hawkeye | 50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67

General

Target

06914834645d9ab3058300de4c756954.exe
Size

410KB
MD5

06914834645d9ab3058300de4c756954
SHA1

437546390ab6be7ab887e82148ba8b923bedd844
SHA256

50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67
SHA512

08869a715d99a8034ee9e473c0c56f8fa4d35afbb67467a4d27ffd9d34f7d32f87a2b1f1141657ce7de27888fdca477af3d4756d6e5799d5dd27b5acbe2ff953
SSDEEP

12288:3w06cUYTczdkibnD3WUgFooE3cVkO3rHGa6vSoW1:7TUHkibDGencVnHq6f

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Deletes itself 1 IoCs

pid	Process
2168	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2168	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	06914834645d9ab3058300de4c756954.exe
2140	06914834645d9ab3058300de4c756954.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 2668	2168	explorer.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2168	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	06914834645d9ab3058300de4c756954.exe
Token: SeDebugPrivilege	2168	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2168	2140	06914834645d9ab3058300de4c756954.exe	27
PID 2140 wrote to memory of 2168	2140	06914834645d9ab3058300de4c756954.exe	27
PID 2140 wrote to memory of 2168	2140	06914834645d9ab3058300de4c756954.exe	27
PID 2140 wrote to memory of 2168	2140	06914834645d9ab3058300de4c756954.exe	27
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29
PID 2168 wrote to memory of 2668	2168	explorer.exe	29

C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe
"C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
    "C:\Users\Admin\AppData\Local\Temp\System\lsn.exe"
    3⤵
    PID:2548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
1⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
"C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
70B

MD5
673c630c339470fb63850411fc5af025

SHA1
938da03d56e1c206abc0fb7d729855a0a877a103

SHA256
64b7ba818f2ac7e79037f57649b441d293bde5e213eae6289e1d16b753ecae70

SHA512
8f51561e75a5acc3bff8a8006fc0934b55884255b4ffd6a43b028f4d1379f74694464a614da94195b3a240abf1756a83cdb399efcef209b75ee37789743a0713

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\lsn.exe

Filesize
24KB

MD5
0aa7e4dd12b1fc4d899bb86b0fd56233

SHA1
3bbd901ecc48959847deb145da3f3af6dc194afd

SHA256
d1267fc8e53b1cb8cda98eec93daf21ded66ba6ac9c05b0b7315444d459384e9

SHA512
2f2cd1892ab79a9dba46d1c1d848cd85ec876968b07316ccbda275b88960dc1718da7e4d433c88d0a52d2637bb5c99eda1135529f956e4a54c14f09bbc3f8e11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
410KB

MD5
06914834645d9ab3058300de4c756954

SHA1
437546390ab6be7ab887e82148ba8b923bedd844

SHA256
50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67

SHA512
08869a715d99a8034ee9e473c0c56f8fa4d35afbb67467a4d27ffd9d34f7d32f87a2b1f1141657ce7de27888fdca477af3d4756d6e5799d5dd27b5acbe2ff953

Download Submit
memory/2140-15-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-1-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-0-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-2-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2168-17-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2168-16-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2168-14-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/2168-73-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2168-72-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/2548-46-0x0000000000C50000-0x0000000000C90000-memory.dmp

Filesize
256KB

Download
memory/2548-52-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-47-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-75-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-74-0x0000000000C50000-0x0000000000C90000-memory.dmp

Filesize
256KB

Download
memory/2608-54-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/2608-59-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-57-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-77-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-76-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/2608-78-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-33-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-27-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-26-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-25-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-24-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-23-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-28-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2668-31-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-35-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-37-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-44-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2668-39-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-32-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing