hawkeye | 772930c5c47fe742b60b441f8150edaa558ba9bbf13fb0f751b7d9dbdd828f21

General

Target

d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe
Size

505KB
MD5

31fdba408133d245e8761d8960b8e568
SHA1

cd2cef468d33024c2dea149f50e0faf7b907130d
SHA256

d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d
SHA512

4b144469a74903cb0c8af0a52aaedf3e5b6676ef2c036cd74081c75e3e7d7869d0f4bd14c5914caf68ebc088285fdbda2e74571093c646c17d03179a783a8594
SSDEEP

6144:sNxbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9F7I:CxQtqB5urTIoYWBQk1E+VF9mOx9q

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
painnerlogger092@gmail.com
Password:
pxfvdhixclsqroly

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 8 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe	MailPassView
behavioral1/memory/908-70-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/908-72-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/908-73-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/908-75-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe	WebBrowserPassView
behavioral1/memory/744-76-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/744-78-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/744-82-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 11 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe	Nirsoft
behavioral1/memory/908-70-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/908-72-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/908-73-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/908-75-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/744-76-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/744-78-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/744-82-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Deletes itself 1 IoCs

Processes:

Windows Update.exe

pid process

580 Windows Update.exe
Executes dropped EXE 1 IoCs

Processes:

Windows Update.exe

pid process

580 Windows Update.exe
Loads dropped DLL 1 IoCs

Processes:

d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe

pid process

924 d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
924	d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 whatismyipaddress.com
3 whatismyipaddress.com
5 whatismyipaddress.com

flow	ioc
6	whatismyipaddress.com
3	whatismyipaddress.com
5	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

Windows Update.exe

description	pid	process	target process
PID 580 set thread context of 908	580	Windows Update.exe	vbc.exe
PID 580 set thread context of 744	580	Windows Update.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows Update.exe

pid	process
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe
580	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Windows Update.exe

description pid process

Token: SeDebugPrivilege 580 Windows Update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

580 Windows Update.exe

description	pid	process
Token: SeDebugPrivilege	580	Windows Update.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exeWindows Update.exe

description	pid	process	target process
PID 924 wrote to memory of 580	924	d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe	Windows Update.exe
PID 924 wrote to memory of 580	924	d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe	Windows Update.exe
PID 924 wrote to memory of 580	924	d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe	Windows Update.exe
PID 924 wrote to memory of 580	924	d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe	Windows Update.exe
PID 924 wrote to memory of 580	924	d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe	Windows Update.exe
PID 924 wrote to memory of 580	924	d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe	Windows Update.exe
PID 924 wrote to memory of 580	924	d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe	Windows Update.exe
PID 580 wrote to memory of 908	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 908	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 908	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 908	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 908	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 908	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 908	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 908	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 908	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 908	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 744	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 744	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 744	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 744	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 744	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 744	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 744	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 744	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 744	580	Windows Update.exe	vbc.exe
PID 580 wrote to memory of 744	580	Windows Update.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe
"C:\Users\Admin\AppData\Local\Temp\d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
3e584bc9e5182d81e22464ca9d69f641

SHA1
c8456dea7d64d6edb0e109078ec589bdf5eaaff0

SHA256
71d301b79fcbfe0aaa3b5434c6bad96dfcd874b9f943adaf5563b31880548369

SHA512
3bfbc10b1c29fbc26af2730b2237aa0257f5221036270dddaf484bca1488bd1f9927bc63bbff4fa813fa866535122cc722a8def2cd561a34bf0f41808d8b75d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
505KB

MD5
31fdba408133d245e8761d8960b8e568

SHA1
cd2cef468d33024c2dea149f50e0faf7b907130d

SHA256
d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d

SHA512
4b144469a74903cb0c8af0a52aaedf3e5b6676ef2c036cd74081c75e3e7d7869d0f4bd14c5914caf68ebc088285fdbda2e74571093c646c17d03179a783a8594

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
505KB

MD5
31fdba408133d245e8761d8960b8e568

SHA1
cd2cef468d33024c2dea149f50e0faf7b907130d

SHA256
d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d

SHA512
4b144469a74903cb0c8af0a52aaedf3e5b6676ef2c036cd74081c75e3e7d7869d0f4bd14c5914caf68ebc088285fdbda2e74571093c646c17d03179a783a8594

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
Filesize
505KB

MD5
31fdba408133d245e8761d8960b8e568

SHA1
cd2cef468d33024c2dea149f50e0faf7b907130d

SHA256
d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d

SHA512
4b144469a74903cb0c8af0a52aaedf3e5b6676ef2c036cd74081c75e3e7d7869d0f4bd14c5914caf68ebc088285fdbda2e74571093c646c17d03179a783a8594

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
505KB

MD5
31fdba408133d245e8761d8960b8e568

SHA1
cd2cef468d33024c2dea149f50e0faf7b907130d

SHA256
d98055b5dedd4f2cf8f5e018af92c2d8230e520bb32fe5119789c1a9db6a4f0d

SHA512
4b144469a74903cb0c8af0a52aaedf3e5b6676ef2c036cd74081c75e3e7d7869d0f4bd14c5914caf68ebc088285fdbda2e74571093c646c17d03179a783a8594

Download Submit
memory/580-63-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/580-69-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/580-83-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/580-74-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/744-76-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/744-82-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/744-78-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/908-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/908-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/908-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/908-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/924-54-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads