Analysis
-
max time kernel
131s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03-03-2024 05:23
Static task
static1
Behavioral task
behavioral1
Sample
HawkEye.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
HawkEye.exe
Resource
win10v2004-20240226-en
General
-
Target
HawkEye.exe
-
Size
232KB
-
MD5
60fabd1a2509b59831876d5e2aa71a6b
-
SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa
-
SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
-
SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
SSDEEP
3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi
Malware Config
Signatures
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
description ioc Process File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre7\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\plugins\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\skins\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\plugins\access\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\bin\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre7\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\db\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Windows Sidebar\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Games\Mahjong\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Updater6\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\Office14\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Games\Hearts\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe -
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource yara_rule behavioral1/memory/2208-2-0x0000000010000000-0x0000000010010000-memory.dmp chimera_loader_dll -
Detects Reflective DLL injection artifacts 2 IoCs
resource yara_rule behavioral1/memory/2208-9-0x00000000005D0000-0x00000000005EA000-memory.dmp INDICATOR_SUSPICIOUS_ReflectiveLoader behavioral1/memory/2208-10-0x00000000005D0000-0x00000000005EA000-memory.dmp INDICATOR_SUSPICIOUS_ReflectiveLoader -
Renames multiple (2007) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 37 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Searches\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Music\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Videos\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Downloads\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Libraries\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Pictures\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Videos\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Links\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini HawkEye.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Music\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Desktop\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini HawkEye.exe File opened for modification C:\Program Files\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Documents\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Documents\desktop.ini HawkEye.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 bot.whatismyipaddress.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad.png HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Code_Signing_2001-4_CA.cer HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\drag.png HawkEye.exe File opened for modification C:\Program Files\PingMeasure.emf HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi HawkEye.exe File opened for modification C:\Program Files\GroupInvoke.pps HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\drag.png HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml HawkEye.exe File opened for modification C:\Program Files\Java\jre7\lib\management-agent.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png HawkEye.exe File opened for modification C:\Program Files (x86)\Common Files\Services\verisign.bmp HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\localizedStrings.js HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\Hierarchy.xsl HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\logo.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\init.js HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\logo.png HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\16.png HawkEye.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{43E7E021-D91E-11EE-B0AE-5E73522EB9B5} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 704d46192b6dda01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000d4139cbcdd6f1c5cf4749ee2948d826455ed376d1ce5e0b4fd0dda76d2e968fe000000000e80000000020000200000008bc46a14ac71cb59383be4f3a7dd74a0afbd907b544e0860961dfa77f77e5f5090000000bb1a35a6cf607ff6f6bb03f8522d47e247cea2fdef2f555852cdb371cdcc467477d73542aef5f61e80f6ea6500618d2be1f0b1a413848a25827cac0678cd9bac3f4b9319cf6a88bdfa3a5966bb9f131376134f17a4a0adbd8308ce592db3029a2dd14264d27bca316fa9d5d31cfe4e08bae0b9f4b2acee60432af9c86287973ae7c0b0a143dca5082d6a863594187dcf40000000cf6165fad616ada9af6e184f57ffc347db942930174d309cc5239710e755545258235d201151e4ed473e57d0dfe670e2f737e137c3c0e822522cf08e256aa967 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415605321" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c2306770000000002000000000010660000000100002000000015da994885ee42e81324f674a8ade317e09c071d48b33f13bbe42034ea6422d3000000000e8000000002000020000000fb3932c49d5b744a4bdaa25be2bc5caf738601879031d9d9bbfe02ac2794c8912000000012cdc309d7c63a1b09ec99e7177d2b76f023826cd25bf2e33efbf195d3d7997b400000000eb794f0790023a69865945491beed10888fd125a94c714c0539b0b0351fa98f1e4cd1ecacd48c83540781831d525b3b9a7ba49276445d2062c5151e023ca188 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2208 HawkEye.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1652 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1652 iexplore.exe 1652 iexplore.exe 2896 IEXPLORE.EXE 2896 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2208 wrote to memory of 1652 2208 HawkEye.exe 34 PID 2208 wrote to memory of 1652 2208 HawkEye.exe 34 PID 2208 wrote to memory of 1652 2208 HawkEye.exe 34 PID 2208 wrote to memory of 1652 2208 HawkEye.exe 34 PID 1652 wrote to memory of 2896 1652 iexplore.exe 35 PID 1652 wrote to memory of 2896 1652 iexplore.exe 35 PID 1652 wrote to memory of 2896 1652 iexplore.exe 35 PID 1652 wrote to memory of 2896 1652 iexplore.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\HawkEye.exe"C:\Users\Admin\AppData\Local\Temp\HawkEye.exe"1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1652 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2896
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD563ca0ab15d7ea34c4f99e032d8706746
SHA1d8e10c06cd26e3970f9a7241987aeb5549592cc4
SHA25620486236cfbbd8eb24d91063b9725e0bfd1b716b13aa6269753204c88157d25b
SHA51293057e090424726ae3ddb8df53c95184959604e624eb6351bd8c1b0d0eb8ac74adbb6ac2bcce619b9ddb47115fe4f1d265b120c5fb7b3a58717006ccbfa85bf3
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD517437799ab12e22315ec35f55ce1ad89
SHA1e7b9977498dfa435590fa516bace0fb8ddfb1650
SHA256772261f9651a74d3f13d0a334caa62d97a18a8468ef5ff7e31dd02e022c0103d
SHA512f6c427a102d45fc0ea0f3a5215caaadf06103cc576a4e6b94bed759f084057325f0e4cc844c3a9faabb2a1478f8c59fe604e1061081023ba8991e5a82fb08647
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b102a445c174c2a795fde8d23dbebe97
SHA1423f3d0f8010c4c477bc41a2c01379b45ca25b49
SHA2569d218c3f41e5c05d13cbb5860a2fe6a155d88bd4bf79d910462b27716b4879ba
SHA5127768da2922896093e5a0a4638f801e3fc213eb2dfb6fdfc4ccbd30faed33c6520b315ae3f8ca66878cdde09e933b6c66ea81bd3b147b3baec7f46198a2860c6d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5e75a65d01beb278fcd5721af702b631f
SHA166b0bbde6aa9c3164ba8519914e6d36939921143
SHA25694d85dd3d94201df2dcbf411efe649be6bdb0e0acf1fb619c082381775f3f797
SHA51220010ac49ccfd127f3cee51d59e029717917e71250b1b73af27719fe2499aefa15949830a723db14208ca236644db47212504e39657f39e813ce95c9efabd2cb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d6cb97d1742100c8196d3d5d169a623a
SHA171bd76724cf73176e137ecd276583019eeeb9bdc
SHA25674141587ded23236472608661ef54eb96ba06564078c4322f9a0aebd9001ba63
SHA51257e1f20b71dfea2c51e7c059a3517b398c1a23efc36bc865eabaf4683e53858086e160afaf4a8b4981e5373e67c5b509c5b48bee73b8633f7e032ad3d0093d40
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD53224f1ef09666cbeb374810da5746a38
SHA182d11b6d1f493b59bfa52d6344db71bceb5e3172
SHA256bcd519d35f66998b143329e61396d47ba11d3b9413a8f9ec769e5d1c53c7df0e
SHA5129eb6a01d9630bd7d169e3ac3a34bec9aaec2b811c8fdbfd1db38cdb0af7578183b44fc9f01d563be6b461290276d13dbefb5070cab2a1cbcbf378b8bad85ea2d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD586efc81b5ec0eb162fbecdcc742da619
SHA1c659a633803afdfa5f187045670e9a6bb3e7b825
SHA25690c76ed74fef5d0d58f11f587cee9d55f575f2dc12a87ce5fc5cfd94bd591f67
SHA5128144401b75bf429e2b6de9d0ce14831de426e8d7c237868969ff9880b53569bf9ec3f748cc57810805e42c38e39862426e216c905d06355dbc6d95c23de2a395
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5bb954de66680166f9ae7b8170f70dc46
SHA18dd7af46ed6b44b17d7c0b69d46eeaba71a3670a
SHA256c21d9d8f90ba4983013f7c3e4af23d7d5b3c22b4693f691007faaf5ad573f5b1
SHA5122c9cea77706a7887041d41bde30ae8ee512bd877e3fdbe103d9d4c6740ad2cf0accede69cd1c33618708a56124be9fb4d629f12793da5a10dad5e70c2c3dbc94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d9ea5c3e0ef85070a0f5f34fd5262783
SHA1e6fd4cabdb659870a2d650caff8d20df34175030
SHA2561afb9a09bf0a592b805bac458ddbbd2d369e8b39b7987ccb5f2bc71b735b2c37
SHA512df454f85afec2cfcdfa8c710135ad624442ed79ae74f6dbfd23b5ffa63d98de8c6024c5cb436c4746ce45b1d6f623bc3e4713edb591bd97f2a31b8a5fb00e0b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD571b70c12d674b87fb8a0d8d58aea1c77
SHA1212d23c344ce0f7c935a753d791d612b55968f81
SHA256467d11913cdb605e4595adfdb040dcdbb74154dfc1b31c53cb932504c6af9344
SHA512dd141cc249eedb430624d39fa80771a067492b401ceec6fe37537314d9a1d5c4de122773cc209bc6182c3b41718fe829a468974d02ea99f2c173048e2625b643
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD54106bfbe3c7c2dbb321e8e10f3b55a96
SHA162543cca5f1a779662bcc4a010fed3bc087349e4
SHA256a74160a892bb25fbae5fdc64e5b0c845088acc39f7cc8e1381b1187134355377
SHA5125d8f64d094cd49a7e212fd12baa1bc605ca28f926aa7e1b6efcdc3bb21222708b3acf07eae1996039e7b13b83bead4ec1a8ea396f82cad54b27fd649307399e2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5301bc28093c19098dcfeabb3c89412bb
SHA148dab0991014b9b853ac3ddd4d009f705b22683f
SHA2569542fa6df7473b93f072a40660c0d3af1f55df3ca0a2831a5e1d77b5373da1da
SHA5120935d90602f8c0f013d8b31a611a95a110a2e83761cea684b42fd67a6ec79d539ad6977769fefebe79567debd83128e9ae4a5064a52260634bbfe823a954bd85
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD57603e22879a9b434982112850b3dd384
SHA17b1754a410068373daafb1b6db7fef597c31bdbe
SHA25661bc2d064af5b662306fa14268c2171b2570bc5a135b838eacdfb49bc41a3204
SHA5120a45f911f275befd9b35210843ad7c13c08f3e332b1bcdfe8525baa83ccf840df757e71e4a9d4f59f4a1fd79cb10c55db42dc624b9780ec661c839978bcc4e6f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5775773c7442d244118f244d9ffcd3f25
SHA1ab7f5ab16e9a4c756282740f68af861574ee4d4f
SHA256fd71f44440c8e5a4102de85fb8f6ece5f5e9469b7231e55b1db6cdb7d5baafbf
SHA512178b31dc4ebc74768d23c04c11af9fe87f6f6e431e057d16740d4f45ca126e9f4c05d92e494017b783a7e48186c2a9e2393e5c02fa1ca23c274c6671567decdc
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63