hawkeye | 569dc2277adbe54eec16c9b9c6ee38ae4eba2e7c3498d84a37a9348452671f39

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

postalesmp4.exe
Size

182KB
MD5

0091d020743c4cbea4251fda7a9e1c2a
SHA1

46b23cede43d4de1a4ea8b544821ca84d64266c8
SHA256

d6a07c7c72f838bf598f6f80ed24bd9a84035abc58dc92dea2844786dcaea3c1
SHA512

4a827fdca6e855aca9b380146284d4f74f073c0882fcf0dd36f9b23fd900490bf5da5c5d8d1c8c8c7f0ceac972d125ca1c419d9b075f37de296faf2f5773ac2c
SSDEEP

3072:LcPGMaCGKc2iX7RlK7p0UG5nt526s9xB4Ln9fSKDcSCQ51Y4Uo7j9zc8ql+A1:wP1aXbX7Rip0ZCrB4Ln9GQDYxot4l

Score

10^/10

hawkeye discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ntvdmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	postalesmp4.exe

Deletes itself 1 IoCs

pid	Process
2860	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\© Microsoft Real Time Media Stack = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\ntvdmd.exe"	ntvdmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 4404	2860	explorer.exe	88
PID 5016 set thread context of 4688	5016	UccApi.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
376	4404	WerFault.exe	88
4776	4688	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	postalesmp4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ntvdmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UccApi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe
1712	ntvdmd.exe
5016	UccApi.exe
2860	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	postalesmp4.exe
Token: SeDebugPrivilege	2860	explorer.exe
Token: SeDebugPrivilege	1712	ntvdmd.exe
Token: SeDebugPrivilege	5016	UccApi.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 2860	936	postalesmp4.exe	87
PID 936 wrote to memory of 2860	936	postalesmp4.exe	87
PID 936 wrote to memory of 2860	936	postalesmp4.exe	87
PID 2860 wrote to memory of 4404	2860	explorer.exe	88
PID 2860 wrote to memory of 4404	2860	explorer.exe	88
PID 2860 wrote to memory of 4404	2860	explorer.exe	88
PID 2860 wrote to memory of 4404	2860	explorer.exe	88
PID 2860 wrote to memory of 4404	2860	explorer.exe	88
PID 2860 wrote to memory of 4404	2860	explorer.exe	88
PID 2860 wrote to memory of 4404	2860	explorer.exe	88
PID 2860 wrote to memory of 4404	2860	explorer.exe	88
PID 2860 wrote to memory of 4404	2860	explorer.exe	88
PID 2860 wrote to memory of 1712	2860	explorer.exe	92
PID 2860 wrote to memory of 1712	2860	explorer.exe	92
PID 2860 wrote to memory of 1712	2860	explorer.exe	92
PID 1712 wrote to memory of 5016	1712	ntvdmd.exe	93
PID 1712 wrote to memory of 5016	1712	ntvdmd.exe	93
PID 1712 wrote to memory of 5016	1712	ntvdmd.exe	93
PID 5016 wrote to memory of 4688	5016	UccApi.exe	94
PID 5016 wrote to memory of 4688	5016	UccApi.exe	94
PID 5016 wrote to memory of 4688	5016	UccApi.exe	94
PID 5016 wrote to memory of 4688	5016	UccApi.exe	94
PID 5016 wrote to memory of 4688	5016	UccApi.exe	94
PID 5016 wrote to memory of 4688	5016	UccApi.exe	94
PID 5016 wrote to memory of 4688	5016	UccApi.exe	94
PID 5016 wrote to memory of 4688	5016	UccApi.exe	94
PID 5016 wrote to memory of 4688	5016	UccApi.exe	94

C:\Users\Admin\AppData\Local\Temp\postalesmp4.exe
"C:\Users\Admin\AppData\Local\Temp\postalesmp4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    PID:4404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 504
      4⤵
      Program crash
      PID:376
- - C:\Users\Admin\AppData\Local\Temp\System\ntvdmd.exe
    "C:\Users\Admin\AppData\Local\Temp\System\ntvdmd.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\System\UccApi.exe
      "C:\Users\Admin\AppData\Local\Temp\System\UccApi.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        5⤵
        
        PID:4688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 504
        6⤵
        Program crash
        
        PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4404 -ip 4404
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4688 -ip 4688
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
49B

MD5
40717b34e60426d24511a3e3fb2e4ef4

SHA1
2336370e49fda264db8c1d5ca2617a764a018db4

SHA256
4859d840b6a00fdf5b2797b7a01832adbe2075c64b28111114b1652660fea4ca

SHA512
6227f0827f9d78da764f5e8b149ec674cb605c6954b85743245b57b57688936a1e2948efd65bf93eb661dbbbd24a8536a26f6cc8e29e55efb8ac10c1c91eeba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\ntvdmd.exe

Filesize
47KB

MD5
03c886af821f78c72b9f31a5ee9523bf

SHA1
00eb6757b298c1dbfd815672c4d66d88078f489f

SHA256
225e869ca14f2ce166871f218c9ff7161ebd25b8ea521a563194d40729318247

SHA512
d6d915b160019545ad77f62bf8aa25945fb142c105c2a0535c34139f83f2874412706d6be2e6d982a0a8f54caba2e4debf4446ede134c6c766510dbe942377f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
182KB

MD5
0091d020743c4cbea4251fda7a9e1c2a

SHA1
46b23cede43d4de1a4ea8b544821ca84d64266c8

SHA256
d6a07c7c72f838bf598f6f80ed24bd9a84035abc58dc92dea2844786dcaea3c1

SHA512
4a827fdca6e855aca9b380146284d4f74f073c0882fcf0dd36f9b23fd900490bf5da5c5d8d1c8c8c7f0ceac972d125ca1c419d9b075f37de296faf2f5773ac2c

Download Submit
memory/936-1-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/936-2-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/936-0-0x0000000075562000-0x0000000075563000-memory.dmp

Filesize
4KB

Download
memory/936-14-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/1712-35-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/1712-44-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2860-16-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2860-13-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2860-15-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2860-42-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2860-43-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4404-22-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4404-24-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download