hawkeye | f621a1b20e621f90f289b2652beb0117b965393665932a1a33b73541350ab708

General

Target

Specification and shematic Diagram.exe
Size

1.4MB
MD5

6d8d586a1feda0d474f0d3c6efbdd706
SHA1

a66fc9adce64f992d7a0093d8e8c78b647ac2220
SHA256

d69d517b51057301a5b0e44b6ecd8dceb2c6e9f6ba9db39a002d9078169d69d5
SHA512

8de88c81690c38e3af5fdbecc53dc9aa042ad38f7bf60c2d7c3906e98210bf5c1a954aca861175e78fe12db4909fc16cc9f54cb33b6923c9b57975b6bf5d8829
SSDEEP

24576:eUfUDtdfFQ0QPEhyxv4+gR9P+S2f8dQWdY7Dx1EAhd:eaUujPKy5q9+SvQWO7wA

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 8 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2668-20-0x0000000000AE0000-0x0000000001AE0000-memory.dmp	MailPassView
behavioral1/memory/2668-21-0x0000000000AE0000-0x0000000001AE0000-memory.dmp	MailPassView
behavioral1/memory/2668-19-0x0000000000AE0000-0x0000000001AE0000-memory.dmp	MailPassView
behavioral1/memory/2668-23-0x0000000000AE0000-0x0000000000B68000-memory.dmp	MailPassView
behavioral1/memory/1196-27-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1196-30-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1196-28-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1196-31-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 8 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2668-20-0x0000000000AE0000-0x0000000001AE0000-memory.dmp	WebBrowserPassView
behavioral1/memory/2668-21-0x0000000000AE0000-0x0000000001AE0000-memory.dmp	WebBrowserPassView
behavioral1/memory/2668-19-0x0000000000AE0000-0x0000000001AE0000-memory.dmp	WebBrowserPassView
behavioral1/memory/2668-23-0x0000000000AE0000-0x0000000000B68000-memory.dmp	WebBrowserPassView
behavioral1/memory/2808-35-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2808-33-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2808-32-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2808-38-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2668-20-0x0000000000AE0000-0x0000000001AE0000-memory.dmp	Nirsoft
behavioral1/memory/2668-21-0x0000000000AE0000-0x0000000001AE0000-memory.dmp	Nirsoft
behavioral1/memory/2668-19-0x0000000000AE0000-0x0000000001AE0000-memory.dmp	Nirsoft
behavioral1/memory/2668-23-0x0000000000AE0000-0x0000000000B68000-memory.dmp	Nirsoft
behavioral1/memory/1196-27-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1196-30-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1196-28-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1196-31-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2808-35-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2808-33-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2808-32-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2808-38-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

wgfpulfx.exe

pid process

3016 wgfpulfx.exe
Loads dropped DLL 2 IoCs

Processes:

Specification and shematic Diagram.exewgfpulfx.exe

pid process

2872 Specification and shematic Diagram.exe
3016 wgfpulfx.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3016	wgfpulfx.exe

pid	process
2872	Specification and shematic Diagram.exe
3016	wgfpulfx.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Specification and shematic Diagram.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Specification and shematic Diagram.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 whatismyipaddress.com
4 whatismyipaddress.com

flow	ioc
6	whatismyipaddress.com
4	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

wgfpulfx.exeRegSvcs.exe

description	pid	process	target process
PID 3016 set thread context of 2668	3016	wgfpulfx.exe	RegSvcs.exe
PID 2668 set thread context of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 set thread context of 2808	2668	RegSvcs.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2472 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

wgfpulfx.exeRegSvcs.exe

pid process

3016 wgfpulfx.exe
3016 wgfpulfx.exe
3016 wgfpulfx.exe
2668 RegSvcs.exe
2668 RegSvcs.exe
2668 RegSvcs.exe
2668 RegSvcs.exe
2668 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wgfpulfx.exeRegSvcs.exe

description pid process

Token: 33 3016 wgfpulfx.exe
Token: SeIncBasePriorityPrivilege 3016 wgfpulfx.exe
Token: SeDebugPrivilege 2668 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2668 RegSvcs.exe

pid	process
2472	schtasks.exe

pid	process
3016	wgfpulfx.exe
3016	wgfpulfx.exe
3016	wgfpulfx.exe
2668	RegSvcs.exe
2668	RegSvcs.exe
2668	RegSvcs.exe
2668	RegSvcs.exe
2668	RegSvcs.exe

description	pid	process
Token: 33	3016	wgfpulfx.exe
Token: SeIncBasePriorityPrivilege	3016	wgfpulfx.exe
Token: SeDebugPrivilege	2668	RegSvcs.exe

pid	process
2668	RegSvcs.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Specification and shematic Diagram.exewgfpulfx.execmd.exeRegSvcs.exe

description	pid	process	target process
PID 2872 wrote to memory of 3016	2872	Specification and shematic Diagram.exe	wgfpulfx.exe
PID 2872 wrote to memory of 3016	2872	Specification and shematic Diagram.exe	wgfpulfx.exe
PID 2872 wrote to memory of 3016	2872	Specification and shematic Diagram.exe	wgfpulfx.exe
PID 2872 wrote to memory of 3016	2872	Specification and shematic Diagram.exe	wgfpulfx.exe
PID 2872 wrote to memory of 3016	2872	Specification and shematic Diagram.exe	wgfpulfx.exe
PID 2872 wrote to memory of 3016	2872	Specification and shematic Diagram.exe	wgfpulfx.exe
PID 2872 wrote to memory of 3016	2872	Specification and shematic Diagram.exe	wgfpulfx.exe
PID 3016 wrote to memory of 2652	3016	wgfpulfx.exe	cmd.exe
PID 3016 wrote to memory of 2652	3016	wgfpulfx.exe	cmd.exe
PID 3016 wrote to memory of 2652	3016	wgfpulfx.exe	cmd.exe
PID 3016 wrote to memory of 2652	3016	wgfpulfx.exe	cmd.exe
PID 3016 wrote to memory of 2652	3016	wgfpulfx.exe	cmd.exe
PID 3016 wrote to memory of 2652	3016	wgfpulfx.exe	cmd.exe
PID 3016 wrote to memory of 2652	3016	wgfpulfx.exe	cmd.exe
PID 2652 wrote to memory of 2472	2652	cmd.exe	schtasks.exe
PID 2652 wrote to memory of 2472	2652	cmd.exe	schtasks.exe
PID 2652 wrote to memory of 2472	2652	cmd.exe	schtasks.exe
PID 2652 wrote to memory of 2472	2652	cmd.exe	schtasks.exe
PID 2652 wrote to memory of 2472	2652	cmd.exe	schtasks.exe
PID 2652 wrote to memory of 2472	2652	cmd.exe	schtasks.exe
PID 2652 wrote to memory of 2472	2652	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 2668	3016	wgfpulfx.exe	RegSvcs.exe
PID 3016 wrote to memory of 2668	3016	wgfpulfx.exe	RegSvcs.exe
PID 3016 wrote to memory of 2668	3016	wgfpulfx.exe	RegSvcs.exe
PID 3016 wrote to memory of 2668	3016	wgfpulfx.exe	RegSvcs.exe
PID 3016 wrote to memory of 2668	3016	wgfpulfx.exe	RegSvcs.exe
PID 3016 wrote to memory of 2668	3016	wgfpulfx.exe	RegSvcs.exe
PID 3016 wrote to memory of 2668	3016	wgfpulfx.exe	RegSvcs.exe
PID 3016 wrote to memory of 2668	3016	wgfpulfx.exe	RegSvcs.exe
PID 3016 wrote to memory of 2668	3016	wgfpulfx.exe	RegSvcs.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 1196	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe
PID 2668 wrote to memory of 2808	2668	RegSvcs.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Specification and shematic Diagram.exe
"C:\Users\Admin\AppData\Local\Temp\Specification and shematic Diagram.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wgfpulfx.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wgfpulfx.exe crocyb.ntu
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn hzdhlig /tr "C:\Users\Admin\hzdhlig\wgfpulfx.exe C:\Users\Admin\hzdhlig\crocyb.ntu"
3⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 5 /tn hzdhlig /tr "C:\Users\Admin\hzdhlig\wgfpulfx.exe C:\Users\Admin\hzdhlig\crocyb.ntu"
4⤵
- Creates scheduled task(s)
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
0
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Accesses Microsoft Outlook accounts
PID:1196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
4⤵
PID:2808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qwcfi.wyz
Filesize
520KB

MD5
139eac7d626feb59f0c7da60ac4060a3

SHA1
1227f2eccbc39c372e860702b2dbade6ed4ec3a5

SHA256
7cfac465123c728deea11614fde04e28713dd214ffb8ec2c06e24463693f9bb6

SHA512
a5e440c6bbc5e1ab536ac84b47a977054e65e3f5df5262abd046057e6b838cd314d7e2b5f4cc20695dbfb3e4a9141e7be9c6f1785fc52eed20037da807353312

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\wgfpulfx.exe
Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
memory/1196-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1196-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1196-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1196-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-20-0x0000000000AE0000-0x0000000001AE0000-memory.dmp

Filesize
16.0MB

Download
memory/2668-23-0x0000000000AE0000-0x0000000000B68000-memory.dmp

Filesize
544KB

Download
memory/2668-26-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2668-19-0x0000000000AE0000-0x0000000001AE0000-memory.dmp

Filesize
16.0MB

Download
memory/2668-21-0x0000000000AE0000-0x0000000001AE0000-memory.dmp

Filesize
16.0MB

Download
memory/2668-16-0x0000000000AE0000-0x0000000001AE0000-memory.dmp

Filesize
16.0MB

Download
memory/2668-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-35-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2808-33-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2808-32-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2808-38-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3016-22-0x0000000000E60000-0x0000000000F4B000-memory.dmp

Filesize
940KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads