hawkeye | f9e10510e6e41ecfde42194fdc2cf7794396685ae4f62f0139b914506e6d440a

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment. Slip.........exe
Size

891KB
MD5

97b5a0664daa1d56844f28f5c7a7c298
SHA1

a185680cd60792ef667c3b164a263d392a88b816
SHA256

d3ce55e58da38a50612d5bc9c2ffcff110e1d591e90fc7475cf952fa9ff1f676
SHA512

3745e961140b5efe45858cdf5217d82fde55fa666c950d1af5036616f2cc461ffbbde8672d16e1d2f09133c2d4680cbecf5a51ba56daa9c42bedf85465b3dea6
SSDEEP

12288:tGHwKgGVmFSMjt9cKpy7a6fSp3GYg26anGXHyjEoXfM0y2nyjzBU+Qkw:tewKU6Kpy7a6fgG/26aEybXfD/nuBhQ

Score

10^/10

hawkeye collection discovery keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Executes dropped EXE 3 IoCs

pid	Process
2464	NcbService.exe
2632	CertPropSvc.exe
628	CertPropSvc.exe

Loads dropped DLL 2 IoCs

pid	Process
1452	Payment. Slip.........exe
2464	NcbService.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	whatismyipaddress.com

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 2740	1452	Payment. Slip.........exe	31
PID 2740 set thread context of 1992	2740	Payment. Slip.........exe	35
PID 2740 set thread context of 2144	2740	Payment. Slip.........exe	38
PID 2632 set thread context of 628	2632	CertPropSvc.exe	40
PID 2420 set thread context of 112	2420	takshost.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment. Slip.........exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment. Slip.........exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NcbService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CertPropSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CertPropSvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
2464	NcbService.exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe
1452	Payment. Slip.........exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1452	Payment. Slip.........exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	Payment. Slip.........exe
Token: SeDebugPrivilege	2464	NcbService.exe
Token: SeDebugPrivilege	2632	CertPropSvc.exe
Token: SeDebugPrivilege	2740	Payment. Slip.........exe
Token: SeDebugPrivilege	1992	vbc.exe
Token: SeDebugPrivilege	2420	takshost.exe
Token: SeDebugPrivilege	2144	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2740	Payment. Slip.........exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2740	1452	Payment. Slip.........exe	31
PID 1452 wrote to memory of 2740	1452	Payment. Slip.........exe	31
PID 1452 wrote to memory of 2740	1452	Payment. Slip.........exe	31
PID 1452 wrote to memory of 2740	1452	Payment. Slip.........exe	31
PID 1452 wrote to memory of 2740	1452	Payment. Slip.........exe	31
PID 1452 wrote to memory of 2740	1452	Payment. Slip.........exe	31
PID 1452 wrote to memory of 2740	1452	Payment. Slip.........exe	31
PID 1452 wrote to memory of 2740	1452	Payment. Slip.........exe	31
PID 1452 wrote to memory of 2740	1452	Payment. Slip.........exe	31
PID 1452 wrote to memory of 2464	1452	Payment. Slip.........exe	32
PID 1452 wrote to memory of 2464	1452	Payment. Slip.........exe	32
PID 1452 wrote to memory of 2464	1452	Payment. Slip.........exe	32
PID 1452 wrote to memory of 2464	1452	Payment. Slip.........exe	32
PID 2464 wrote to memory of 2632	2464	NcbService.exe	33
PID 2464 wrote to memory of 2632	2464	NcbService.exe	33
PID 2464 wrote to memory of 2632	2464	NcbService.exe	33
PID 2464 wrote to memory of 2632	2464	NcbService.exe	33
PID 2740 wrote to memory of 1992	2740	Payment. Slip.........exe	35
PID 2740 wrote to memory of 1992	2740	Payment. Slip.........exe	35
PID 2740 wrote to memory of 1992	2740	Payment. Slip.........exe	35
PID 2740 wrote to memory of 1992	2740	Payment. Slip.........exe	35
PID 2740 wrote to memory of 1992	2740	Payment. Slip.........exe	35
PID 2740 wrote to memory of 1992	2740	Payment. Slip.........exe	35
PID 2740 wrote to memory of 1992	2740	Payment. Slip.........exe	35
PID 2740 wrote to memory of 1992	2740	Payment. Slip.........exe	35
PID 2740 wrote to memory of 1992	2740	Payment. Slip.........exe	35
PID 2740 wrote to memory of 1992	2740	Payment. Slip.........exe	35
PID 1452 wrote to memory of 2420	1452	Payment. Slip.........exe	37
PID 1452 wrote to memory of 2420	1452	Payment. Slip.........exe	37
PID 1452 wrote to memory of 2420	1452	Payment. Slip.........exe	37
PID 1452 wrote to memory of 2420	1452	Payment. Slip.........exe	37
PID 2740 wrote to memory of 2144	2740	Payment. Slip.........exe	38
PID 2740 wrote to memory of 2144	2740	Payment. Slip.........exe	38
PID 2740 wrote to memory of 2144	2740	Payment. Slip.........exe	38
PID 2740 wrote to memory of 2144	2740	Payment. Slip.........exe	38
PID 2740 wrote to memory of 2144	2740	Payment. Slip.........exe	38
PID 2740 wrote to memory of 2144	2740	Payment. Slip.........exe	38
PID 2740 wrote to memory of 2144	2740	Payment. Slip.........exe	38
PID 2740 wrote to memory of 2144	2740	Payment. Slip.........exe	38
PID 2740 wrote to memory of 2144	2740	Payment. Slip.........exe	38
PID 2740 wrote to memory of 2144	2740	Payment. Slip.........exe	38
PID 2632 wrote to memory of 628	2632	CertPropSvc.exe	40
PID 2632 wrote to memory of 628	2632	CertPropSvc.exe	40
PID 2632 wrote to memory of 628	2632	CertPropSvc.exe	40
PID 2632 wrote to memory of 628	2632	CertPropSvc.exe	40
PID 2632 wrote to memory of 628	2632	CertPropSvc.exe	40
PID 2632 wrote to memory of 628	2632	CertPropSvc.exe	40
PID 2632 wrote to memory of 628	2632	CertPropSvc.exe	40
PID 2632 wrote to memory of 628	2632	CertPropSvc.exe	40
PID 2632 wrote to memory of 628	2632	CertPropSvc.exe	40
PID 2420 wrote to memory of 112	2420	takshost.exe	41
PID 2420 wrote to memory of 112	2420	takshost.exe	41
PID 2420 wrote to memory of 112	2420	takshost.exe	41
PID 2420 wrote to memory of 112	2420	takshost.exe	41
PID 2420 wrote to memory of 112	2420	takshost.exe	41
PID 2420 wrote to memory of 112	2420	takshost.exe	41
PID 2420 wrote to memory of 112	2420	takshost.exe	41
PID 2420 wrote to memory of 112	2420	takshost.exe	41
PID 2420 wrote to memory of 112	2420	takshost.exe	41

C:\Users\Admin\AppData\Local\Temp\Payment. Slip.........exe
"C:\Users\Admin\AppData\Local\Temp\Payment. Slip.........exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\Payment. Slip.........exe
  "C:\Users\Admin\AppData\Local\Temp\Payment. Slip.........exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CertPropSvc.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CertPropSvc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CertPropSvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CertPropSvc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:628
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
271B

MD5
a18df529a77ed1fbd887400151b9728f

SHA1
74912cb5e97566749ccae5f70e52ee87cb4dfa07

SHA256
599ceb2fab753551e7b27340cd3a9d2eb44a887dfb178d1c05015159bb352eb3

SHA512
a446e30992bc63b53952982e06069555e9b65eb25274495470d4410a04bcc9aeaa96b95300fc89512181e0614abf279f439b52f32ffc6ffb3034230c97aa08b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
327B

MD5
e4f3273432f9167e5f8bd2048206773d

SHA1
139b6566c6f8c6a359dd7e6063f88be24f701c8d

SHA256
b620b529c43ed1dab8db9c63b402958e1a0b65c9110029b92ac8ae2c21c0acb2

SHA512
e1bf722b627cd5f1e1678549d51f9556a1d31c8e5f47dfbe343c81aef7bac279ca2b062751666d650b2c196785a84b0d2edca09d1a04b829f4ae869e513e6941

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt

Filesize
4B

MD5
96f2b50b5d3613adf9c27049b2a888c7

SHA1
2064bb658055413362da3577dc8c8541aa9814fd

SHA256
f7c08cbf489b79dd62a9aea931d773dcf79833747a511b56600c88358c595304

SHA512
79550a36156f3fea3abc8d58cd92ecc4fe0ff7c62d9f09fe97f2d834618d5fab002e9cc07054036247ef7388a432cdbf0bb2b994bdaddec3f63c6937407d014f

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt

Filesize
59B

MD5
3df07d97f6f0bbcc8c93b0d46232fdf8

SHA1
a2e514a76ab5c152951d75bdc9bee892e46e25c8

SHA256
2cb18138d4102a1f2b06c220e5b14bc10dd34b695c0863b31e98c3301c0bea5b

SHA512
2a118d41a44ba4c83bef613caa060363ca0d1878eb09a35a65604c9e00bfea0fc712a37da81c0965905d247bec0cb9e432e7adfaab85d0a4b593b5d982d3ef54

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\CertPropSvc.exe

Filesize
891KB

MD5
97b5a0664daa1d56844f28f5c7a7c298

SHA1
a185680cd60792ef667c3b164a263d392a88b816

SHA256
d3ce55e58da38a50612d5bc9c2ffcff110e1d591e90fc7475cf952fa9ff1f676

SHA512
3745e961140b5efe45858cdf5217d82fde55fa666c950d1af5036616f2cc461ffbbde8672d16e1d2f09133c2d4680cbecf5a51ba56daa9c42bedf85465b3dea6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
3e40583ed2387cac83e28e6ec00cb8c3

SHA1
b1e9796b654c5a61a29919dcd40a2ffe6aa90f73

SHA256
30517f52076040c09a0d5ffb77d5c37ffffe0d292b48a431e3e9c3ffc71e08cb

SHA512
bba61f8dbf0360614cd9e67d6f36ccad73be98e7f8dbd68862d9d0ca95b6ed827587b4933eb1d14c72d562211ac3504894ad0eddb91684f88f1070fed406524d

Download Submit
memory/628-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1452-1-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-2-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-3-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-0-0x00000000743B1000-0x00000000743B2000-memory.dmp

Filesize
4KB

Download
memory/1452-54-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-53-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1992-47-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-35-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-41-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-46-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-43-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-37-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-39-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2144-55-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2144-73-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2144-67-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2144-57-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2144-59-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2144-66-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2144-61-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2144-63-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2464-27-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2464-34-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-16-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2740-19-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-10-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2740-8-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2740-18-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2740-33-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-20-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-6-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2740-14-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2740-11-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download