hawkeye | b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc

General

Target

XRCleaner2.exe
Size

56KB
MD5

9bc57b0a4b416e360a8e20ed5dda6cd0
SHA1

7246f4cdcb19afa4de09a36972492aa067daac51
SHA256

b819fd21177ac66b9c645dcc82572b3eb774a14598dac95621edb06fb5e411fc
SHA512

dd306cd30727911a7c2335945721a85e8b65ece05efe3dd63e0fcb7b05033647fc881f0b78b8b6ac107ddf4f079107d51f835f5469fe4f3d6e787c620ff2fe82
SSDEEP

1536:2Nltt4OCTcQLe6WskbSjJ6EoBs2vWywOvu:2NltCTcQLepskbSjToIOvu

Score

10^/10

hawkeye xworm discovery execution keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

C2

join-ez.gl.at.ply.gg:55

Attributes

Install_directory
%AppData%
install_file
WindowsUpdate.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4208-1-0x0000000000CD0000-0x0000000000CE4000-memory.dmp	family_xworm

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

Processes:

XRCleaner2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk	XRCleaner2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk	XRCleaner2.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exewmplayer.exe

description	ioc	process
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

468 740 WerFault.exe wmplayer.exe

pid	pid_target	process	target process
468	740	WerFault.exe	wmplayer.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wmplayer.exeunregmp2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

XRCleaner2.exeXRCleaner2.exewmplayer.exeunregmp2.exe

description	pid	process
Token: SeDebugPrivilege	4208	XRCleaner2.exe
Token: SeDebugPrivilege	2852	XRCleaner2.exe
Token: SeShutdownPrivilege	740	wmplayer.exe
Token: SeCreatePagefilePrivilege	740	wmplayer.exe
Token: SeShutdownPrivilege	3752	unregmp2.exe
Token: SeCreatePagefilePrivilege	3752	unregmp2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wmplayer.exe

pid process

740 wmplayer.exe

pid	process
740	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wmplayer.exeunregmp2.exe

description	pid	process	target process
PID 740 wrote to memory of 1500	740	wmplayer.exe	unregmp2.exe
PID 740 wrote to memory of 1500	740	wmplayer.exe	unregmp2.exe
PID 740 wrote to memory of 1500	740	wmplayer.exe	unregmp2.exe
PID 1500 wrote to memory of 3752	1500	unregmp2.exe	unregmp2.exe
PID 1500 wrote to memory of 3752	1500	unregmp2.exe	unregmp2.exe

C:\Users\Admin\AppData\Local\Temp\XRCleaner2.exe
"C:\Users\Admin\AppData\Local\Temp\XRCleaner2.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\XRCleaner2.exe
"C:\Users\Admin\AppData\Local\Temp\XRCleaner2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 2932
  2⤵
  - Program crash
  PID:468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 740 -ip 740
1⤵
PID:1116

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\RestartPublish.js"
1⤵
PID:1392

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SelectJoin.vbe"
1⤵
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
62d6a3c45b9f3e975039ad72df8d1c6f

SHA1
313c8384e6429c213d336f6ad4b162932ea52137

SHA256
2acf6bdeedfed7082b44fbf81258be577750c03dbe0d250350edc973257dbab4

SHA512
c054d3c2d4d26cbdffd4e11e95c2332827754462f75ea1801b5d905848b0f14da9093abd524df999a54962835214f7e7daaac2c4b8eee1eef0d4fee391e505d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
0c368542ff20607ff6f571e8aac87fc1

SHA1
dbabe869fea1dac54e0f9a9833cc5f8845998d5a

SHA256
118f2011b2b96a38c924cb151cf9bf5949bf4b8f531a4d11f8b95782a286485f

SHA512
b8b6a8a6a7e58ecb68a2384bd5bc5cab18f4ec70af350fb35e7c6db119bc11753f0cc31b147e8c62872f318a15a54396eb6c105bb7656f629f95c41517532940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
c3522974e93e0b13ed981ed988eace9d

SHA1
f71a6171628b59fa051cb2dae24920b03300000b

SHA256
a096f7760dc94d8385f8d73efe012683828a34d1615b20d2791a4ba599b9cb39

SHA512
7fd17be9fd7b961cbf3e566bd8927d7537ec3480876535a28896392f8dae40828894521e603b361b2f3c14e6e4d417ea0cf35eb4cf546f3f47a83b9dd06d2ada

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
62cb9e874a4a61fbc27841591b4ba31f

SHA1
8fff59c42b9c9bc7807bdb01dc5e741a3ab52f19

SHA256
c683a6fc2e75e1585157405a509461cb0982a4bae11ee57b64cc9503451d3053

SHA512
c74f8fdea098ea8b8b9b6d6efcff72a49dbbf852aec8677745f7786674745f4c5d46e5e5a7d93f547d46bbc6aca50d9e2d75a5059475f68c793e443dd4fc3381

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
0ba80421a2031ff6b0c7446783b18cdb

SHA1
3df097e7c572e58d1617ef4953948ee43f937a96

SHA256
de50f5c8aca74a7bd6c3870d8f634daace2db4469d3f02956d6f82f2612dc070

SHA512
8185e6b535ae11011d39fd935158a75619dd86c15973e6a61e33ada35129aad18a142bd7405609e7b1867d7ffe2b4f92afa1291da59f5a3f008d7bd101dd35c7

Download Submit
memory/740-52-0x000000000A1D0000-0x000000000A1E0000-memory.dmp

Filesize
64KB

Download
memory/740-55-0x000000000A1D0000-0x000000000A1E0000-memory.dmp

Filesize
64KB

Download
memory/740-58-0x000000000A1D0000-0x000000000A1E0000-memory.dmp

Filesize
64KB

Download
memory/740-57-0x000000000A1D0000-0x000000000A1E0000-memory.dmp

Filesize
64KB

Download
memory/740-49-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/740-53-0x000000000A1D0000-0x000000000A1E0000-memory.dmp

Filesize
64KB

Download
memory/740-51-0x000000000A1D0000-0x000000000A1E0000-memory.dmp

Filesize
64KB

Download
memory/740-54-0x000000000A1D0000-0x000000000A1E0000-memory.dmp

Filesize
64KB

Download
memory/740-56-0x000000000A1D0000-0x000000000A1E0000-memory.dmp

Filesize
64KB

Download
memory/2852-11-0x00007FFAC39D0000-0x00007FFAC4491000-memory.dmp

Filesize
10.8MB

Download
memory/2852-9-0x00007FFAC39D0000-0x00007FFAC4491000-memory.dmp

Filesize
10.8MB

Download
memory/4208-0-0x00007FFAC39D3000-0x00007FFAC39D5000-memory.dmp

Filesize
8KB

Download
memory/4208-7-0x00007FFAC39D3000-0x00007FFAC39D5000-memory.dmp

Filesize
8KB

Download
memory/4208-8-0x00007FFAC39D0000-0x00007FFAC4491000-memory.dmp

Filesize
10.8MB

Download
memory/4208-6-0x00007FFAC39D0000-0x00007FFAC4491000-memory.dmp

Filesize
10.8MB

Download
memory/4208-1-0x0000000000CD0000-0x0000000000CE4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads