hawkeye | b352a1acc928c427fd002159fa9fef4fb83f5e00517e4724c9f99666ba156255

Analysis

max time kernel
171s
max time network
174s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/05/2023, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Level7Free.exe
Size

1.1MB
MD5

1fa6f3e74dd5a7ef2fefc826a20dcec7
SHA1

683b903de198378eed2bf8b0fc81a357d71885e3
SHA256

b352a1acc928c427fd002159fa9fef4fb83f5e00517e4724c9f99666ba156255
SHA512

1068a4a3cb145d02b501ea81bb938793f70fe80479a88b919b6ef1b0d35a8402aa777bdd59d85530ee7cd9410dcc165bfdcf4bbf6f07db6e21653c68357fa829
SSDEEP

24576:bKFuHlslz9lTWEHpqCHFZ19P98/eGAsB9LPx4GjiRtwBYcWJ:bKFuHlUz9laEHpZlZ19P98/8k9LPxHQ3

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/688-69-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/688-71-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/688-73-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/688-75-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/540-76-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/540-78-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/540-80-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/540-84-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral1/memory/688-69-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/688-71-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/688-73-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/688-75-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/540-76-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/540-78-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/540-80-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/540-84-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
576	EBFile_1.exe

Loads dropped DLL 1 IoCs

pid	Process
1720	Level7Free.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Level7Free.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 688	1720	Level7Free.exe	31
PID 1720 set thread context of 540	1720	Level7Free.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	Level7Free.exe
1720	Level7Free.exe
1720	Level7Free.exe
1720	Level7Free.exe
1720	Level7Free.exe
1720	Level7Free.exe
1720	Level7Free.exe
576	EBFile_1.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe
1720	Level7Free.exe
576	EBFile_1.exe
1720	Level7Free.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	Level7Free.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	Level7Free.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 576	1720	Level7Free.exe	29
PID 1720 wrote to memory of 576	1720	Level7Free.exe	29
PID 1720 wrote to memory of 576	1720	Level7Free.exe	29
PID 1720 wrote to memory of 576	1720	Level7Free.exe	29
PID 1720 wrote to memory of 688	1720	Level7Free.exe	31
PID 1720 wrote to memory of 688	1720	Level7Free.exe	31
PID 1720 wrote to memory of 688	1720	Level7Free.exe	31
PID 1720 wrote to memory of 688	1720	Level7Free.exe	31
PID 1720 wrote to memory of 688	1720	Level7Free.exe	31
PID 1720 wrote to memory of 688	1720	Level7Free.exe	31
PID 1720 wrote to memory of 688	1720	Level7Free.exe	31
PID 1720 wrote to memory of 688	1720	Level7Free.exe	31
PID 1720 wrote to memory of 688	1720	Level7Free.exe	31
PID 1720 wrote to memory of 688	1720	Level7Free.exe	31
PID 1720 wrote to memory of 540	1720	Level7Free.exe	32
PID 1720 wrote to memory of 540	1720	Level7Free.exe	32
PID 1720 wrote to memory of 540	1720	Level7Free.exe	32
PID 1720 wrote to memory of 540	1720	Level7Free.exe	32
PID 1720 wrote to memory of 540	1720	Level7Free.exe	32
PID 1720 wrote to memory of 540	1720	Level7Free.exe	32
PID 1720 wrote to memory of 540	1720	Level7Free.exe	32
PID 1720 wrote to memory of 540	1720	Level7Free.exe	32
PID 1720 wrote to memory of 540	1720	Level7Free.exe	32
PID 1720 wrote to memory of 540	1720	Level7Free.exe	32

C:\Users\Admin\AppData\Local\Temp\Level7Free.exe
"C:\Users\Admin\AppData\Local\Temp\Level7Free.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
  "C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:576
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
  2⤵
  - Accesses Microsoft Outlook accounts
  PID:688
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
  2⤵
  PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe

Filesize
12KB

MD5
22ebb12b7a9dac8c343a0e2cdbd9f855

SHA1
358ee416cf40e1c65d5747f5a9ccea752540b140

SHA256
ad22c3a1fb23fd68e0b6d41fd49a69cc80519a704ef0eca098b1c17da9e13f85

SHA512
1eab380778e4ebce2a94cd94c0541f066ad3a3b692df87e1823bed8fdc5ed1578cc7e8b5d9d4f11051832b44194b5cb0aeb9ba357c83e9c09dcece8d5f52905d

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\EBFile_1.exe

Filesize
12KB

MD5
22ebb12b7a9dac8c343a0e2cdbd9f855

SHA1
358ee416cf40e1c65d5747f5a9ccea752540b140

SHA256
ad22c3a1fb23fd68e0b6d41fd49a69cc80519a704ef0eca098b1c17da9e13f85

SHA512
1eab380778e4ebce2a94cd94c0541f066ad3a3b692df87e1823bed8fdc5ed1578cc7e8b5d9d4f11051832b44194b5cb0aeb9ba357c83e9c09dcece8d5f52905d

Download Submit
memory/540-80-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/540-76-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/540-83-0x0000000000460000-0x00000000004C7000-memory.dmp

Filesize
412KB

Download
memory/540-84-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/540-78-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/688-71-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/688-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/688-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/688-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-72-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/1720-63-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/1720-79-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/1720-54-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/1720-55-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/1720-61-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/1720-62-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/1720-85-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download