hawkeye | afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39701f5c18d18cd690f7ded4f1ea958e.exe
Size

92KB
MD5

39701f5c18d18cd690f7ded4f1ea958e
SHA1

982abd7a3c93c48536917a958fc97252f5e225e1
SHA256

afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c
SHA512

cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff
SSDEEP

1536:sEUQjlDAMOcnNFCEcK3gGrvOAoY7ld0ckN3wTr3iAkHyy+dOrrrrrr:sVulMMlXE+g41jkNyTr

Score

10^/10

hawkeye evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AppLaunch.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	39701f5c18d18cd690f7ded4f1ea958e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	mvscavAP.exe

Deletes itself 1 IoCs

pid	Process
2444	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
2444	explorer.exe
2948	mvscavAP.exe
1500	SiaPort.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe"	mvscavAP.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 1320	2444	explorer.exe	92
PID 1500 set thread context of 1684	1500	SiaPort.exe	95

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\ctfmon.exe	AppLaunch.exe
File opened for modification	C:\WINDOWS\ctfmon.exe	AppLaunch.exe
File created	C:\WINDOWS\ctfmon.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1600	reg.exe
2052	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	explorer.exe
2948	mvscavAP.exe
1500	SiaPort.exe
2444	explorer.exe
2948	mvscavAP.exe
1500	SiaPort.exe
2444	explorer.exe
2948	mvscavAP.exe
1500	SiaPort.exe
2444	explorer.exe
2948	mvscavAP.exe
1500	SiaPort.exe
2444	explorer.exe
2948	mvscavAP.exe
1500	SiaPort.exe
2444	explorer.exe
2948	mvscavAP.exe
1500	SiaPort.exe
2444	explorer.exe
2948	mvscavAP.exe
1500	SiaPort.exe
2444	explorer.exe
2948	mvscavAP.exe
1500	SiaPort.exe
2444	explorer.exe
2948	mvscavAP.exe
1500	SiaPort.exe
2444	explorer.exe
2444	explorer.exe
2948	mvscavAP.exe
2948	mvscavAP.exe
1500	SiaPort.exe
1500	SiaPort.exe
2444	explorer.exe
2444	explorer.exe
2948	mvscavAP.exe
2948	mvscavAP.exe
1500	SiaPort.exe
1500	SiaPort.exe
2444	explorer.exe
2444	explorer.exe
2948	mvscavAP.exe
2948	mvscavAP.exe
1500	SiaPort.exe
1500	SiaPort.exe
2444	explorer.exe
2444	explorer.exe
2948	mvscavAP.exe
2948	mvscavAP.exe
1500	SiaPort.exe
1500	SiaPort.exe
2948	mvscavAP.exe
2948	mvscavAP.exe
2948	mvscavAP.exe
2948	mvscavAP.exe
2444	explorer.exe
2444	explorer.exe
1500	SiaPort.exe
1500	SiaPort.exe
2948	mvscavAP.exe
2948	mvscavAP.exe
1500	SiaPort.exe
2444	explorer.exe
1500	SiaPort.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	39701f5c18d18cd690f7ded4f1ea958e.exe
Token: SeDebugPrivilege	2444	explorer.exe
Token: SeDebugPrivilege	2948	mvscavAP.exe
Token: SeDebugPrivilege	1500	SiaPort.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1320	AppLaunch.exe
1684	AppLaunch.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2444	2936	39701f5c18d18cd690f7ded4f1ea958e.exe	91
PID 2936 wrote to memory of 2444	2936	39701f5c18d18cd690f7ded4f1ea958e.exe	91
PID 2936 wrote to memory of 2444	2936	39701f5c18d18cd690f7ded4f1ea958e.exe	91
PID 2444 wrote to memory of 1320	2444	explorer.exe	92
PID 2444 wrote to memory of 1320	2444	explorer.exe	92
PID 2444 wrote to memory of 1320	2444	explorer.exe	92
PID 2444 wrote to memory of 1320	2444	explorer.exe	92
PID 2444 wrote to memory of 1320	2444	explorer.exe	92
PID 2444 wrote to memory of 1320	2444	explorer.exe	92
PID 2444 wrote to memory of 1320	2444	explorer.exe	92
PID 2444 wrote to memory of 1320	2444	explorer.exe	92
PID 2444 wrote to memory of 2948	2444	explorer.exe	93
PID 2444 wrote to memory of 2948	2444	explorer.exe	93
PID 2444 wrote to memory of 2948	2444	explorer.exe	93
PID 2948 wrote to memory of 1500	2948	mvscavAP.exe	94
PID 2948 wrote to memory of 1500	2948	mvscavAP.exe	94
PID 2948 wrote to memory of 1500	2948	mvscavAP.exe	94
PID 1500 wrote to memory of 1684	1500	SiaPort.exe	95
PID 1500 wrote to memory of 1684	1500	SiaPort.exe	95
PID 1500 wrote to memory of 1684	1500	SiaPort.exe	95
PID 1500 wrote to memory of 1684	1500	SiaPort.exe	95
PID 1500 wrote to memory of 1684	1500	SiaPort.exe	95
PID 1500 wrote to memory of 1684	1500	SiaPort.exe	95
PID 1500 wrote to memory of 1684	1500	SiaPort.exe	95
PID 1500 wrote to memory of 1684	1500	SiaPort.exe	95
PID 1684 wrote to memory of 1600	1684	AppLaunch.exe	96
PID 1684 wrote to memory of 1600	1684	AppLaunch.exe	96
PID 1684 wrote to memory of 1600	1684	AppLaunch.exe	96
PID 1320 wrote to memory of 2052	1320	AppLaunch.exe	97
PID 1320 wrote to memory of 2052	1320	AppLaunch.exe	97
PID 1320 wrote to memory of 2052	1320	AppLaunch.exe	97

C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e.exe
"C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    - UAC bypass
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\reg.exe
      reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2052
- - C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
    "C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
      "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        5⤵
        UAC bypass
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\SysWOW64\reg.exe
        
        reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
70B

MD5
4d634b0678f88061679fb99c1e3c66da

SHA1
330746fbe8df353ceccdfa2207684d6e57572fbf

SHA256
8ca25fc3a20c1327a273453ed50f225e1c11f1c51b6e00762050b3bb3ed11837

SHA512
8d5565ba903d393fc048561da4b0da32f6c459ff6e9a5119f5da970571a12ae097f829718c5b994ea094fc8fc4c3325ba434ae03f02d0f9c3abd75d3d5451a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe

Filesize
7KB

MD5
1e065c8186d7d23b9fad718e030ad963

SHA1
ed1f41e4d34ed3321eb9dfbc6ac82b322de0c904

SHA256
45c1f790d9b856ccc02aa6be9f1102734fd9df534f6cea3b905de0698caedfdb

SHA512
feef86acf449371102d4bf7a3b6aa50ebafff01d4f23c9bf24f69e35faf92956f205d8c8ea082d615e62b680ed1038dfda6e4e099707be45c2b7bdf32bffbc23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
92KB

MD5
39701f5c18d18cd690f7ded4f1ea958e

SHA1
982abd7a3c93c48536917a958fc97252f5e225e1

SHA256
afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c

SHA512
cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff

Download Submit
C:\WINDOWS\ctfmon.exe

Filesize
57KB

MD5
454501a66ad6e85175a6757573d79f8b

SHA1
8ca96c61f26a640a5b1b1152d055260b9d43e308

SHA256
7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

SHA512
9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Download Submit
memory/1320-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1320-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1500-58-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/1500-57-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/1500-44-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/1500-42-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/1500-47-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2444-14-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2444-54-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2444-16-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2444-55-0x0000000001A00000-0x0000000001A10000-memory.dmp

Filesize
64KB

Download
memory/2444-15-0x0000000001A00000-0x0000000001A10000-memory.dmp

Filesize
64KB

Download
memory/2936-13-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2936-0-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2936-2-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/2936-1-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2948-39-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2948-38-0x0000000001540000-0x0000000001550000-memory.dmp

Filesize
64KB

Download
memory/2948-37-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2948-56-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download