hawkeye | afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c

Analysis

max time kernel
151s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39701f5c18d18cd690f7ded4f1ea958e.exe
Size

92KB
MD5

39701f5c18d18cd690f7ded4f1ea958e
SHA1

982abd7a3c93c48536917a958fc97252f5e225e1
SHA256

afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c
SHA512

cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff
SSDEEP

1536:sEUQjlDAMOcnNFCEcK3gGrvOAoY7ld0ckN3wTr3iAkHyy+dOrrrrrr:sVulMMlXE+g41jkNyTr

Score

10^/10

hawkeye evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	AppLaunch.exe

Deletes itself 1 IoCs

pid	Process
2700	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe

Loads dropped DLL 6 IoCs

pid	Process
532	39701f5c18d18cd690f7ded4f1ea958e.exe
532	39701f5c18d18cd690f7ded4f1ea958e.exe
2700	explorer.exe
2700	explorer.exe
1924	mvscavAP.exe
1924	mvscavAP.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe"	mvscavAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2752	2700	explorer.exe	29
PID 1636 set thread context of 1560	1636	SiaPort.exe	31

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\ctfmon.exe	AppLaunch.exe
File opened for modification	C:\WINDOWS\ctfmon.exe	AppLaunch.exe
File opened for modification	C:\WINDOWS\ctfmon.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2136	reg.exe
2900	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe
1924	mvscavAP.exe
1636	SiaPort.exe
2700	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	39701f5c18d18cd690f7ded4f1ea958e.exe
Token: SeDebugPrivilege	2700	explorer.exe
Token: SeDebugPrivilege	1924	mvscavAP.exe
Token: SeDebugPrivilege	1636	SiaPort.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2752	AppLaunch.exe
1560	AppLaunch.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 2700	532	39701f5c18d18cd690f7ded4f1ea958e.exe	28
PID 532 wrote to memory of 2700	532	39701f5c18d18cd690f7ded4f1ea958e.exe	28
PID 532 wrote to memory of 2700	532	39701f5c18d18cd690f7ded4f1ea958e.exe	28
PID 532 wrote to memory of 2700	532	39701f5c18d18cd690f7ded4f1ea958e.exe	28
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 2752	2700	explorer.exe	29
PID 2700 wrote to memory of 1924	2700	explorer.exe	30
PID 2700 wrote to memory of 1924	2700	explorer.exe	30
PID 2700 wrote to memory of 1924	2700	explorer.exe	30
PID 2700 wrote to memory of 1924	2700	explorer.exe	30
PID 1924 wrote to memory of 1636	1924	mvscavAP.exe	32
PID 1924 wrote to memory of 1636	1924	mvscavAP.exe	32
PID 1924 wrote to memory of 1636	1924	mvscavAP.exe	32
PID 1924 wrote to memory of 1636	1924	mvscavAP.exe	32
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 1636 wrote to memory of 1560	1636	SiaPort.exe	31
PID 2752 wrote to memory of 2136	2752	AppLaunch.exe	34
PID 2752 wrote to memory of 2136	2752	AppLaunch.exe	34
PID 2752 wrote to memory of 2136	2752	AppLaunch.exe	34
PID 2752 wrote to memory of 2136	2752	AppLaunch.exe	34
PID 2752 wrote to memory of 2136	2752	AppLaunch.exe	34
PID 2752 wrote to memory of 2136	2752	AppLaunch.exe	34
PID 2752 wrote to memory of 2136	2752	AppLaunch.exe	34
PID 1560 wrote to memory of 2900	1560	AppLaunch.exe	36
PID 1560 wrote to memory of 2900	1560	AppLaunch.exe	36
PID 1560 wrote to memory of 2900	1560	AppLaunch.exe	36
PID 1560 wrote to memory of 2900	1560	AppLaunch.exe	36
PID 1560 wrote to memory of 2900	1560	AppLaunch.exe	36
PID 1560 wrote to memory of 2900	1560	AppLaunch.exe	36
PID 1560 wrote to memory of 2900	1560	AppLaunch.exe	36

C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e.exe
"C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    - UAC bypass
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\reg.exe
      reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2136
- - C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
    "C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
      "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
1⤵
- UAC bypass
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\reg.exe
  reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
70B

MD5
4d634b0678f88061679fb99c1e3c66da

SHA1
330746fbe8df353ceccdfa2207684d6e57572fbf

SHA256
8ca25fc3a20c1327a273453ed50f225e1c11f1c51b6e00762050b3bb3ed11837

SHA512
8d5565ba903d393fc048561da4b0da32f6c459ff6e9a5119f5da970571a12ae097f829718c5b994ea094fc8fc4c3325ba434ae03f02d0f9c3abd75d3d5451a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe

Filesize
7KB

MD5
1e065c8186d7d23b9fad718e030ad963

SHA1
ed1f41e4d34ed3321eb9dfbc6ac82b322de0c904

SHA256
45c1f790d9b856ccc02aa6be9f1102734fd9df534f6cea3b905de0698caedfdb

SHA512
feef86acf449371102d4bf7a3b6aa50ebafff01d4f23c9bf24f69e35faf92956f205d8c8ea082d615e62b680ed1038dfda6e4e099707be45c2b7bdf32bffbc23

Download Submit
C:\WINDOWS\ctfmon.exe

Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
92KB

MD5
39701f5c18d18cd690f7ded4f1ea958e

SHA1
982abd7a3c93c48536917a958fc97252f5e225e1

SHA256
afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c

SHA512
cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff

Download Submit
memory/532-1-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/532-2-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/532-0-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/532-14-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-74-0x0000000000360000-0x00000000003BF000-memory.dmp

Filesize
380KB

Download
memory/1560-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1560-76-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1636-87-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/1636-88-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1636-61-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1636-57-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/1636-89-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1636-59-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-51-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-84-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-48-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-86-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1924-85-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-55-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-49-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2700-82-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-83-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/2700-17-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-16-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/2700-15-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2752-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2752-80-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2752-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2752-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2752-37-0x00000000002E0000-0x000000000033F000-memory.dmp

Filesize
380KB

Download