hawkeye | 8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe
Size

462KB
MD5

5289e448e29eebbe040bc7002856a3ec
SHA1

a212881b0d22a03062a7f9551ef4f44e0daea7f7
SHA256

8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14
SHA512

02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2
SSDEEP

12288:fV5ChMDM9UyiyYwCeWJELqxlHDGRmgc5UVLM3WygVIIhGKF:GhLUv9BJDlHwmc2gVrGKF

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 3 IoCs

Processes:

explorer.exelsam.exeMapCmdRun.exe

pid process

1168 explorer.exe
1328 lsam.exe
1324 MapCmdRun.exe
Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

1168 explorer.exe
Loads dropped DLL 4 IoCs

Processes:

8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exeexplorer.exelsam.exe

pid process

1376 8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe
1168 explorer.exe
1168 explorer.exe
1328 lsam.exe

pid	process
1376	8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe
1168	explorer.exe
1168	explorer.exe
1328	lsam.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsam.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lsam.exe"	lsam.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exeMapCmdRun.exe

description	pid	process	target process
PID 1168 set thread context of 660	1168	explorer.exe	AppLaunch.exe
PID 1324 set thread context of 1660	1324	MapCmdRun.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exelsam.exeMapCmdRun.exe

pid	process
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe
1328	lsam.exe
1324	MapCmdRun.exe
1168	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exeexplorer.exelsam.exeMapCmdRun.exe

description	pid	process
Token: SeDebugPrivilege	1376	8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe
Token: SeDebugPrivilege	1168	explorer.exe
Token: SeDebugPrivilege	1328	lsam.exe
Token: SeDebugPrivilege	1324	MapCmdRun.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exeexplorer.exelsam.exeMapCmdRun.exe

description	pid	process	target process
PID 1376 wrote to memory of 1168	1376	8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe	explorer.exe
PID 1376 wrote to memory of 1168	1376	8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe	explorer.exe
PID 1376 wrote to memory of 1168	1376	8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe	explorer.exe
PID 1376 wrote to memory of 1168	1376	8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe	explorer.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 660	1168	explorer.exe	AppLaunch.exe
PID 1168 wrote to memory of 1328	1168	explorer.exe	lsam.exe
PID 1168 wrote to memory of 1328	1168	explorer.exe	lsam.exe
PID 1168 wrote to memory of 1328	1168	explorer.exe	lsam.exe
PID 1168 wrote to memory of 1328	1168	explorer.exe	lsam.exe
PID 1328 wrote to memory of 1324	1328	lsam.exe	MapCmdRun.exe
PID 1328 wrote to memory of 1324	1328	lsam.exe	MapCmdRun.exe
PID 1328 wrote to memory of 1324	1328	lsam.exe	MapCmdRun.exe
PID 1328 wrote to memory of 1324	1328	lsam.exe	MapCmdRun.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe
PID 1324 wrote to memory of 1660	1324	MapCmdRun.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe
"C:\Users\Admin\AppData\Local\Temp\8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
3⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\System\lsam.exe
"C:\Users\Admin\AppData\Local\Temp\System\lsam.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
"C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
5⤵
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
c38b175c320233adc8545225f60773d3

SHA1
d325516c2e9e2ae1ede27e3fa7169c07a4b3c18c

SHA256
ce75c9239b986e4f1614eb66277fdfc15e14e3ec784651c6bf2c94f7298e4eee

SHA512
3c7914534f44ee3cb790d19ba2132d0dadfda289f3891db72af3eeb03304832f8514b42f4e2357250577ebc1c49898973da6091b23a542adc00483a9090f751e

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
Filesize
462KB

MD5
5289e448e29eebbe040bc7002856a3ec

SHA1
a212881b0d22a03062a7f9551ef4f44e0daea7f7

SHA256
8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

SHA512
02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
Filesize
462KB

MD5
5289e448e29eebbe040bc7002856a3ec

SHA1
a212881b0d22a03062a7f9551ef4f44e0daea7f7

SHA256
8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

SHA512
02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\lsam.exe
Filesize
25KB

MD5
aa71e5cc35970bfb70ac7025f35313d0

SHA1
67683bd42e7565683cc4d04f80987bf0422e05c6

SHA256
aa5bbcac32099d2c979dfdd9b7e303dd1f3e5a1a08b1ae798f0a60951c64c398

SHA512
68ee70174978c51a024e7ea7edf8c83afbd3b2ad57bb897f40c7c8924d013dabc36d4125c3244b951bb5b7009cb26b74505d821d3a5067d1bd728203c9c96e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\lsam.exe
Filesize
25KB

MD5
aa71e5cc35970bfb70ac7025f35313d0

SHA1
67683bd42e7565683cc4d04f80987bf0422e05c6

SHA256
aa5bbcac32099d2c979dfdd9b7e303dd1f3e5a1a08b1ae798f0a60951c64c398

SHA512
68ee70174978c51a024e7ea7edf8c83afbd3b2ad57bb897f40c7c8924d013dabc36d4125c3244b951bb5b7009cb26b74505d821d3a5067d1bd728203c9c96e26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
462KB

MD5
5289e448e29eebbe040bc7002856a3ec

SHA1
a212881b0d22a03062a7f9551ef4f44e0daea7f7

SHA256
8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

SHA512
02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
462KB

MD5
5289e448e29eebbe040bc7002856a3ec

SHA1
a212881b0d22a03062a7f9551ef4f44e0daea7f7

SHA256
8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

SHA512
02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2

Download Submit
\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
Filesize
462KB

MD5
5289e448e29eebbe040bc7002856a3ec

SHA1
a212881b0d22a03062a7f9551ef4f44e0daea7f7

SHA256
8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

SHA512
02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2

Download Submit
\Users\Admin\AppData\Local\Temp\System\lsam.exe
Filesize
25KB

MD5
aa71e5cc35970bfb70ac7025f35313d0

SHA1
67683bd42e7565683cc4d04f80987bf0422e05c6

SHA256
aa5bbcac32099d2c979dfdd9b7e303dd1f3e5a1a08b1ae798f0a60951c64c398

SHA512
68ee70174978c51a024e7ea7edf8c83afbd3b2ad57bb897f40c7c8924d013dabc36d4125c3244b951bb5b7009cb26b74505d821d3a5067d1bd728203c9c96e26

Download Submit
\Users\Admin\AppData\Local\Temp\System\lsam.exe
Filesize
25KB

MD5
aa71e5cc35970bfb70ac7025f35313d0

SHA1
67683bd42e7565683cc4d04f80987bf0422e05c6

SHA256
aa5bbcac32099d2c979dfdd9b7e303dd1f3e5a1a08b1ae798f0a60951c64c398

SHA512
68ee70174978c51a024e7ea7edf8c83afbd3b2ad57bb897f40c7c8924d013dabc36d4125c3244b951bb5b7009cb26b74505d821d3a5067d1bd728203c9c96e26

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
462KB

MD5
5289e448e29eebbe040bc7002856a3ec

SHA1
a212881b0d22a03062a7f9551ef4f44e0daea7f7

SHA256
8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

SHA512
02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2

Download Submit
memory/660-64-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/660-67-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/660-71-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/660-72-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/660-73-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/660-74-0x00000000004557E8-mapping.dmp

Download
memory/660-77-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/660-75-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/660-81-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/660-79-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/660-82-0x0000000000401000-0x0000000000456000-memory.dmp

Filesize
340KB

Download
memory/660-69-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/660-65-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1168-62-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-57-0x0000000000000000-mapping.dmp

Download
memory/1168-114-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-113-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-116-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-91-0x0000000000000000-mapping.dmp

Download
memory/1328-85-0x0000000000000000-mapping.dmp

Download
memory/1328-115-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-112-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1376-55-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-61-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-104-0x00000000004557E8-mapping.dmp

Download