hawkeye | 91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exe
Size

119KB
MD5

6a28e5d59704120b1fed4a972d7ad56e
SHA1

e3dba778f11929b8616e45f2028b59052931e4cd
SHA256

91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15
SHA512

28d5a459224f22415ff161bd639327a5af040ac023ef0d8d0d73789f1d793dc1b1f436f5be149882a04364d7556a0c3ed17a7bc7e92b38464e6d8ed6f6bb3c85
SSDEEP

1536:pgZut8Y0mh2VAaasBMfjrzpGUqVKpkhzRMecpqx+cnzkZ/qGjtc6B73Gdp+tIVRl:pQut/dzzpfqukhzvHkZ/qovBjG6gRl

Score

10^/10

hawkeye xtremerat keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

Detect XtremeRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3896-141-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/3896-143-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/3896-144-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audioadg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe"	audioadg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	audioadg.exe

Executes dropped EXE 5 IoCs

Processes:

explorer.exeexplorer.exeaudioadg.exeWmiprwsd.exeWmiprwsd.exe

pid process

3712 explorer.exe
3896 explorer.exe
204 audioadg.exe
4468 Wmiprwsd.exe
4776 Wmiprwsd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audioadg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audioadg.exe"	audioadg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exeWmiprwsd.exe

description	pid	process	target process
PID 3712 set thread context of 3896	3712	explorer.exe	explorer.exe
PID 4468 set thread context of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeaudioadg.exeWmiprwsd.exe

pid	process
3712	explorer.exe
204	audioadg.exe
4468	Wmiprwsd.exe
3712	explorer.exe
4468	Wmiprwsd.exe
3712	explorer.exe
4468	Wmiprwsd.exe
3712	explorer.exe
4468	Wmiprwsd.exe
3712	explorer.exe
4468	Wmiprwsd.exe
3712	explorer.exe
4468	Wmiprwsd.exe
3712	explorer.exe
4468	Wmiprwsd.exe
3712	explorer.exe
4468	Wmiprwsd.exe
3712	explorer.exe
4468	Wmiprwsd.exe
3712	explorer.exe
4468	Wmiprwsd.exe
3712	explorer.exe
4468	Wmiprwsd.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe
204	audioadg.exe
3712	explorer.exe
4468	Wmiprwsd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exeexplorer.exeaudioadg.exeWmiprwsd.exe

description	pid	process
Token: SeDebugPrivilege	2224	91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exe
Token: SeDebugPrivilege	3712	explorer.exe
Token: SeDebugPrivilege	204	audioadg.exe
Token: SeDebugPrivilege	4468	Wmiprwsd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

3896 explorer.exe

pid	process
3896	explorer.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exeexplorer.exeaudioadg.exeWmiprwsd.exe

description	pid	process	target process
PID 2224 wrote to memory of 3712	2224	91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exe	explorer.exe
PID 2224 wrote to memory of 3712	2224	91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exe	explorer.exe
PID 2224 wrote to memory of 3712	2224	91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 3896	3712	explorer.exe	explorer.exe
PID 3712 wrote to memory of 204	3712	explorer.exe	audioadg.exe
PID 3712 wrote to memory of 204	3712	explorer.exe	audioadg.exe
PID 3712 wrote to memory of 204	3712	explorer.exe	audioadg.exe
PID 204 wrote to memory of 4468	204	audioadg.exe	Wmiprwsd.exe
PID 204 wrote to memory of 4468	204	audioadg.exe	Wmiprwsd.exe
PID 204 wrote to memory of 4468	204	audioadg.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe
PID 4468 wrote to memory of 4776	4468	Wmiprwsd.exe	Wmiprwsd.exe

C:\Users\Admin\AppData\Local\Temp\91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exe
"C:\Users\Admin\AppData\Local\Temp\91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
"C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:204

C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
5⤵
- Executes dropped EXE
PID:4776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
8904b1262dd68fb84b689fc763abdd2a

SHA1
ccfda0d01fc656fbe3e356d7c24c1c25422ff9aa

SHA256
1c5a7073fb1eb3988a6ef165e2fa49df1d0096e251987abcd9d32d1aa65db821

SHA512
5552c83c38d045952d2b690b06e9d6abea48f8e8b451e3f9eac9737d8c1f3bca75c4449e1766c77ff12f1cc56adf04cf86fc168716ef747f8f65e5940f8066a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
Filesize
119KB

MD5
6a28e5d59704120b1fed4a972d7ad56e

SHA1
e3dba778f11929b8616e45f2028b59052931e4cd

SHA256
91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15

SHA512
28d5a459224f22415ff161bd639327a5af040ac023ef0d8d0d73789f1d793dc1b1f436f5be149882a04364d7556a0c3ed17a7bc7e92b38464e6d8ed6f6bb3c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
Filesize
119KB

MD5
6a28e5d59704120b1fed4a972d7ad56e

SHA1
e3dba778f11929b8616e45f2028b59052931e4cd

SHA256
91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15

SHA512
28d5a459224f22415ff161bd639327a5af040ac023ef0d8d0d73789f1d793dc1b1f436f5be149882a04364d7556a0c3ed17a7bc7e92b38464e6d8ed6f6bb3c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\Wmiprwsd.exe
Filesize
119KB

MD5
6a28e5d59704120b1fed4a972d7ad56e

SHA1
e3dba778f11929b8616e45f2028b59052931e4cd

SHA256
91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15

SHA512
28d5a459224f22415ff161bd639327a5af040ac023ef0d8d0d73789f1d793dc1b1f436f5be149882a04364d7556a0c3ed17a7bc7e92b38464e6d8ed6f6bb3c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
Filesize
11KB

MD5
1f9234338e847b29201862570c2a2a93

SHA1
8ed760481ce31b5d46ea85c9a44e8a3087dd2026

SHA256
5ce7899fc7539800b70a5e90254cf5b087f955f33bf30da909611e1ff9b009b7

SHA512
54ba3dff6d448a6f8298f3f58b0ef085a15a9e829ae54cd85c8643168314f9ccdb206a7ca0ceb82951b3d04d6b7134662c3c382304942d3caeee15267520ef65

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audioadg.exe
Filesize
11KB

MD5
1f9234338e847b29201862570c2a2a93

SHA1
8ed760481ce31b5d46ea85c9a44e8a3087dd2026

SHA256
5ce7899fc7539800b70a5e90254cf5b087f955f33bf30da909611e1ff9b009b7

SHA512
54ba3dff6d448a6f8298f3f58b0ef085a15a9e829ae54cd85c8643168314f9ccdb206a7ca0ceb82951b3d04d6b7134662c3c382304942d3caeee15267520ef65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
119KB

MD5
6a28e5d59704120b1fed4a972d7ad56e

SHA1
e3dba778f11929b8616e45f2028b59052931e4cd

SHA256
91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15

SHA512
28d5a459224f22415ff161bd639327a5af040ac023ef0d8d0d73789f1d793dc1b1f436f5be149882a04364d7556a0c3ed17a7bc7e92b38464e6d8ed6f6bb3c85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
119KB

MD5
6a28e5d59704120b1fed4a972d7ad56e

SHA1
e3dba778f11929b8616e45f2028b59052931e4cd

SHA256
91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15

SHA512
28d5a459224f22415ff161bd639327a5af040ac023ef0d8d0d73789f1d793dc1b1f436f5be149882a04364d7556a0c3ed17a7bc7e92b38464e6d8ed6f6bb3c85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
119KB

MD5
6a28e5d59704120b1fed4a972d7ad56e

SHA1
e3dba778f11929b8616e45f2028b59052931e4cd

SHA256
91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15

SHA512
28d5a459224f22415ff161bd639327a5af040ac023ef0d8d0d73789f1d793dc1b1f436f5be149882a04364d7556a0c3ed17a7bc7e92b38464e6d8ed6f6bb3c85

Download Submit
memory/204-158-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/204-155-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/204-146-0x0000000000000000-mapping.dmp

Download
memory/2224-132-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/2224-138-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3712-157-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3712-145-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3712-133-0x0000000000000000-mapping.dmp

Download
memory/3896-144-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/3896-140-0x0000000000000000-mapping.dmp

Download
memory/3896-143-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/3896-141-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4468-148-0x0000000000000000-mapping.dmp

Download
memory/4468-156-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4468-159-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4776-150-0x0000000000000000-mapping.dmp

Download