chimera | 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

Analysis

max time kernel
26s
max time network
26s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HawkEye(2).exe
Size

232KB
MD5

60fabd1a2509b59831876d5e2aa71a6b
SHA1

8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256

1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512

3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
SSDEEP

3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi

Score

10^/10

chimera ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Microsoft Office\Office14\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jre7\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jre7\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Windows Sidebar\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\VideoLAN\VLC\skins\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/2224-2-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Renames multiple (1998) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 37 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	HawkEye(2).exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableDownArrow.jpg	HawkEye(2).exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	HawkEye(2).exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar	HawkEye(2).exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg	HawkEye(2).exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	HawkEye(2).exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png	HawkEye(2).exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\gadget.xml	HawkEye(2).exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	HawkEye(2).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jre7\lib\alt-rt.jar	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js	HawkEye(2).exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignright.gif	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png	HawkEye(2).exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye(2).exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\header.gif	HawkEye(2).exe
File opened for modification	C:\Program Files\EnableRemove.rar	HawkEye(2).exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\picturePuzzle.js	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\attention.gif	HawkEye(2).exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\main.js	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png	HawkEye(2).exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png	HawkEye(2).exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	HawkEye(2).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	HawkEye(2).exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\SignedComponents.cer	HawkEye(2).exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\init.js	HawkEye(2).exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D55578F1-E388-11EE-8303-EAAAC4CFEF2E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2968	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2968	vlc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	HawkEye(2).exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe
1508	iexplore.exe
2968	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe
2968	vlc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2232	xpsrchvw.exe
2232	xpsrchvw.exe
2232	xpsrchvw.exe
2232	xpsrchvw.exe
2968	vlc.exe
1508	iexplore.exe
1508	iexplore.exe
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1508	2224	HawkEye(2).exe	33
PID 2224 wrote to memory of 1508	2224	HawkEye(2).exe	33
PID 2224 wrote to memory of 1508	2224	HawkEye(2).exe	33
PID 2224 wrote to memory of 1508	2224	HawkEye(2).exe	33
PID 1508 wrote to memory of 3012	1508	iexplore.exe	34
PID 1508 wrote to memory of 3012	1508	iexplore.exe	34
PID 1508 wrote to memory of 3012	1508	iexplore.exe	34
PID 1508 wrote to memory of 3012	1508	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\HawkEye(2).exe
"C:\Users\Admin\AppData\Local\Temp\HawkEye(2).exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3012

C:\Windows\System32\xpsrchvw.exe
"C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\SwitchLimit.xps"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UninstallRequest.mpeg"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
c51b474758b95f2b9b9f45501598caf7

SHA1
245e047b5021f1cb2cd4cd4828b254f171f7c5bc

SHA256
e806e3a3f0d58ddab8de908f4407e82df42d75ac880c11455cdea45d7d0dcd2a

SHA512
cbfa7873788a3571afe12d7b43aa8c3047d4a7b1210dd4e803c636c99b618c925b0ec295ff036b75effaab0f3a53f9050d53c770d2ca7928ce864cceadfcab27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7C15.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7DC1.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/2224-4260-0x00000000009A0000-0x00000000009E0000-memory.dmp

Filesize
256KB

Download
memory/2224-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2224-10-0x00000000004F0000-0x000000000050A000-memory.dmp

Filesize
104KB

Download
memory/2224-9-0x00000000004F0000-0x000000000050A000-memory.dmp

Filesize
104KB

Download
memory/2224-8-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2224-3577-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2224-0-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2224-4263-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/2224-1-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2224-3-0x00000000009A0000-0x00000000009E0000-memory.dmp

Filesize
256KB

Download
memory/2232-2703-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2968-4313-0x000000013F210000-0x000000013F308000-memory.dmp

Filesize
992KB

Download
memory/2968-4314-0x000007FEF64E0000-0x000007FEF6514000-memory.dmp

Filesize
208KB

Download
memory/2968-4315-0x000007FEF5D10000-0x000007FEF5FC4000-memory.dmp

Filesize
2.7MB

Download
memory/2968-4319-0x000007FEEC6D0000-0x000007FEED77B000-memory.dmp

Filesize
16.7MB

Download
memory/2968-4320-0x000007FEEBE00000-0x000007FEEBF12000-memory.dmp

Filesize
1.1MB

Download