hawkeye | f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
Size

341KB
MD5

a491c799d482368deccdf8d9c47ac62d
SHA1

29c23737756a17bb386cffe9404336f24d4a4c8c
SHA256

f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c
SHA512

f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc
SSDEEP

6144:pJXQh6uTjQ4rVmh3k4cSbgzsdrVRRetrEpsKHAK3g3UHYTvLRUQSOObAIASgrtHS:xDXXbQL31z7KFCoNrFGdOJa9f5eRS

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audiodgi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Executes dropped EXE 5 IoCs

Processes:

svchost.exesvchost.exeaudiodgi.exewmpmetwk.exewmpmetwk.exe

pid process

1436 svchost.exe
1752 svchost.exe
332 audiodgi.exe
5024 wmpmetwk.exe
3352 wmpmetwk.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exesvchost.exeaudiodgi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	audiodgi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audiodgi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

svchost.exewmpmetwk.exe

description	pid	process	target process
PID 1436 set thread context of 1752	1436	svchost.exe	svchost.exe
PID 5024 set thread context of 3352	5024	wmpmetwk.exe	wmpmetwk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4896 1752 WerFault.exe svchost.exe
4308 3352 WerFault.exe wmpmetwk.exe

pid	pid_target	process	target process
4896	1752	WerFault.exe	svchost.exe
4308	3352	WerFault.exe	wmpmetwk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeaudiodgi.exewmpmetwk.exe

pid	process
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe
332	audiodgi.exe
5024	wmpmetwk.exe
1436	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exesvchost.exeaudiodgi.exewmpmetwk.exe

description	pid	process
Token: SeDebugPrivilege	4344	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
Token: SeDebugPrivilege	1436	svchost.exe
Token: SeDebugPrivilege	332	audiodgi.exe
Token: SeDebugPrivilege	5024	wmpmetwk.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exesvchost.exeaudiodgi.exewmpmetwk.exe

description	pid	process	target process
PID 4344 wrote to memory of 1436	4344	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe	svchost.exe
PID 4344 wrote to memory of 1436	4344	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe	svchost.exe
PID 4344 wrote to memory of 1436	4344	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe	svchost.exe
PID 1436 wrote to memory of 1752	1436	svchost.exe	svchost.exe
PID 1436 wrote to memory of 1752	1436	svchost.exe	svchost.exe
PID 1436 wrote to memory of 1752	1436	svchost.exe	svchost.exe
PID 1436 wrote to memory of 1752	1436	svchost.exe	svchost.exe
PID 1436 wrote to memory of 332	1436	svchost.exe	audiodgi.exe
PID 1436 wrote to memory of 332	1436	svchost.exe	audiodgi.exe
PID 1436 wrote to memory of 332	1436	svchost.exe	audiodgi.exe
PID 332 wrote to memory of 5024	332	audiodgi.exe	wmpmetwk.exe
PID 332 wrote to memory of 5024	332	audiodgi.exe	wmpmetwk.exe
PID 332 wrote to memory of 5024	332	audiodgi.exe	wmpmetwk.exe
PID 5024 wrote to memory of 3352	5024	wmpmetwk.exe	wmpmetwk.exe
PID 5024 wrote to memory of 3352	5024	wmpmetwk.exe	wmpmetwk.exe
PID 5024 wrote to memory of 3352	5024	wmpmetwk.exe	wmpmetwk.exe
PID 5024 wrote to memory of 3352	5024	wmpmetwk.exe	wmpmetwk.exe

C:\Users\Admin\AppData\Local\Temp\f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
"C:\Users\Admin\AppData\Local\Temp\f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
3⤵
- Executes dropped EXE
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 84
4⤵
- Program crash
PID:4896

C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
"C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
"C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
5⤵
- Executes dropped EXE
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 80
6⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1752 -ip 1752
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3352 -ip 3352
1⤵
PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
105B

MD5
fc25c3b01b648207bf8db948858fc547

SHA1
5b06754b8fe5e58d6b1362bdecddec4aa9409191

SHA256
e532f4ede6191bf01838b4b4fe9d00eb251562a517e060d20f522af94ee561cf

SHA512
95646c5a3d5744528475c4f3210d43200c6bb93971f9a38be270e40e34524241df543c6d9248a340dd0d1e28ba525fd49e5869a7ac4afa611b4af495f8c729e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
Filesize
7KB

MD5
2e18e07194565987ef816f36c4a2134e

SHA1
5278b14dc0704abd700264bb9f8610caf5d007eb

SHA256
44c927820ec11111ab620bfa75b71986b9e675770a782e3c740040d484e5dbd7

SHA512
7160e14ec359e738e77afed6341890a8084605543e7deb8720457825ff013b907e7233cc890a8c63614b4d481bc73fb72cf15378d8f3534dfb9c8064fed6f930

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
Filesize
7KB

MD5
2e18e07194565987ef816f36c4a2134e

SHA1
5278b14dc0704abd700264bb9f8610caf5d007eb

SHA256
44c927820ec11111ab620bfa75b71986b9e675770a782e3c740040d484e5dbd7

SHA512
7160e14ec359e738e77afed6341890a8084605543e7deb8720457825ff013b907e7233cc890a8c63614b4d481bc73fb72cf15378d8f3534dfb9c8064fed6f930

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
memory/332-152-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/332-143-0x0000000000000000-mapping.dmp

Download
memory/332-149-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/1436-133-0x0000000000000000-mapping.dmp

Download
memory/1436-139-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/1436-151-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/1752-141-0x0000000000000000-mapping.dmp

Download
memory/3352-147-0x0000000000000000-mapping.dmp

Download
memory/4344-138-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-132-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/5024-145-0x0000000000000000-mapping.dmp

Download
memory/5024-150-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/5024-153-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download