hawkeye | 757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c

Analysis

max time kernel
93s
max time network
98s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe
Size

1.2MB
MD5

396e7c70e5f68c938644adaa74095206
SHA1

061ea1ea2827c889ff11b9898af442c8319fffbf
SHA256

757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c
SHA512

f7c896b5b8bf809f2d94eda30248e40098befb70954bf8a0eb99a0de787039139984e0be08a50c4bf49921e0478311bcdf6883e5f532dc33b046cd50fede760b
SSDEEP

24576:yhntGx9yVf41ob4s6ABttGZOATIZXTnR1a34:2tGZ1oEEbG8xXja34

Score

10^/10

hawkeye collection discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Detected Nirsoft tools 12 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1136-206-0x0000000000270000-0x00000000002F4000-memory.dmp	Nirsoft
behavioral1/memory/1136-208-0x0000000000270000-0x00000000002F4000-memory.dmp	Nirsoft
behavioral1/memory/1136-207-0x0000000000270000-0x00000000002F4000-memory.dmp	Nirsoft
behavioral1/memory/1136-218-0x0000000000270000-0x00000000002F4000-memory.dmp	Nirsoft
behavioral1/memory/1136-215-0x0000000000270000-0x00000000002F4000-memory.dmp	Nirsoft
behavioral1/memory/1136-211-0x0000000000270000-0x00000000002F4000-memory.dmp	Nirsoft
behavioral1/memory/3036-265-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/3036-266-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/3036-268-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2720-269-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2720-270-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2720-275-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

NirSoft MailPassView 9 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1136-206-0x0000000000270000-0x00000000002F4000-memory.dmp	MailPassView
behavioral1/memory/1136-208-0x0000000000270000-0x00000000002F4000-memory.dmp	MailPassView
behavioral1/memory/1136-207-0x0000000000270000-0x00000000002F4000-memory.dmp	MailPassView
behavioral1/memory/1136-218-0x0000000000270000-0x00000000002F4000-memory.dmp	MailPassView
behavioral1/memory/1136-215-0x0000000000270000-0x00000000002F4000-memory.dmp	MailPassView
behavioral1/memory/1136-211-0x0000000000270000-0x00000000002F4000-memory.dmp	MailPassView
behavioral1/memory/3036-265-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/3036-266-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/3036-268-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 9 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1136-206-0x0000000000270000-0x00000000002F4000-memory.dmp	WebBrowserPassView
behavioral1/memory/1136-208-0x0000000000270000-0x00000000002F4000-memory.dmp	WebBrowserPassView
behavioral1/memory/1136-207-0x0000000000270000-0x00000000002F4000-memory.dmp	WebBrowserPassView
behavioral1/memory/1136-218-0x0000000000270000-0x00000000002F4000-memory.dmp	WebBrowserPassView
behavioral1/memory/1136-215-0x0000000000270000-0x00000000002F4000-memory.dmp	WebBrowserPassView
behavioral1/memory/1136-211-0x0000000000270000-0x00000000002F4000-memory.dmp	WebBrowserPassView
behavioral1/memory/2720-269-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2720-270-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2720-275-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Executes dropped EXE 2 IoCs

pid	Process
2664	magert.exe
1136	magert.exe

Loads dropped DLL 1 IoCs

pid	Process
1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Music\\magert.exe"	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	whatismyipaddress.com
16	whatismyipaddress.com
17	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 1136	2664	magert.exe	31
PID 1136 set thread context of 3036	1136	magert.exe	33
PID 1136 set thread context of 2720	1136	magert.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	magert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	magert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe
1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe
1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe
1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe
1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe
1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe
2664	magert.exe
2664	magert.exe
2664	magert.exe
2664	magert.exe
2664	magert.exe
2664	magert.exe
2720	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe
Token: SeDebugPrivilege	2664	magert.exe
Token: SeDebugPrivilege	1136	magert.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1136	magert.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2664	1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe	30
PID 1660 wrote to memory of 2664	1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe	30
PID 1660 wrote to memory of 2664	1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe	30
PID 1660 wrote to memory of 2664	1660	757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe	30
PID 2664 wrote to memory of 1136	2664	magert.exe	31
PID 2664 wrote to memory of 1136	2664	magert.exe	31
PID 2664 wrote to memory of 1136	2664	magert.exe	31
PID 2664 wrote to memory of 1136	2664	magert.exe	31
PID 2664 wrote to memory of 1136	2664	magert.exe	31
PID 2664 wrote to memory of 1136	2664	magert.exe	31
PID 2664 wrote to memory of 1136	2664	magert.exe	31
PID 2664 wrote to memory of 1136	2664	magert.exe	31
PID 2664 wrote to memory of 1136	2664	magert.exe	31
PID 1136 wrote to memory of 3036	1136	magert.exe	33
PID 1136 wrote to memory of 3036	1136	magert.exe	33
PID 1136 wrote to memory of 3036	1136	magert.exe	33
PID 1136 wrote to memory of 3036	1136	magert.exe	33
PID 1136 wrote to memory of 3036	1136	magert.exe	33
PID 1136 wrote to memory of 3036	1136	magert.exe	33
PID 1136 wrote to memory of 3036	1136	magert.exe	33
PID 1136 wrote to memory of 3036	1136	magert.exe	33
PID 1136 wrote to memory of 3036	1136	magert.exe	33
PID 1136 wrote to memory of 3036	1136	magert.exe	33
PID 1136 wrote to memory of 2720	1136	magert.exe	34
PID 1136 wrote to memory of 2720	1136	magert.exe	34
PID 1136 wrote to memory of 2720	1136	magert.exe	34
PID 1136 wrote to memory of 2720	1136	magert.exe	34
PID 1136 wrote to memory of 2720	1136	magert.exe	34
PID 1136 wrote to memory of 2720	1136	magert.exe	34
PID 1136 wrote to memory of 2720	1136	magert.exe	34
PID 1136 wrote to memory of 2720	1136	magert.exe	34
PID 1136 wrote to memory of 2720	1136	magert.exe	34
PID 1136 wrote to memory of 2720	1136	magert.exe	34

C:\Users\Admin\AppData\Local\Temp\757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe
"C:\Users\Admin\AppData\Local\Temp\757302d6d87700d81bfc5c0f6db47b6982aa1b618c8ec5dfcc6bfccc6dac847c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\Music\magert.exe
  "C:\Users\Admin\Music\magert.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\Music\magert.exe
    "C:\Users\Admin\Music\magert.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:3036
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd88a112e3382eebd2689571b2df081a

SHA1
3f808353f1e73488f9640fc1dfdda83c7c328b1c

SHA256
704b75028671c5fb6649d59520ad6249a218f00ffc506f342c87995231563b54

SHA512
8e69cfd65e3fa316c0c4b05bc9d4d8a1bac68986914947d7fcf2489a2bb49f574dc256d7fbccaedbc97a88965f7a69bad21a6bab6a6a39d1a5f415c09b45bb7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
479c16998b5993198995815f40aade11

SHA1
8fc720768bd86918db90fa4149e21bf0444d74d2

SHA256
39c978313c42dc3a507b1ba922c4f198550ebc5712680b4d481264eed45c52fa

SHA512
deab0ce205a37f34bdf9ee1ae0c0bc7510ae6f64145a3f8c7d82a7e27260c55c7ad035f4f1ba861664ec3205e352bd45e1c7c5119ba32f35787373bc74e35651

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc87476843f61624e4cd219e817ac862

SHA1
c1dc45c0244022a10c920a7a6b9884d63c65c14f

SHA256
27ec6ebae78180d175099ebc67bd5836e4baa1fd60372ca38628bc041839692d

SHA512
71e0f4b34c375f18b08876e6537ad964d96d395f8d48e4dc709893967535d9c32ec81110c602316ef4aa33f451f104c86aa75c18d1b584fa8c535e3fb6588a8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
fb52674dec2db117951af9b2f64b3d21

SHA1
bc6a9291e030f94867cf6d94a72facbbf23a3cf3

SHA256
9b000639f55fb946b2b10f94cf34542f97b9485fac3e05153d46690c671854ae

SHA512
6863beebf140872823019f41a62bc34e515c527ec0bfe732c98f65172971a2f6fc9df1a3b776277a6ec1d098217263eb569c46b67945b2e7d9b5c4b3fe0a3ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA9D8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA9EB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Music\magert.exe

Filesize
1.2MB

MD5
02ef9f2b48258d9ab11e92f9737d0770

SHA1
acc45618394239d42ee5835c651eb305ee335e16

SHA256
691dc3945c009f254f9d4c1ec8148c2961f127614ca5a31fd59ff32de305c9e1

SHA512
a54b99d977e6b257a8d1149ef2b77d9fc7f77a8694c7b9344158fe1135a1c3d9abe62e342312136d93d076be7c3b96657ee2c8864042c6467a69533a7485c7b8

Download Submit
memory/1136-211-0x0000000000270000-0x00000000002F4000-memory.dmp

Filesize
528KB

Download
memory/1136-215-0x0000000000270000-0x00000000002F4000-memory.dmp

Filesize
528KB

Download
memory/1136-218-0x0000000000270000-0x00000000002F4000-memory.dmp

Filesize
528KB

Download
memory/1136-207-0x0000000000270000-0x00000000002F4000-memory.dmp

Filesize
528KB

Download
memory/1136-206-0x0000000000270000-0x00000000002F4000-memory.dmp

Filesize
528KB

Download
memory/1136-208-0x0000000000270000-0x00000000002F4000-memory.dmp

Filesize
528KB

Download
memory/1660-173-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-171-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-1-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-2-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-191-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-0-0x0000000074BB1000-0x0000000074BB2000-memory.dmp

Filesize
4KB

Download
memory/1660-172-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/2664-219-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/2664-204-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/2664-192-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/2664-193-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-269-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2720-270-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2720-275-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3036-265-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download