139d5e04621e568f933f79857044c

SHA1
b5551316ed86997ffdd57e2b7346fa434af7f3b9

SHA256
38348782d3eea10c23ccb8245af3dfdc80f3f7ad7c1a5e7646dcb1ebb164b633

SHA512
7e4aeaa3884307cf6727347649dccd239658feb1e7849263e076eeba36a0f247f585804862cee6c8e26106f8ad85ca41219ca47f78de8651fc656686ac21add7

Download Submit
C:\Users\Admin\92hu89v\ydhd.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\92hu89v\ydhd.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\92hu89v\yrsmudyp.UUN
Filesize
1.1MB

MD5
96482445028885c9e4e2c73a2b475323

SHA1
ffd9db6cb8111d2e0b8169a44cd4b2e997a9716d

SHA256
06d99edca0fd1553a2ee123d067666fee1167a135e5fa3df0f60c627cda898be

SHA512
15ca6d975095a7464b34b4c79ca242c5c7380da7e15a2f658509b9ea75f901d4dec51f65889ea2615535a62aaa47d2ecb8e4322999035de7078def4e06a4fefc

Download Submit
C:\Users\Admin\92hu89v\zwlru
Filesize
306.2MB

MD5
4b3153d063d02079986478670f2d2423

SHA1
b33167bcb41c3db0a0fc849d970e4be53fc85a21

SHA256
f2c6f1cfcab0da9655494dff0e96c5441b51c4658d928c92e2e5c85a2d1b8bc0

SHA512
5d9c3ea3538266f7e5dfd9d7f732039775b9c707d991668edacbf1c05145031aaca1a2e9642a61b5a1b09e35d8f877ed0467544cc7e975d3ee100b1a9a9c5059

Download Submit
memory/364-132-0x0000000000000000-mapping.dmp

Download
memory/3300-138-0x0000000000000000-mapping.dmp

Download
memory/3300-139-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3300-140-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/3300-141-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads