hawkeye | 47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe
Size

421KB
MD5

d7785eb032bdc8df551ceda9933688d0
SHA1

5e454bd1f8097155f40bec0d64c60f4aae1c988c
SHA256

47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47
SHA512

f71fcaee801179df15c505a77da079aebe45d80c325bc7f60d4afdd2ed25e1589fa6d20ba6414f2adee05c49add6e337dcf29c0ff3cf6b44c531b8e6d4308c16
SSDEEP

6144:wZuuObR8sVImcyYJnuptejV0rXkSfvyXwXtYV/wADJ2oC9IAyBDxnlYAVjk10k9j:nV+mzLgkvywC2ok9OpC0k9a3hAeXAZ

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 10 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	MailPassView
behavioral1/memory/1996-82-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1996-84-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1996-87-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1996-91-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/860-99-0x00000000004E0000-0x0000000000520000-memory.dmp	MailPassView
\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	MailPassView

NirSoft WebBrowserPassView 8 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	WebBrowserPassView
behavioral1/memory/1436-92-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1436-94-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1436-98-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	WebBrowserPassView

Nirsoft 13 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	Nirsoft
behavioral1/memory/1996-82-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1996-84-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1996-87-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1996-91-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1436-92-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1436-94-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1436-98-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/860-99-0x00000000004E0000-0x0000000000520000-memory.dmp	Nirsoft
\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

Payment.sfx.exePayment.exe

pid process

376 Payment.sfx.exe
860 Payment.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exePayment.sfx.exedw20.exe

pid process

1280 cmd.exe
376 Payment.sfx.exe
1704 dw20.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
376	Payment.sfx.exe
860	Payment.exe

pid	process
1280	cmd.exe
376	Payment.sfx.exe
1704	dw20.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 whatismyipaddress.com
3 whatismyipaddress.com
5 whatismyipaddress.com
Suspicious use of SetThreadContext 2 IoCs

Processes:

Payment.exe

description pid process target process

PID 860 set thread context of 1996 860 Payment.exe vbc.exe
PID 860 set thread context of 1436 860 Payment.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
6	whatismyipaddress.com
3	whatismyipaddress.com
5	whatismyipaddress.com

description	pid	process	target process
PID 860 set thread context of 1996	860	Payment.exe	vbc.exe
PID 860 set thread context of 1436	860	Payment.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Payment.exe

pid	process
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe
860	Payment.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Payment.exe

description pid process

Token: SeDebugPrivilege 860 Payment.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Payment.exe

pid process

860 Payment.exe

description	pid	process
Token: SeDebugPrivilege	860	Payment.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.execmd.exePayment.sfx.exePayment.exe

description	pid	process	target process
PID 1324 wrote to memory of 1280	1324	47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe	cmd.exe
PID 1324 wrote to memory of 1280	1324	47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe	cmd.exe
PID 1324 wrote to memory of 1280	1324	47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe	cmd.exe
PID 1324 wrote to memory of 1280	1324	47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe	cmd.exe
PID 1280 wrote to memory of 376	1280	cmd.exe	Payment.sfx.exe
PID 1280 wrote to memory of 376	1280	cmd.exe	Payment.sfx.exe
PID 1280 wrote to memory of 376	1280	cmd.exe	Payment.sfx.exe
PID 1280 wrote to memory of 376	1280	cmd.exe	Payment.sfx.exe
PID 376 wrote to memory of 860	376	Payment.sfx.exe	Payment.exe
PID 376 wrote to memory of 860	376	Payment.sfx.exe	Payment.exe
PID 376 wrote to memory of 860	376	Payment.sfx.exe	Payment.exe
PID 376 wrote to memory of 860	376	Payment.sfx.exe	Payment.exe
PID 860 wrote to memory of 1996	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1996	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1996	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1996	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1996	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1996	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1996	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1996	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1996	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1996	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1436	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1436	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1436	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1436	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1436	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1436	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1436	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1436	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1436	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1436	860	Payment.exe	vbc.exe
PID 860 wrote to memory of 1704	860	Payment.exe	dw20.exe
PID 860 wrote to memory of 1704	860	Payment.exe	dw20.exe
PID 860 wrote to memory of 1704	860	Payment.exe	dw20.exe
PID 860 wrote to memory of 1704	860	Payment.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe
"C:\Users\Admin\AppData\Local\Temp\47596c6f36932852cd7b8127269779861ecbbc32eb994a11b279b0c5da4c2e47.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\6t5reddsswas.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Payment.sfx.exe
    Payment.sfx.exe -phy6er34w55 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:1996
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        5⤵
        
        PID:1436
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1396
        5⤵
        Loads dropped DLL
        
        PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\6t5reddsswas.bat

Filesize
37B

MD5
c1c7b88c2e498633661fd417629642e4

SHA1
31f71ea8ed60a6be976892aeb577449b83cac656

SHA256
400295a410683b336d989f0d3f4143909eed33c82a0b6e2bc177b8a468044408

SHA512
528079b772f0ca5e059782b7b93c4f3799bdb895dd1b2e8185b975b1b6cd9ed1e49df3d01717cf55d735e089e8f416b4a8a4c396a64ab5e3772d135bd7457cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\6t5reddsswas.bat

Filesize
37B

MD5
c1c7b88c2e498633661fd417629642e4

SHA1
31f71ea8ed60a6be976892aeb577449b83cac656

SHA256
400295a410683b336d989f0d3f4143909eed33c82a0b6e2bc177b8a468044408

SHA512
528079b772f0ca5e059782b7b93c4f3799bdb895dd1b2e8185b975b1b6cd9ed1e49df3d01717cf55d735e089e8f416b4a8a4c396a64ab5e3772d135bd7457cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Payment.sfx.exe

Filesize
353KB

MD5
161991a5baa0cdd7b0276afc55c15824

SHA1
accb43eba8d28d58536eae0f29fbc5f2108a106c

SHA256
bc1ae4c61d7e9206193494018615e96c56d9002115ef74ccd706e51a9bf7848c

SHA512
e0f9ba4a73cd452947bf813f88721469ccd147cc5caabf5edd20ffebd199d73fe0d54b226a29fd8eed72f8b72ba368fec46b724faa7767a55b437a9ec9283f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Payment.sfx.exe

Filesize
353KB

MD5
161991a5baa0cdd7b0276afc55c15824

SHA1
accb43eba8d28d58536eae0f29fbc5f2108a106c

SHA256
bc1ae4c61d7e9206193494018615e96c56d9002115ef74ccd706e51a9bf7848c

SHA512
e0f9ba4a73cd452947bf813f88721469ccd147cc5caabf5edd20ffebd199d73fe0d54b226a29fd8eed72f8b72ba368fec46b724faa7767a55b437a9ec9283f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe

Filesize
521KB

MD5
b8a34d1b414d8d8aec00b99032692d38

SHA1
3a8ce329277832b268d395eb8b4971eb63cdbbe9

SHA256
524bb37a61523b7e6f1d5757c0ca08bd745913343c002f579ba3336a786beaca

SHA512
ab76a40d79442b657ddb0e738d39d25f5334e12723ab94ed31bb189c14ef3eb8e931f098dec3b16380494af79e8d618f89d059b132d1c4d88ba6e3142bdd697a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe

Filesize
521KB

MD5
b8a34d1b414d8d8aec00b99032692d38

SHA1
3a8ce329277832b268d395eb8b4971eb63cdbbe9

SHA256
524bb37a61523b7e6f1d5757c0ca08bd745913343c002f579ba3336a786beaca

SHA512
ab76a40d79442b657ddb0e738d39d25f5334e12723ab94ed31bb189c14ef3eb8e931f098dec3b16380494af79e8d618f89d059b132d1c4d88ba6e3142bdd697a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe

Filesize
521KB

MD5
b8a34d1b414d8d8aec00b99032692d38

SHA1
3a8ce329277832b268d395eb8b4971eb63cdbbe9

SHA256
524bb37a61523b7e6f1d5757c0ca08bd745913343c002f579ba3336a786beaca

SHA512
ab76a40d79442b657ddb0e738d39d25f5334e12723ab94ed31bb189c14ef3eb8e931f098dec3b16380494af79e8d618f89d059b132d1c4d88ba6e3142bdd697a

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Payment.sfx.exe

Filesize
353KB

MD5
161991a5baa0cdd7b0276afc55c15824

SHA1
accb43eba8d28d58536eae0f29fbc5f2108a106c

SHA256
bc1ae4c61d7e9206193494018615e96c56d9002115ef74ccd706e51a9bf7848c

SHA512
e0f9ba4a73cd452947bf813f88721469ccd147cc5caabf5edd20ffebd199d73fe0d54b226a29fd8eed72f8b72ba368fec46b724faa7767a55b437a9ec9283f17

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe

Filesize
521KB

MD5
b8a34d1b414d8d8aec00b99032692d38

SHA1
3a8ce329277832b268d395eb8b4971eb63cdbbe9

SHA256
524bb37a61523b7e6f1d5757c0ca08bd745913343c002f579ba3336a786beaca

SHA512
ab76a40d79442b657ddb0e738d39d25f5334e12723ab94ed31bb189c14ef3eb8e931f098dec3b16380494af79e8d618f89d059b132d1c4d88ba6e3142bdd697a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Payment.exe

Filesize
521KB

MD5
b8a34d1b414d8d8aec00b99032692d38

SHA1
3a8ce329277832b268d395eb8b4971eb63cdbbe9

SHA256
524bb37a61523b7e6f1d5757c0ca08bd745913343c002f579ba3336a786beaca

SHA512
ab76a40d79442b657ddb0e738d39d25f5334e12723ab94ed31bb189c14ef3eb8e931f098dec3b16380494af79e8d618f89d059b132d1c4d88ba6e3142bdd697a

Download Submit
memory/376-81-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/860-77-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/860-105-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/860-86-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/860-85-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/860-102-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/860-99-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/1324-80-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1436-92-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1436-94-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1436-98-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1704-125-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1996-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-84-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download