hawkeye | 8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

General

Target

8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe
Size

462KB
MD5

5289e448e29eebbe040bc7002856a3ec
SHA1

a212881b0d22a03062a7f9551ef4f44e0daea7f7
SHA256

8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14
SHA512

02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2
SSDEEP

12288:fV5ChMDM9UyiyYwCeWJELqxlHDGRmgc5UVLM3WygVIIhGKF:GhLUv9BJDlHwmc2gVrGKF

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 3 IoCs

Processes:

explorer.exelsam.exeMapCmdRun.exe

pid process

4720 explorer.exe
2948 lsam.exe
3684 MapCmdRun.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exelsam.exe8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	lsam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsam.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lsam.exe"	lsam.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exeMapCmdRun.exe

description	pid	process	target process
PID 4720 set thread context of 3552	4720	explorer.exe	AppLaunch.exe
PID 3684 set thread context of 4992	3684	MapCmdRun.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exelsam.exeMapCmdRun.exe

pid	process
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe
2948	lsam.exe
3684	MapCmdRun.exe
4720	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exeexplorer.exelsam.exeMapCmdRun.exe

description	pid	process
Token: SeDebugPrivilege	3704	8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe
Token: SeDebugPrivilege	4720	explorer.exe
Token: SeDebugPrivilege	2948	lsam.exe
Token: SeDebugPrivilege	3684	MapCmdRun.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exeexplorer.exelsam.exeMapCmdRun.exe

description	pid	process	target process
PID 3704 wrote to memory of 4720	3704	8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe	explorer.exe
PID 3704 wrote to memory of 4720	3704	8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe	explorer.exe
PID 3704 wrote to memory of 4720	3704	8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe	explorer.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 3552	4720	explorer.exe	AppLaunch.exe
PID 4720 wrote to memory of 2948	4720	explorer.exe	lsam.exe
PID 4720 wrote to memory of 2948	4720	explorer.exe	lsam.exe
PID 4720 wrote to memory of 2948	4720	explorer.exe	lsam.exe
PID 2948 wrote to memory of 3684	2948	lsam.exe	MapCmdRun.exe
PID 2948 wrote to memory of 3684	2948	lsam.exe	MapCmdRun.exe
PID 2948 wrote to memory of 3684	2948	lsam.exe	MapCmdRun.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe
PID 3684 wrote to memory of 4992	3684	MapCmdRun.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe
"C:\Users\Admin\AppData\Local\Temp\8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
3⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\System\lsam.exe
"C:\Users\Admin\AppData\Local\Temp\System\lsam.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
"C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
5⤵
PID:4992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
c38b175c320233adc8545225f60773d3

SHA1
d325516c2e9e2ae1ede27e3fa7169c07a4b3c18c

SHA256
ce75c9239b986e4f1614eb66277fdfc15e14e3ec784651c6bf2c94f7298e4eee

SHA512
3c7914534f44ee3cb790d19ba2132d0dadfda289f3891db72af3eeb03304832f8514b42f4e2357250577ebc1c49898973da6091b23a542adc00483a9090f751e

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
Filesize
462KB

MD5
5289e448e29eebbe040bc7002856a3ec

SHA1
a212881b0d22a03062a7f9551ef4f44e0daea7f7

SHA256
8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

SHA512
02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\MapCmdRun.exe
Filesize
462KB

MD5
5289e448e29eebbe040bc7002856a3ec

SHA1
a212881b0d22a03062a7f9551ef4f44e0daea7f7

SHA256
8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

SHA512
02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\lsam.exe
Filesize
25KB

MD5
aa71e5cc35970bfb70ac7025f35313d0

SHA1
67683bd42e7565683cc4d04f80987bf0422e05c6

SHA256
aa5bbcac32099d2c979dfdd9b7e303dd1f3e5a1a08b1ae798f0a60951c64c398

SHA512
68ee70174978c51a024e7ea7edf8c83afbd3b2ad57bb897f40c7c8924d013dabc36d4125c3244b951bb5b7009cb26b74505d821d3a5067d1bd728203c9c96e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\lsam.exe
Filesize
25KB

MD5
aa71e5cc35970bfb70ac7025f35313d0

SHA1
67683bd42e7565683cc4d04f80987bf0422e05c6

SHA256
aa5bbcac32099d2c979dfdd9b7e303dd1f3e5a1a08b1ae798f0a60951c64c398

SHA512
68ee70174978c51a024e7ea7edf8c83afbd3b2ad57bb897f40c7c8924d013dabc36d4125c3244b951bb5b7009cb26b74505d821d3a5067d1bd728203c9c96e26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
462KB

MD5
5289e448e29eebbe040bc7002856a3ec

SHA1
a212881b0d22a03062a7f9551ef4f44e0daea7f7

SHA256
8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

SHA512
02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
462KB

MD5
5289e448e29eebbe040bc7002856a3ec

SHA1
a212881b0d22a03062a7f9551ef4f44e0daea7f7

SHA256
8e89fff7e939ec32597c28b501636986b5ee5c55e6536a138bcc71784c79fd14

SHA512
02328e9ffaf1cf0e447120bcbb5b6308de364af4449ea0b89002fe248b456b861e32e56a7475b0ced12202d9065a7d2dffdeb7aa6ed0497191e898219ed96cd2

Download Submit
memory/2948-143-0x0000000000000000-mapping.dmp

Download
memory/2948-153-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/2948-156-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3552-139-0x0000000000000000-mapping.dmp

Download
memory/3552-140-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3552-141-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3552-142-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3684-147-0x0000000000000000-mapping.dmp

Download
memory/3684-154-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3684-157-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3704-132-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3704-136-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4720-137-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4720-155-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4720-133-0x0000000000000000-mapping.dmp

Download
memory/4992-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads