hawkeye | 87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586

General

Target

87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe
Size

228KB
MD5

329f6bbcb2a52df13d255d25dc1bce10
SHA1

455e863b1af3e738abdc6c1d5a2743071a75b584
SHA256

87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586
SHA512

2dd4ab27b676bf157988795e50c066d1d24628ebe477471e9ac3849619f85088b9afd29c078953222d26a28c06303f971ed6877a39a2911e4f616fcb98914e8d
SSDEEP

6144:WpIWTqzmgoJlS5Oz4BS9sqLFuV8G0BjH8K:Wh4mgoJlS5OsGQ8d

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 1 IoCs

Processes:

Windows Update.exe

pid process

4964 Windows Update.exe

pid	process
4964	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Windows Update.exe

pid process

4964 Windows Update.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

dw20.exeWindows Update.exe

description pid process

Token: SeBackupPrivilege 3520 dw20.exe
Token: SeBackupPrivilege 3520 dw20.exe
Token: SeDebugPrivilege 4964 Windows Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

4964 Windows Update.exe

pid	process
4964	Windows Update.exe

description	pid	process
Token: SeBackupPrivilege	3520	dw20.exe
Token: SeBackupPrivilege	3520	dw20.exe
Token: SeDebugPrivilege	4964	Windows Update.exe

pid	process
4964	Windows Update.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exeWindows Update.exe

description	pid	process	target process
PID 2252 wrote to memory of 4964	2252	87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe	Windows Update.exe
PID 2252 wrote to memory of 4964	2252	87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe	Windows Update.exe
PID 4964 wrote to memory of 3520	4964	Windows Update.exe	dw20.exe
PID 4964 wrote to memory of 3520	4964	Windows Update.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe
"C:\Users\Admin\AppData\Local\Temp\87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1856
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
f309ad2dda993483bdff07a679c6e674

SHA1
9871564c9a24a31b9fca7bcb6ec1d6a6f5e60d8b

SHA256
b86f228978df92a45cefd086e4d07a96d7a571bda00d955b75f9d41e28c17b37

SHA512
47d1776638d92328c15f4d2a1cb9ec324b1890a6c96909ba6890cc3b23c91e095c5868f28f69cc83c29cfd47f1a7ce1731e0de93b4f0916324d2f4b914fcc6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
228KB

MD5
329f6bbcb2a52df13d255d25dc1bce10

SHA1
455e863b1af3e738abdc6c1d5a2743071a75b584

SHA256
87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586

SHA512
2dd4ab27b676bf157988795e50c066d1d24628ebe477471e9ac3849619f85088b9afd29c078953222d26a28c06303f971ed6877a39a2911e4f616fcb98914e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
228KB

MD5
329f6bbcb2a52df13d255d25dc1bce10

SHA1
455e863b1af3e738abdc6c1d5a2743071a75b584

SHA256
87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586

SHA512
2dd4ab27b676bf157988795e50c066d1d24628ebe477471e9ac3849619f85088b9afd29c078953222d26a28c06303f971ed6877a39a2911e4f616fcb98914e8d

Download Submit
memory/2252-132-0x00007FFFDE600000-0x00007FFFDF036000-memory.dmp

Filesize
10.2MB

Download
memory/3520-138-0x0000000000000000-mapping.dmp

Download
memory/4964-133-0x0000000000000000-mapping.dmp

Download
memory/4964-136-0x00007FFFDE600000-0x00007FFFDF036000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads