hawkeye | 1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

Analysis

max time kernel
151s
max time network
190s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
Size

818KB
MD5

370d9823164b3e2d07447851db75c80d
SHA1

30a9b34ae7600c776326a413823983c6d28d3e27
SHA256

1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc
SHA512

278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db
SSDEEP

12288:PARn9Ur93VDNqvaHg8IeRfTcdhP2FQHw5Nh4/AioaioBiVO7zW:W9i93DxCeRAdhPup/43JzW

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/604-66-0x00000000065F0000-0x0000000006680000-memory.dmp	MailPassView
behavioral1/memory/604-69-0x0000000077450000-0x00000000775D0000-memory.dmp	MailPassView
behavioral1/memory/340-99-0x00000000002F0000-0x0000000000380000-memory.dmp	MailPassView
behavioral1/memory/340-98-0x00000000002F2000-0x000000000037A000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/604-66-0x00000000065F0000-0x0000000006680000-memory.dmp	WebBrowserPassView
behavioral1/memory/604-69-0x0000000077450000-0x00000000775D0000-memory.dmp	WebBrowserPassView
behavioral1/memory/340-99-0x00000000002F0000-0x0000000000380000-memory.dmp	WebBrowserPassView
behavioral1/memory/340-98-0x00000000002F2000-0x000000000037A000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/604-66-0x00000000065F0000-0x0000000006680000-memory.dmp	Nirsoft
behavioral1/memory/604-69-0x0000000077450000-0x00000000775D0000-memory.dmp	Nirsoft
behavioral1/memory/340-99-0x00000000002F0000-0x0000000000380000-memory.dmp	Nirsoft
behavioral1/memory/340-98-0x00000000002F2000-0x000000000037A000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

Windows Update.exeWindows Update.exe

pid process

868 Windows Update.exe
340 Windows Update.exe
Deletes itself 1 IoCs

Processes:

Windows Update.exe

pid process

340 Windows Update.exe

pid	process
868	Windows Update.exe
340	Windows Update.exe

pid	process
340	Windows Update.exe

Loads dropped DLL 8 IoCs

Processes:

1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exeWindows Update.exeWindows Update.exe

pid	process
604	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
868	Windows Update.exe
868	Windows Update.exe
868	Windows Update.exe
868	Windows Update.exe
340	Windows Update.exe
340	Windows Update.exe
340	Windows Update.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exeWindows Update.exe

description	pid	process	target process
PID 2036 set thread context of 604	2036	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
PID 868 set thread context of 340	868	Windows Update.exe	Windows Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Windows Update.exe

description pid process

Token: SeDebugPrivilege 340 Windows Update.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exeWindows Update.exeWindows Update.exe

pid process

2036 1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
868 Windows Update.exe
340 Windows Update.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exeWindows Update.exe

pid process

604 1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
340 Windows Update.exe

description	pid	process
Token: SeDebugPrivilege	340	Windows Update.exe

pid	process
2036	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
868	Windows Update.exe
340	Windows Update.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exeWindows Update.exe

description	pid	process	target process
PID 2036 wrote to memory of 604	2036	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
PID 2036 wrote to memory of 604	2036	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
PID 2036 wrote to memory of 604	2036	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
PID 2036 wrote to memory of 604	2036	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
PID 604 wrote to memory of 868	604	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	Windows Update.exe
PID 604 wrote to memory of 868	604	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	Windows Update.exe
PID 604 wrote to memory of 868	604	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	Windows Update.exe
PID 604 wrote to memory of 868	604	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	Windows Update.exe
PID 604 wrote to memory of 868	604	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	Windows Update.exe
PID 604 wrote to memory of 868	604	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	Windows Update.exe
PID 604 wrote to memory of 868	604	1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe	Windows Update.exe
PID 868 wrote to memory of 340	868	Windows Update.exe	Windows Update.exe
PID 868 wrote to memory of 340	868	Windows Update.exe	Windows Update.exe
PID 868 wrote to memory of 340	868	Windows Update.exe	Windows Update.exe
PID 868 wrote to memory of 340	868	Windows Update.exe	Windows Update.exe
PID 868 wrote to memory of 340	868	Windows Update.exe	Windows Update.exe
PID 868 wrote to memory of 340	868	Windows Update.exe	Windows Update.exe
PID 868 wrote to memory of 340	868	Windows Update.exe	Windows Update.exe

C:\Users\Admin\AppData\Local\Temp\1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
"C:\Users\Admin\AppData\Local\Temp\1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe
C:\Users\Admin\AppData\Local\Temp\1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Roaming\Windows Update.exe
C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
5f12810b8754eac1e93973ab585b59bc

SHA1
548d9230c02f01013f59005c27ced1a6148fe635

SHA256
ba4814970e9eb30acc206feb932303c7add37fb552a7b628f6d6fe11f28fa96f

SHA512
6c50c2e6399127bc7df86e5a17ff846a717fdfb523ed0fbd82667d90d9fab9c0b61ad420d595e79f02e9350cecb339afa90172b52fdf7bb193d6b8b7197a8a68

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
818KB

MD5
370d9823164b3e2d07447851db75c80d

SHA1
30a9b34ae7600c776326a413823983c6d28d3e27

SHA256
1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

SHA512
278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
818KB

MD5
370d9823164b3e2d07447851db75c80d

SHA1
30a9b34ae7600c776326a413823983c6d28d3e27

SHA256
1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

SHA512
278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
818KB

MD5
370d9823164b3e2d07447851db75c80d

SHA1
30a9b34ae7600c776326a413823983c6d28d3e27

SHA256
1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

SHA512
278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
818KB

MD5
370d9823164b3e2d07447851db75c80d

SHA1
30a9b34ae7600c776326a413823983c6d28d3e27

SHA256
1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

SHA512
278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
818KB

MD5
370d9823164b3e2d07447851db75c80d

SHA1
30a9b34ae7600c776326a413823983c6d28d3e27

SHA256
1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

SHA512
278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
818KB

MD5
370d9823164b3e2d07447851db75c80d

SHA1
30a9b34ae7600c776326a413823983c6d28d3e27

SHA256
1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

SHA512
278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
818KB

MD5
370d9823164b3e2d07447851db75c80d

SHA1
30a9b34ae7600c776326a413823983c6d28d3e27

SHA256
1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

SHA512
278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
818KB

MD5
370d9823164b3e2d07447851db75c80d

SHA1
30a9b34ae7600c776326a413823983c6d28d3e27

SHA256
1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

SHA512
278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
818KB

MD5
370d9823164b3e2d07447851db75c80d

SHA1
30a9b34ae7600c776326a413823983c6d28d3e27

SHA256
1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

SHA512
278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
818KB

MD5
370d9823164b3e2d07447851db75c80d

SHA1
30a9b34ae7600c776326a413823983c6d28d3e27

SHA256
1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

SHA512
278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
818KB

MD5
370d9823164b3e2d07447851db75c80d

SHA1
30a9b34ae7600c776326a413823983c6d28d3e27

SHA256
1aef44002f72885fbdb2c2d3b1c9b872fe9435d904d3411e90bc14291fdc2cdc

SHA512
278dcc98b3a0f7990cffc12d83bd63b0a27911356cc61f91481998afb422a0a60bf0f86bf0f89529687311862d99fc704448bea91c41ab2e4979d3c4f35007db

Download Submit
memory/340-98-0x00000000002F2000-0x000000000037A000-memory.dmp

Filesize
544KB

Download
memory/340-94-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/340-108-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/340-107-0x0000000077450000-0x00000000775D0000-memory.dmp

Filesize
1.5MB

Download
memory/340-106-0x0000000077450000-0x00000000775D0000-memory.dmp

Filesize
1.5MB

Download
memory/340-104-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/340-103-0x0000000077450000-0x00000000775D0000-memory.dmp

Filesize
1.5MB

Download
memory/340-102-0x0000000077450000-0x00000000775D0000-memory.dmp

Filesize
1.5MB

Download
memory/340-101-0x0000000008D70000-0x0000000009868000-memory.dmp

Filesize
11.0MB

Download
memory/340-85-0x00000000004AB743-mapping.dmp

Download
memory/340-99-0x00000000002F0000-0x0000000000380000-memory.dmp

Filesize
576KB

Download
memory/604-70-0x0000000077450000-0x00000000775D0000-memory.dmp

Filesize
1.5MB

Download
memory/604-76-0x0000000077450000-0x00000000775D0000-memory.dmp

Filesize
1.5MB

Download
memory/604-69-0x0000000077450000-0x00000000775D0000-memory.dmp

Filesize
1.5MB

Download
memory/604-71-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/604-58-0x00000000004AB743-mapping.dmp

Download
memory/604-63-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/604-66-0x00000000065F0000-0x0000000006680000-memory.dmp

Filesize
576KB

Download
memory/604-77-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/868-73-0x0000000000000000-mapping.dmp

Download
memory/868-88-0x0000000077450000-0x00000000775D0000-memory.dmp

Filesize
1.5MB

Download
memory/2036-56-0x00000000002C0000-0x00000000002C7000-memory.dmp

Filesize
28KB

Download
memory/2036-59-0x0000000077450000-0x00000000775D0000-memory.dmp

Filesize
1.5MB

Download
memory/2036-57-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download