Analysis
-
max time kernel
47s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
12-07-2024 12:48
Static task
static1
Behavioral task
behavioral1
Sample
HawkEye.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
HawkEye.exe
Resource
win10v2004-20240709-en
General
-
Target
HawkEye.exe
-
Size
232KB
-
MD5
60fabd1a2509b59831876d5e2aa71a6b
-
SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa
-
SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
-
SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
SSDEEP
3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi
Malware Config
Signatures
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
description flow ioc Process File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe\Updater6\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\OneNote\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre7\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Games\Purble Place\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre7\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre7\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\lua\http\js\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Games\Solitaire\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre7\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\plugins\access\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe 4 bot.whatismyipaddress.com Process not Found File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Windows Sidebar\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Games\FreeCell\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Games\Chess\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre7\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Games\Mahjong\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe -
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource yara_rule behavioral1/memory/2532-3-0x0000000010000000-0x0000000010010000-memory.dmp chimera_loader_dll -
Renames multiple (2002) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 37 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Links\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Desktop\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Libraries\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Videos\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini HawkEye.exe File opened for modification C:\Program Files\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Documents\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Searches\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini HawkEye.exe File opened for modification C:\Program Files (x86)\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Documents\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Downloads\desktop.ini HawkEye.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Videos\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Music\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Music\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Pictures\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini HawkEye.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 bot.whatismyipaddress.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\macroprogress.gif HawkEye.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png HawkEye.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\ca.txt HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar HawkEye.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.jpg HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\47.png HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\ko.txt HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png HawkEye.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar HawkEye.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\settings.js HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev.png HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar HawkEye.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\plugins.dat HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\SignedComponents.cer HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png HawkEye.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js HawkEye.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E77D521-404D-11EF-93D0-F6C828CC4EA3} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2532 HawkEye.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 344 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 344 iexplore.exe 344 iexplore.exe 1728 IEXPLORE.EXE 1728 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2532 wrote to memory of 344 2532 HawkEye.exe 34 PID 2532 wrote to memory of 344 2532 HawkEye.exe 34 PID 2532 wrote to memory of 344 2532 HawkEye.exe 34 PID 2532 wrote to memory of 344 2532 HawkEye.exe 34 PID 344 wrote to memory of 1728 344 iexplore.exe 35 PID 344 wrote to memory of 1728 344 iexplore.exe 35 PID 344 wrote to memory of 1728 344 iexplore.exe 35 PID 344 wrote to memory of 1728 344 iexplore.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\HawkEye.exe"C:\Users\Admin\AppData\Local\Temp\HawkEye.exe"1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1728
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD550dca0fff0245ce7d01cdc0b6e246295
SHA1e86a53db81891ae031d35a5f9ceb4f8df3056d09
SHA2562fae793791bdd79c3eb5741cfe61ab9b54dbf187aec1c558c221b34aee5ba911
SHA512a9412894ba3e102fdcb3df5aabc687aa268075a0406b54e6344ce3971436f6ed3bf61ea0817813c3076e00a41e92a3f8d63136bc5d154d0d66d0730db963ea38
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD586e5500d2d2fa8cd09ff65d305befd9c
SHA147a0941f6a97f8605dd54785500c6fcb24146558
SHA25624f5a698fdab26b2ae376003c072b94b4fb9b773d93e47a3f7aa1f2c7e8e462d
SHA512f09f0ccdb0f14899dbdbdec534657b8bd24385828787ed4ad5f364c2cdd279e6eb1e5499faf38cd93e9901b3611c514d05a836d6436049f0514576fa9b80fd7d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f0076b68121a1bb5ded617593b07fce0
SHA16f59829c0734249b16cb040990dcc4a85d1019fb
SHA256d2fde5b8e1a7b0c0efd69199374d8fbeea22089b05ad5ef7923ca07b3f012c65
SHA512ad63c25c123971aba5ee846d338bc71c49d450b5e15662a09f810478bfa4da71b963ac1fe2f8eeb801aa7fb984c545bdecf94d6116e08e78ba54a39c0ae6eb18
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5cd5b2bcff6c3eda3eab43b59efa0c7e4
SHA16faf0877dee07a7faf46cb556445fd3f8665f312
SHA2566f19f0a821fc07723afafad8ec48a354ee52a11bf09b0b6bc5c6a234f737a762
SHA51208c48678e4049a40c3fe8388316cab4c27275672b419fa04a526c046aeab2fffe759f5e9405bbeadcd254c062d59ef76f04d33544b5e1ee653a03e2f81673d9b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50fc51a10e63cc182e9fe03571f8cb6e0
SHA1270953beeb8d1ebc426c8c7e5738c76558452134
SHA25635889c837466822da18fadbcfecf5bc2ac43246da7e0bbacf198584d8c5b7ef0
SHA51238d663fee778b16a84a58fd45f0b999df28bc5b9c366b38ae67ec0a5f0f1cc5381f33203b9b9c9e388eb7547f447e2b83298d614e35daaff0302c94795c6b914
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD54144fb1d9a78cec29ed44a7760b28ebb
SHA1e02f5e8f4c4b6da584f69ada3c993b42a5b64bb9
SHA25674b1bbcf668a766ee62e32fa12e7825a187b5757222536f91e902826b236fe74
SHA51236d4daada29e1423305f37641aca8b762ef8e2b8d966f42519c1a78bf5c2e7fadd3b7f2accd29fcce6fd13e938fa4de4ce5e18a17cc7a667905c50546b9a47ec
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5cc4a3b187f0aa182a0fcba1ffbf6c71e
SHA1173f0dfb8aae98d4160c133bad9b46b88ec4cb8a
SHA2569c1506a9973cbb2c597301f8326a72c0bb95c96aadd17e4ba7bb0fd754d5de49
SHA51215b23ffba6244669800a1603973b35a665c8adf6bee5a9a3edb0799281a2e5f4e4afe10bd8083a359adb87de27a20806f115b81a15febd40729588b432904590
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5af0111195bc8cfb25b34a11280daeb1a
SHA1b29d9160a6f35ed42255a6977f065aebe6c684c2
SHA2562a2e8496ef9f1432bab7ca1c33578983ec8e34c3dbdb652362d3a29f9e303b5a
SHA51237d781fd7f06abede43c4393ccd5889775e9facc7866cc879d01c35ab82e0cadddf2bcbae9be816e0df1f6325f7b5dfbd1c4764d16395a72d6d9b6b667e51269
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58fe059f40cf04161604d406956076446
SHA1084de76a205a8ef2e12a5600a80a4e07a2977bb7
SHA2568ece175fd26c9ffe1379b4721b1575f289ffb41429b638006bc4a67ae0e3540a
SHA5127dc5985b1e2d027e23ab7cb1fa54abc0bdb723e3405dd77603c568a8a9f8199e925efb3dd53cb7188f5a0ac4afa1eb105f7880ac13e1bca0ae5da7731d54e1e3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51afb41e5c25195ce7a8a1bf9c834be07
SHA1d93d7f4dfd96434dda582cca054e4a50d9ee12c4
SHA2569dcf14133dcca80b8e0d9d1c8aec099308c4fb3f613953b452e49be95c3f2e82
SHA51242a6ba037aed64747ddecb3ec2cd5c351ab050fbb67c6a35331a9f9fb40f5d60c26bc53cfc3b2447a68a60c2f35e0ece8204d3f04dcaff87d351e0f6e5e18567
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b