hawkeye | e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e

General

Target

e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe
Size

170KB
MD5

0095463dcec80139f260441f55342f6e
SHA1

c26f18944a0764a399d376b636c7748e0f9505ea
SHA256

e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e
SHA512

0fbd6ad24d77982cffd5ea34ae587197303d869388f62b188872da2c101e6206f52d567076e32f92833aac18eff6ac911df9e512d802a08195e544c5544bbe47
SSDEEP

3072:7DYClxW48oQyMmEwr+tDDdvT3osib+yg7RXdNW5uWw+ISzuaG5UE6Cs6igErg4bf:7D9/81yRrrQXdvbfib+V7l2njGprs6sh

Score

10^/10

hawkeye xtremerat keylogger persistence rat spyware stealer trojan upx

Malware Config

Signatures

Detect XtremeRAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1604-143-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/1604-144-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/5076-145-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/5076-146-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/3500-151-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/3500-161-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/3500-166-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Executes dropped EXE 3 IoCs

Processes:

explorer.exemvscavAP.exeSiaPort.exe

pid process

3340 explorer.exe
1668 mvscavAP.exe
2380 SiaPort.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe"	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1604-140-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/1604-142-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/1604-143-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/1604-144-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/5076-146-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/3500-161-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/3500-166-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exeexplorer.exemvscavAP.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mvscavAP.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mvscavAP.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe"	mvscavAP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exeSiaPort.exe

description	pid	process	target process
PID 3340 set thread context of 1604	3340	explorer.exe	AppLaunch.exe
PID 2380 set thread context of 4224	2380	SiaPort.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exemvscavAP.exeSiaPort.exe

pid	process
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe
1668	mvscavAP.exe
2380	SiaPort.exe
3340	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exeexplorer.exemvscavAP.exeSiaPort.exe

description	pid	process
Token: SeDebugPrivilege	4928	e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe
Token: SeDebugPrivilege	3340	explorer.exe
Token: SeDebugPrivilege	1668	mvscavAP.exe
Token: SeDebugPrivilege	2380	SiaPort.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

3500 svchost.exe

pid	process
3500	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exeexplorer.exeAppLaunch.exemvscavAP.exeSiaPort.exe

description	pid	process	target process
PID 4928 wrote to memory of 3340	4928	e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe	explorer.exe
PID 4928 wrote to memory of 3340	4928	e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe	explorer.exe
PID 4928 wrote to memory of 3340	4928	e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe	explorer.exe
PID 3340 wrote to memory of 1604	3340	explorer.exe	AppLaunch.exe
PID 3340 wrote to memory of 1604	3340	explorer.exe	AppLaunch.exe
PID 3340 wrote to memory of 1604	3340	explorer.exe	AppLaunch.exe
PID 3340 wrote to memory of 1604	3340	explorer.exe	AppLaunch.exe
PID 3340 wrote to memory of 1604	3340	explorer.exe	AppLaunch.exe
PID 3340 wrote to memory of 1604	3340	explorer.exe	AppLaunch.exe
PID 3340 wrote to memory of 1604	3340	explorer.exe	AppLaunch.exe
PID 3340 wrote to memory of 1604	3340	explorer.exe	AppLaunch.exe
PID 1604 wrote to memory of 5076	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 5076	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 5076	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 5076	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 4400	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 4400	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 4400	1604	AppLaunch.exe	svchost.exe
PID 3340 wrote to memory of 1668	3340	explorer.exe	mvscavAP.exe
PID 3340 wrote to memory of 1668	3340	explorer.exe	mvscavAP.exe
PID 3340 wrote to memory of 1668	3340	explorer.exe	mvscavAP.exe
PID 1604 wrote to memory of 4284	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 4284	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 4284	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 3500	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 3500	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 3500	1604	AppLaunch.exe	svchost.exe
PID 1604 wrote to memory of 3500	1604	AppLaunch.exe	svchost.exe
PID 1668 wrote to memory of 2380	1668	mvscavAP.exe	SiaPort.exe
PID 1668 wrote to memory of 2380	1668	mvscavAP.exe	SiaPort.exe
PID 1668 wrote to memory of 2380	1668	mvscavAP.exe	SiaPort.exe
PID 2380 wrote to memory of 4224	2380	SiaPort.exe	AppLaunch.exe
PID 2380 wrote to memory of 4224	2380	SiaPort.exe	AppLaunch.exe
PID 2380 wrote to memory of 4224	2380	SiaPort.exe	AppLaunch.exe
PID 2380 wrote to memory of 4224	2380	SiaPort.exe	AppLaunch.exe
PID 2380 wrote to memory of 4224	2380	SiaPort.exe	AppLaunch.exe
PID 2380 wrote to memory of 4224	2380	SiaPort.exe	AppLaunch.exe
PID 2380 wrote to memory of 4224	2380	SiaPort.exe	AppLaunch.exe
PID 2380 wrote to memory of 4224	2380	SiaPort.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe
"C:\Users\Admin\AppData\Local\Temp\e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:5076

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:4400

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:4284

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
"C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
"C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
5⤵
PID:4224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
c9da99e1ffd31fc2dbf0764ab7cfff72

SHA1
93f84ebb0bdfe9ce96f028fde3c877513f16f3a9

SHA256
7c7f55972198db856af338942a34015f76a4d628f74be891ba05c4a1631f649f

SHA512
831d19099248958e7078854c111d49e739c5d5ae40aff2d785e13a33807c0fa9695202d8424299ceed017792e465f8cd0aa579689fbf4e38194c844205ae5ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
Filesize
170KB

MD5
0095463dcec80139f260441f55342f6e

SHA1
c26f18944a0764a399d376b636c7748e0f9505ea

SHA256
e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e

SHA512
0fbd6ad24d77982cffd5ea34ae587197303d869388f62b188872da2c101e6206f52d567076e32f92833aac18eff6ac911df9e512d802a08195e544c5544bbe47

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
Filesize
170KB

MD5
0095463dcec80139f260441f55342f6e

SHA1
c26f18944a0764a399d376b636c7748e0f9505ea

SHA256
e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e

SHA512
0fbd6ad24d77982cffd5ea34ae587197303d869388f62b188872da2c101e6206f52d567076e32f92833aac18eff6ac911df9e512d802a08195e544c5544bbe47

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
Filesize
38KB

MD5
53e6c622c66f33d787b8be3fb9fcf606

SHA1
3422385a97ed913cd91d14caaffbe61933d31907

SHA256
861100189fbe2faa23a28bb8dd1b755aec30ce57641a60ea0f4ef6b9bd11ecb5

SHA512
72c57805a045f86b2f5541e4fae41e7bdfe2c030c1a0b33eba31db7b93818c7695c3eb817d31b770885b84e53011055db4e32fef9c29e822a682b04b143a4d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
Filesize
38KB

MD5
53e6c622c66f33d787b8be3fb9fcf606

SHA1
3422385a97ed913cd91d14caaffbe61933d31907

SHA256
861100189fbe2faa23a28bb8dd1b755aec30ce57641a60ea0f4ef6b9bd11ecb5

SHA512
72c57805a045f86b2f5541e4fae41e7bdfe2c030c1a0b33eba31db7b93818c7695c3eb817d31b770885b84e53011055db4e32fef9c29e822a682b04b143a4d09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\P3dGcZj.cfg
Filesize
1KB

MD5
bff0cf7ee4da7954bf2032dbf2dd0879

SHA1
e5d5513fb6fd8a86927b6c34854b992672a1947f

SHA256
26a87b785a61e8d3cd1d594bc51a55632c0073ccfe9131d046c4c715d1f58ce5

SHA512
881c378ad2bd4b417d730940ba437d997f00dfcc93e582fac13ae79f6fc859fbca898f21a6611c5bf3ce8e067877669771734d2cf62486045482ed8c4076b46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
170KB

MD5
0095463dcec80139f260441f55342f6e

SHA1
c26f18944a0764a399d376b636c7748e0f9505ea

SHA256
e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e

SHA512
0fbd6ad24d77982cffd5ea34ae587197303d869388f62b188872da2c101e6206f52d567076e32f92833aac18eff6ac911df9e512d802a08195e544c5544bbe47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
170KB

MD5
0095463dcec80139f260441f55342f6e

SHA1
c26f18944a0764a399d376b636c7748e0f9505ea

SHA256
e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e

SHA512
0fbd6ad24d77982cffd5ea34ae587197303d869388f62b188872da2c101e6206f52d567076e32f92833aac18eff6ac911df9e512d802a08195e544c5544bbe47

Download Submit
memory/1604-138-0x0000000000000000-mapping.dmp

Download
memory/1604-142-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1604-143-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1604-144-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1604-140-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1668-165-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/1668-160-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/1668-147-0x0000000000000000-mapping.dmp

Download
memory/2380-162-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/2380-152-0x0000000000000000-mapping.dmp

Download
memory/2380-167-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/3340-139-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/3340-164-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/3340-133-0x0000000000000000-mapping.dmp

Download
memory/3500-151-0x0000000000000000-mapping.dmp

Download
memory/3500-161-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3500-166-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4224-154-0x0000000000000000-mapping.dmp

Download
memory/4928-132-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/4928-136-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/5076-146-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/5076-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads