hawkeye | eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05

General

Target

eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
Size

1021KB
MD5

6c12cc7ca5d34515853fbdcab38c4952
SHA1

42ee498ba3224c39bd5201b674ead9551c50b866
SHA256

eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05
SHA512

f71b1241c92c571e1d1b92e83ba5b16706c1110125caec95ea06e8a925f1ef6bee5b89653224b94b5376c638a66db3117525829abcf242eee778c345feb16d98
SSDEEP

24576:FzCFGMRixipxAm30YLv/NaEqIahdOQkwH1pUPX:WGMYxWaG0Yr/MndZfU

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.com
Port:
587
Username:
tina-sockichina@mail.com
Password:
collins123

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3968-135-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3968-135-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3968-135-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

BrokerInfrastructure.exeAudioEndpointBuilder.exe

pid process

4636 BrokerInfrastructure.exe
3884 AudioEndpointBuilder.exe

pid	process
4636	BrokerInfrastructure.exe
3884	AudioEndpointBuilder.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exeBrokerInfrastructure.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	BrokerInfrastructure.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

85 whatismyipaddress.com
87 whatismyipaddress.com

flow	ioc
85	whatismyipaddress.com
87	whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

description	pid	process	target process
PID 2820 set thread context of 3968	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exeBrokerInfrastructure.exe

pid	process
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
4636	BrokerInfrastructure.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exeBrokerInfrastructure.exeeb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

description	pid	process
Token: SeDebugPrivilege	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
Token: SeDebugPrivilege	4636	BrokerInfrastructure.exe
Token: SeDebugPrivilege	3968	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

pid process

3968 eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

pid	process
3968	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exeBrokerInfrastructure.exe

description	pid	process	target process
PID 2820 wrote to memory of 3968	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
PID 2820 wrote to memory of 3968	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
PID 2820 wrote to memory of 3968	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
PID 2820 wrote to memory of 3968	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
PID 2820 wrote to memory of 3968	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
PID 2820 wrote to memory of 3968	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
PID 2820 wrote to memory of 3968	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
PID 2820 wrote to memory of 3968	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
PID 2820 wrote to memory of 4636	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	BrokerInfrastructure.exe
PID 2820 wrote to memory of 4636	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	BrokerInfrastructure.exe
PID 2820 wrote to memory of 4636	2820	eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe	BrokerInfrastructure.exe
PID 4636 wrote to memory of 3884	4636	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 4636 wrote to memory of 3884	4636	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 4636 wrote to memory of 3884	4636	BrokerInfrastructure.exe	AudioEndpointBuilder.exe

C:\Users\Admin\AppData\Local\Temp\eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
"C:\Users\Admin\AppData\Local\Temp\eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
"C:\Users\Admin\AppData\Local\Temp\eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
3⤵
- Executes dropped EXE
PID:3884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1021KB

MD5
6c12cc7ca5d34515853fbdcab38c4952

SHA1
42ee498ba3224c39bd5201b674ead9551c50b866

SHA256
eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05

SHA512
f71b1241c92c571e1d1b92e83ba5b16706c1110125caec95ea06e8a925f1ef6bee5b89653224b94b5376c638a66db3117525829abcf242eee778c345feb16d98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1021KB

MD5
6c12cc7ca5d34515853fbdcab38c4952

SHA1
42ee498ba3224c39bd5201b674ead9551c50b866

SHA256
eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05

SHA512
f71b1241c92c571e1d1b92e83ba5b16706c1110125caec95ea06e8a925f1ef6bee5b89653224b94b5376c638a66db3117525829abcf242eee778c345feb16d98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
59882082f35cfab34acb407b7e95241c

SHA1
caa21d2c0d24e317b48cc6d998e70e863f5a509d

SHA256
c92ab4aa356c559b7701747f53b4a09bc0643d96e2a269493eab7b101e31950d

SHA512
727f4e41b3c742720e4efc3d734a1fe4fc2d11711cb2874151a4087727db00e437997fec8a54bf46d8e6a5af4e6ea9b12e29f763f8ae30e8d209a4bd64a4cb98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
59882082f35cfab34acb407b7e95241c

SHA1
caa21d2c0d24e317b48cc6d998e70e863f5a509d

SHA256
c92ab4aa356c559b7701747f53b4a09bc0643d96e2a269493eab7b101e31950d

SHA512
727f4e41b3c742720e4efc3d734a1fe4fc2d11711cb2874151a4087727db00e437997fec8a54bf46d8e6a5af4e6ea9b12e29f763f8ae30e8d209a4bd64a4cb98

Download Submit
memory/2820-133-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/2820-132-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-146-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-144-0x0000000000000000-mapping.dmp

Download
memory/3884-147-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3968-135-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3968-141-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3968-139-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3968-134-0x0000000000000000-mapping.dmp

Download
memory/4636-136-0x0000000000000000-mapping.dmp

Download
memory/4636-142-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4636-140-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads