hawkeye | 50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67

Analysis

max time kernel
208s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06914834645d9ab3058300de4c756954.exe
Size

410KB
MD5

06914834645d9ab3058300de4c756954
SHA1

437546390ab6be7ab887e82148ba8b923bedd844
SHA256

50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67
SHA512

08869a715d99a8034ee9e473c0c56f8fa4d35afbb67467a4d27ffd9d34f7d32f87a2b1f1141657ce7de27888fdca477af3d4756d6e5799d5dd27b5acbe2ff953
SSDEEP

12288:3w06cUYTczdkibnD3WUgFooE3cVkO3rHGa6vSoW1:7TUHkibDGencVnHq6f

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	06914834645d9ab3058300de4c756954.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	lsn.exe

Deletes itself 1 IoCs

pid	Process
4440	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lsn.exe"	lsn.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 4172	4440	explorer.exe	91
PID 4076 set thread context of 3656	4076	spolsv.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4440	explorer.exe
1128	lsn.exe
4440	explorer.exe
1128	lsn.exe
1128	lsn.exe
1128	lsn.exe
1128	lsn.exe
1128	lsn.exe
1128	lsn.exe
4440	explorer.exe
1128	lsn.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
1128	lsn.exe
4076	spolsv.exe
4076	spolsv.exe
4440	explorer.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe
4076	spolsv.exe
4440	explorer.exe
1128	lsn.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	06914834645d9ab3058300de4c756954.exe
Token: SeDebugPrivilege	4440	explorer.exe
Token: SeDebugPrivilege	1128	lsn.exe
Token: SeDebugPrivilege	4076	spolsv.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 4440	784	06914834645d9ab3058300de4c756954.exe	90
PID 784 wrote to memory of 4440	784	06914834645d9ab3058300de4c756954.exe	90
PID 784 wrote to memory of 4440	784	06914834645d9ab3058300de4c756954.exe	90
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 4172	4440	explorer.exe	91
PID 4440 wrote to memory of 1128	4440	explorer.exe	92
PID 4440 wrote to memory of 1128	4440	explorer.exe	92
PID 4440 wrote to memory of 1128	4440	explorer.exe	92
PID 1128 wrote to memory of 4076	1128	lsn.exe	93
PID 1128 wrote to memory of 4076	1128	lsn.exe	93
PID 1128 wrote to memory of 4076	1128	lsn.exe	93
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95
PID 4076 wrote to memory of 3656	4076	spolsv.exe	95

C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe
"C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    PID:4172
- - C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
    "C:\Users\Admin\AppData\Local\Temp\System\lsn.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
      "C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4076
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        5⤵
        
        PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
70B

MD5
673c630c339470fb63850411fc5af025

SHA1
938da03d56e1c206abc0fb7d729855a0a877a103

SHA256
64b7ba818f2ac7e79037f57649b441d293bde5e213eae6289e1d16b753ecae70

SHA512
8f51561e75a5acc3bff8a8006fc0934b55884255b4ffd6a43b028f4d1379f74694464a614da94195b3a240abf1756a83cdb399efcef209b75ee37789743a0713

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\lsn.exe

Filesize
24KB

MD5
0aa7e4dd12b1fc4d899bb86b0fd56233

SHA1
3bbd901ecc48959847deb145da3f3af6dc194afd

SHA256
d1267fc8e53b1cb8cda98eec93daf21ded66ba6ac9c05b0b7315444d459384e9

SHA512
2f2cd1892ab79a9dba46d1c1d848cd85ec876968b07316ccbda275b88960dc1718da7e4d433c88d0a52d2637bb5c99eda1135529f956e4a54c14f09bbc3f8e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe

Filesize
373KB

MD5
e47d13264fbbe29e21869e49a807f5ae

SHA1
d1921b917f876f40cd9fe084c740ef7fc975c707

SHA256
64f359e10527add11f5a66afe42060a8809758fdd4d49d7cd6e7a85d655a70a8

SHA512
e8a76a2cfd6de90a91ddea8803e5d70c17761e738598e34a00e3739593bd93d09cae41719ebd0d8e547f00eb0519a727e424c2410e31b19e6eb098ecbe8c17c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe

Filesize
243KB

MD5
bc79ff45c32c61579605c78b4f1cd6e4

SHA1
cc5f5ad7fbeb987037514d9380c1bbb675d2b0c4

SHA256
ba57163a10722a5bfada6db3c984dcb3e8aa96bbcda621ccf2ef986a3cf82c45

SHA512
972fd3ce64a1255f10f3f6cdb66cbad6b36692f2fb5cdfa370d0aa6e3912e38b87f3625491fbdcb2eba4bebf5817bddab09f04432762ee08c525adc663ae9695

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
284KB

MD5
67ef5517548723978e5cd794a876f58d

SHA1
ac66c27a79d3fe09662d24a31694247315c6a89b

SHA256
181cf30af3598295240f2ae55863ba9d8c7644e8fbf1c0fa40fa588a315e9b74

SHA512
6dac233a4f6dfe2ca7a0723ff0ab50d574a846023164f1b77aac5dc9c9e17a8b54ab51042c1ffef1cd7ab694e47ac0f9014524e14a91b750ae2efc97af66daca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
255KB

MD5
405dac6e503e33a3284e1233719180f0

SHA1
2f3bc1521646b29e28616b496112d0508339f2f9

SHA256
f6468459342b6785f6ce899056367b201ea672bfbfc6748637244efa5f813f9a

SHA512
71d5dd83bad80f01ffbd780e87bd68e3351cbdb6a9c52ab37ffc821d4da3097397aee86a3b49d5a1c8a72f95090900e50bb4958f4cc315c25b7038076a902b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
410KB

MD5
06914834645d9ab3058300de4c756954

SHA1
437546390ab6be7ab887e82148ba8b923bedd844

SHA256
50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67

SHA512
08869a715d99a8034ee9e473c0c56f8fa4d35afbb67467a4d27ffd9d34f7d32f87a2b1f1141657ce7de27888fdca477af3d4756d6e5799d5dd27b5acbe2ff953

Download Submit
memory/784-0-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/784-2-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/784-14-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/784-1-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1128-38-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/1128-36-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1128-51-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1128-37-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1128-52-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/4076-44-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/4076-42-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download
memory/4076-54-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download
memory/4076-41-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/4076-53-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/4172-25-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4172-24-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4172-23-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4172-22-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4440-45-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-49-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/4440-50-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-16-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-13-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-15-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download