Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
65s -
max time network
72s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
04/08/2024, 23:52
Static task
static1
Behavioral task
behavioral1
Sample
HawkEye.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
HawkEye.exe
Resource
win10v2004-20240802-en
General
-
Target
HawkEye.exe
-
Size
232KB
-
MD5
60fabd1a2509b59831876d5e2aa71a6b
-
SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa
-
SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
-
SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
SSDEEP
3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi
Malware Config
Signatures
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
description flow ioc Process File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe 4 bot.whatismyipaddress.com Process not Found File created C:\Program Files\Microsoft Office\Office14\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre7\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre7\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Windows Sidebar\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jre7\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\Office14\1033\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\skins\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Common Files\Microsoft Shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\lua\http\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Games\Hearts\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\lua\http\js\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\db\lib\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Games\FreeCell\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe -
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource yara_rule behavioral1/memory/2384-3-0x0000000010000000-0x0000000010010000-memory.dmp chimera_loader_dll -
Renames multiple (2010) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 37 IoCs
description ioc Process File opened for modification C:\Users\Admin\Desktop\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Documents\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Downloads\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Music\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Music\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Desktop\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Libraries\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini HawkEye.exe File opened for modification C:\Program Files (x86)\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\desktop.ini HawkEye.exe File opened for modification C:\Program Files\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Videos\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Videos\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini HawkEye.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini HawkEye.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Pictures\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Links\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Searches\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Documents\desktop.ini HawkEye.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 bot.whatismyipaddress.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\library.js HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\gadget.xml HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg HawkEye.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\picturePuzzle.js HawkEye.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\Management.cer HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\6.png HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar HawkEye.exe File opened for modification C:\Program Files\Java\jre7\lib\javaws.jar HawkEye.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png HawkEye.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip HawkEye.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml HawkEye.exe File created C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png HawkEye.exe File opened for modification C:\Program Files\WriteMeasure.odt HawkEye.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png HawkEye.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js HawkEye.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html HawkEye.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png HawkEye.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HawkEye.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30f3d470c9e6da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A13D901-52BC-11EF-971E-EA452A02DA21} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f000000000200000000001066000000010000200000005a9e41965964a657dca63bf365e9ffbe08d0c8bd997c9a18380d5b45b145bcb0000000000e8000000002000020000000a969f937a528021a532766075c2132d7089e97c92b299708a1579bcda785862d900000009e76b23368b0f6f9494341793a66ebf65edf90eee330790730d8b35680db1120dd43d9c9d9081d1db0303be6733cfcd62667677d8eb742de38475d927510b4357be30bc1af4ea5e4bd86b53b42d36dc3509a5331de66d32e671a7599f15112b80993393c12a5cbf976fd262af80af3e0ac553ce57f1cf192eb18d06b4f4182824ce67520a8b7f9d40e6401c14513c92a4000000022ad5a50fa0706fa9a7a9c33ce309fcefb05e64d70c4c0dd2272f2eda0b81d9f5f065416311b26ade453cdc2b912a63250275f2e43975be41735b18e667517c4 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000bca7266c997fce238ce7915618500420467eafcddbfcb83c5edc47a0d7e8017e000000000e8000000002000020000000e47c4e837387ce33bb7219b6eee4a680ddbd920edc11a5eb9d0f794150b2304120000000054b01391a1cd6c50392257f3c7bbb0c23917b1779d36bdaef3814e944558a0340000000fac6e0d16fb120b7c01a0acbea2e73530ae96df4ffb67953187c7f39f028801d7837cf6c650cfb51d3dbda8659c247823d474f8e739d1ea5c9bec3354aaf5362 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings IEXPLORE.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WINWORD.EXE IEXPLORE.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList\WINWORD.EXE IEXPLORE.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml IEXPLORE.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2384 HawkEye.exe Token: SeDebugPrivilege 2888 taskmgr.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2920 iexplore.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2920 iexplore.exe 2920 iexplore.exe 2324 IEXPLORE.EXE 2324 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2920 2384 HawkEye.exe 34 PID 2384 wrote to memory of 2920 2384 HawkEye.exe 34 PID 2384 wrote to memory of 2920 2384 HawkEye.exe 34 PID 2384 wrote to memory of 2920 2384 HawkEye.exe 34 PID 2920 wrote to memory of 2324 2920 iexplore.exe 35 PID 2920 wrote to memory of 2324 2920 iexplore.exe 35 PID 2920 wrote to memory of 2324 2920 iexplore.exe 35 PID 2920 wrote to memory of 2324 2920 iexplore.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\HawkEye.exe"C:\Users\Admin\AppData\Local\Temp\HawkEye.exe"1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML"2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2324
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2888
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5828a4a064cbbeb2dad43b6060c633ec4
SHA1d60d1c96732d63317900eafcb8807c5d2143ad9d
SHA256cb2d1c9f544a429c8deda89dc23e4978a065d2e7fdd92c03b5331f6fa0d3ef2b
SHA51245c9a2f9686aa40b5eba940fe258864e5999fedc15109295c0f4fca1fd600d545b136a07e363ef22549b55405b0dc94a32ae724a9a3e89df743306a400977880
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e0c4c61a2f6032c926fe9ed7e3590c67
SHA13cb1972adf1be9a4e7b832e0bef523b40b74aff3
SHA2564a442f9fce86dcc8e9d820fd26ac8f480c49c02f1c7caa6327112d681c6dba2e
SHA5129d9ffd90e2d086b750b123857ba9e3dfd8d3ac67046186646d14aded1506f9d37d6e4f3ba078ab559e7292a10c97d917928144dd56b20aca76afd836a8ecb118
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD506a900b69b95bf8871008343cdc40b15
SHA1320009fdf44520365e3505db50579a3e3babe643
SHA256e55dfe6b8521cc7f8c06a8736f186fed079eea457714ed0e588abf3e13889b70
SHA51267f93f8d99c51c87eae4e394bd7e5ac7835e44a53af4f66738164855c391bec122a6839952b9ed26194081f04d6b096054242cb670c2f342aa5ecd3f60682c7b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD569cbbab1556109061ba81a18d55b04ff
SHA128ce10b60a58ff5afa5514c32b7339ffa5b20a27
SHA2562a2857dec44ea7ee7ba9118528e70eae29f66f83dbf83634b5c769f9f0cc41e4
SHA512ea94703adf9b0eb999a8a49b643e086c5be1c1092cdbcf6b8c6f1208a7a2c8e4d051a6d5f02cc3fb1e6a559842d0ae0025c394880ccf7f4745e755889c223079
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b94c99232139611856472cc5dd9a8be6
SHA150b55a9a6949d4f9e24aa9068951fb593690d2d3
SHA25648f5c6fe54341d8ca298d55d4ea0cefea14b776d5ffe57d14c71ae9e8b7bc678
SHA512f520c4372f0017958862a50851f8739d2a92523cfce629196bccdc8245e562f24dd8ef550f4111e07d1262d04fa92eb74e7bda54bf7758a1840629b10f2e2511
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b7565a0ab8fe84f76e1adcc9430f501b
SHA1449fdd559dd15941e4c0975db0db361066822689
SHA2569d465041fe5056019e67c16c0d61cc1cda55b541f9e705e9fb6feea6d53cede2
SHA512eeb3b0f33e5827054394cc1e6d0ff6ade3b427d26225c5dccd709103b19b60e890363d5f8b6654aa789e44e5b960fe303bffae161acb465a06a247de05288d86
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55b6ef54c9681aa3b1b79b43f113ddc05
SHA101daa81f062f6e008a8ea82ae6c2a67724bf098f
SHA25621033a6a86a4437e24ba167c846355f2107990ed62f5cba0e44a600b5988e67a
SHA512dbd9f3d4430e5a420e102abeedadc669571550f7c0ae3c5a5bcf173f4ba4b0e06669025d9b4f251c6a1e4fe08a810233900ba13473a9a847ebea1bd88be80cdc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50b57a79b61e09e979c3f67836b4c631b
SHA100908a8e419fab632726f35490e3a13cef4d72fb
SHA256f1e22c9b9794373f210295a4e0fe2c6f47ff87e32f126637e1c2f9cfa8bce8fc
SHA5120a93e1cbac238b2dd49b6ced9d2ab3f5b69e898e3635bf017c2d0576c116a41be9b8af421a6875c0583a9a90fefd8edd5625b29873a505010878ed9d86361d57
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52b3a33ff970491f3f9267a39b63c05fa
SHA167e8d738ff34854d0831242655072db44d192522
SHA2569795b8ea16552461df37bf508773cccc860cb48902dcdb4d296210c2d5159cd9
SHA5120121784f90d5496fdb7c9548afbc64274dd44bff3cfc1dd1cc152ec0564bed696aadcccfef8eb2cfc0183e81d71348ba6b95aec8494ab5e962db02d80332c971
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e81e941531cdb3b3d6a118737b091d53
SHA1b728843460ee0b50867d1a9dd1afc17e664bde0e
SHA25620816b973e5c1715354c785b48ef48d4b7ab9ba5a587f4e5b15253a6243fb3d0
SHA512333c252316b7d23a14545d8145b4657b7cd63803e6aa649ff192b8c7f495ecf34a92c4f443bed40864d594ac0c248774a5ea24fc0c0be6b5f0eae1247305691f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD508732f1d9fc9258e9409df5af863cf76
SHA13b43ca47b16c892d0e509268382a630cf415adaf
SHA256b8f5924c20143f506586ab6c6f96646fde3fb7c821e88165b6dbfa8b604a0905
SHA512f66dd920104e9111f2dcf93212b85afba05c8bda636ad16a5549cc43d5c4c5a460340cd222b4d5c2f62ecbcea786d76775682d18a4359916ab337a9f981577d5
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b