hawkeye | 87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586

General

Target

87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe
Size

228KB
MD5

329f6bbcb2a52df13d255d25dc1bce10
SHA1

455e863b1af3e738abdc6c1d5a2743071a75b584
SHA256

87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586
SHA512

2dd4ab27b676bf157988795e50c066d1d24628ebe477471e9ac3849619f85088b9afd29c078953222d26a28c06303f971ed6877a39a2911e4f616fcb98914e8d
SSDEEP

6144:WpIWTqzmgoJlS5Oz4BS9sqLFuV8G0BjH8K:Wh4mgoJlS5OsGQ8d

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Executes dropped EXE 1 IoCs

pid	Process
4964	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4964	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3520	dw20.exe
Token: SeBackupPrivilege	3520	dw20.exe
Token: SeDebugPrivilege	4964	Windows Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4964	Windows Update.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 4964	2252	87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe	78
PID 2252 wrote to memory of 4964	2252	87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe	78
PID 4964 wrote to memory of 3520	4964	Windows Update.exe	82
PID 4964 wrote to memory of 3520	4964	Windows Update.exe	82

C:\Users\Admin\AppData\Local\Temp\87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe
"C:\Users\Admin\AppData\Local\Temp\87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 1856
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
102B

MD5
f309ad2dda993483bdff07a679c6e674

SHA1
9871564c9a24a31b9fca7bcb6ec1d6a6f5e60d8b

SHA256
b86f228978df92a45cefd086e4d07a96d7a571bda00d955b75f9d41e28c17b37

SHA512
47d1776638d92328c15f4d2a1cb9ec324b1890a6c96909ba6890cc3b23c91e095c5868f28f69cc83c29cfd47f1a7ce1731e0de93b4f0916324d2f4b914fcc6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
228KB

MD5
329f6bbcb2a52df13d255d25dc1bce10

SHA1
455e863b1af3e738abdc6c1d5a2743071a75b584

SHA256
87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586

SHA512
2dd4ab27b676bf157988795e50c066d1d24628ebe477471e9ac3849619f85088b9afd29c078953222d26a28c06303f971ed6877a39a2911e4f616fcb98914e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
228KB

MD5
329f6bbcb2a52df13d255d25dc1bce10

SHA1
455e863b1af3e738abdc6c1d5a2743071a75b584

SHA256
87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586

SHA512
2dd4ab27b676bf157988795e50c066d1d24628ebe477471e9ac3849619f85088b9afd29c078953222d26a28c06303f971ed6877a39a2911e4f616fcb98914e8d

Download Submit
memory/2252-132-0x00007FFFDE600000-0x00007FFFDF036000-memory.dmp

Filesize
10.2MB

Download
memory/3520-138-0x0000000000000000-mapping.dmp

Download
memory/4964-133-0x0000000000000000-mapping.dmp

Download
memory/4964-136-0x00007FFFDE600000-0x00007FFFDF036000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads