hawkeye | 1ec6ff53075f7232b5d9807e63b82e97a6c7a41bf77cd3b4e3813eefc4f97c50

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/02/2025, 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tetrishack.bat
Size

1KB
MD5

729e4888ead4281eaa0644ee732b21e2
SHA1

f3425091a72fb93c0de2c8c0729530263c3a3f05
SHA256

1ec6ff53075f7232b5d9807e63b82e97a6c7a41bf77cd3b4e3813eefc4f97c50
SHA512

59f308be4061bce350e99f9f8bc7d7e9de0ff2a7a660845eaa71abf81a9928e98d78961290dc0fdac93acc913f4cd034488dbb4d5bea2b74cda6502f352d08bf

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2380	WMIC.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2948	timeout.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	whoami.exe
Token: SeIncreaseQuotaPrivilege	2380	WMIC.exe
Token: SeSecurityPrivilege	2380	WMIC.exe
Token: SeTakeOwnershipPrivilege	2380	WMIC.exe
Token: SeLoadDriverPrivilege	2380	WMIC.exe
Token: SeSystemProfilePrivilege	2380	WMIC.exe
Token: SeSystemtimePrivilege	2380	WMIC.exe
Token: SeProfSingleProcessPrivilege	2380	WMIC.exe
Token: SeIncBasePriorityPrivilege	2380	WMIC.exe
Token: SeCreatePagefilePrivilege	2380	WMIC.exe
Token: SeBackupPrivilege	2380	WMIC.exe
Token: SeRestorePrivilege	2380	WMIC.exe
Token: SeShutdownPrivilege	2380	WMIC.exe
Token: SeDebugPrivilege	2380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2380	WMIC.exe
Token: SeRemoteShutdownPrivilege	2380	WMIC.exe
Token: SeUndockPrivilege	2380	WMIC.exe
Token: SeManageVolumePrivilege	2380	WMIC.exe
Token: 33	2380	WMIC.exe
Token: 34	2380	WMIC.exe
Token: 35	2380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2380	WMIC.exe
Token: SeSecurityPrivilege	2380	WMIC.exe
Token: SeTakeOwnershipPrivilege	2380	WMIC.exe
Token: SeLoadDriverPrivilege	2380	WMIC.exe
Token: SeSystemProfilePrivilege	2380	WMIC.exe
Token: SeSystemtimePrivilege	2380	WMIC.exe
Token: SeProfSingleProcessPrivilege	2380	WMIC.exe
Token: SeIncBasePriorityPrivilege	2380	WMIC.exe
Token: SeCreatePagefilePrivilege	2380	WMIC.exe
Token: SeBackupPrivilege	2380	WMIC.exe
Token: SeRestorePrivilege	2380	WMIC.exe
Token: SeShutdownPrivilege	2380	WMIC.exe
Token: SeDebugPrivilege	2380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2380	WMIC.exe
Token: SeRemoteShutdownPrivilege	2380	WMIC.exe
Token: SeUndockPrivilege	2380	WMIC.exe
Token: SeManageVolumePrivilege	2380	WMIC.exe
Token: 33	2380	WMIC.exe
Token: 34	2380	WMIC.exe
Token: 35	2380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	588	WMIC.exe
Token: SeSecurityPrivilege	588	WMIC.exe
Token: SeTakeOwnershipPrivilege	588	WMIC.exe
Token: SeLoadDriverPrivilege	588	WMIC.exe
Token: SeSystemProfilePrivilege	588	WMIC.exe
Token: SeSystemtimePrivilege	588	WMIC.exe
Token: SeProfSingleProcessPrivilege	588	WMIC.exe
Token: SeIncBasePriorityPrivilege	588	WMIC.exe
Token: SeCreatePagefilePrivilege	588	WMIC.exe
Token: SeBackupPrivilege	588	WMIC.exe
Token: SeRestorePrivilege	588	WMIC.exe
Token: SeShutdownPrivilege	588	WMIC.exe
Token: SeDebugPrivilege	588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	588	WMIC.exe
Token: SeRemoteShutdownPrivilege	588	WMIC.exe
Token: SeUndockPrivilege	588	WMIC.exe
Token: SeManageVolumePrivilege	588	WMIC.exe
Token: 33	588	WMIC.exe
Token: 34	588	WMIC.exe
Token: 35	588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	588	WMIC.exe
Token: SeSecurityPrivilege	588	WMIC.exe
Token: SeTakeOwnershipPrivilege	588	WMIC.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 3056	976	cmd.exe	32
PID 976 wrote to memory of 3056	976	cmd.exe	32
PID 976 wrote to memory of 3056	976	cmd.exe	32
PID 976 wrote to memory of 2380	976	cmd.exe	33
PID 976 wrote to memory of 2380	976	cmd.exe	33
PID 976 wrote to memory of 2380	976	cmd.exe	33
PID 976 wrote to memory of 588	976	cmd.exe	35
PID 976 wrote to memory of 588	976	cmd.exe	35
PID 976 wrote to memory of 588	976	cmd.exe	35
PID 976 wrote to memory of 2744	976	cmd.exe	36
PID 976 wrote to memory of 2744	976	cmd.exe	36
PID 976 wrote to memory of 2744	976	cmd.exe	36
PID 976 wrote to memory of 2888	976	cmd.exe	37
PID 976 wrote to memory of 2888	976	cmd.exe	37
PID 976 wrote to memory of 2888	976	cmd.exe	37
PID 976 wrote to memory of 2948	976	cmd.exe	38
PID 976 wrote to memory of 2948	976	cmd.exe	38
PID 976 wrote to memory of 2948	976	cmd.exe	38
PID 976 wrote to memory of 2740	976	cmd.exe	39
PID 976 wrote to memory of 2740	976	cmd.exe	39
PID 976 wrote to memory of 2740	976	cmd.exe	39
PID 976 wrote to memory of 2920	976	cmd.exe	40
PID 976 wrote to memory of 2920	976	cmd.exe	40
PID 976 wrote to memory of 2920	976	cmd.exe	40
PID 976 wrote to memory of 2160	976	cmd.exe	41
PID 976 wrote to memory of 2160	976	cmd.exe	41
PID 976 wrote to memory of 2160	976	cmd.exe	41
PID 976 wrote to memory of 2784	976	cmd.exe	42
PID 976 wrote to memory of 2784	976	cmd.exe	42
PID 976 wrote to memory of 2784	976	cmd.exe	42
PID 976 wrote to memory of 2612	976	cmd.exe	43
PID 976 wrote to memory of 2612	976	cmd.exe	43
PID 976 wrote to memory of 2612	976	cmd.exe	43
PID 976 wrote to memory of 2736	976	cmd.exe	44
PID 976 wrote to memory of 2736	976	cmd.exe	44
PID 976 wrote to memory of 2736	976	cmd.exe	44
PID 976 wrote to memory of 1532	976	cmd.exe	45
PID 976 wrote to memory of 1532	976	cmd.exe	45
PID 976 wrote to memory of 1532	976	cmd.exe	45
PID 976 wrote to memory of 2184	976	cmd.exe	46
PID 976 wrote to memory of 2184	976	cmd.exe	46
PID 976 wrote to memory of 2184	976	cmd.exe	46
PID 976 wrote to memory of 1756	976	cmd.exe	47
PID 976 wrote to memory of 1756	976	cmd.exe	47
PID 976 wrote to memory of 1756	976	cmd.exe	47
PID 976 wrote to memory of 852	976	cmd.exe	48
PID 976 wrote to memory of 852	976	cmd.exe	48
PID 976 wrote to memory of 852	976	cmd.exe	48
PID 976 wrote to memory of 548	976	cmd.exe	49
PID 976 wrote to memory of 548	976	cmd.exe	49
PID 976 wrote to memory of 548	976	cmd.exe	49
PID 976 wrote to memory of 1816	976	cmd.exe	50
PID 976 wrote to memory of 1816	976	cmd.exe	50
PID 976 wrote to memory of 1816	976	cmd.exe	50
PID 976 wrote to memory of 2516	976	cmd.exe	51
PID 976 wrote to memory of 2516	976	cmd.exe	51
PID 976 wrote to memory of 2516	976	cmd.exe	51
PID 976 wrote to memory of 2268	976	cmd.exe	53
PID 976 wrote to memory of 2268	976	cmd.exe	53
PID 976 wrote to memory of 2268	976	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tetrishack.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\system32\whoami.exe
  whoami
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\Wbem\WMIC.exe
  wmic logicaldisk get caption
  2⤵
  - Collects information from the system
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get capacity
  2⤵
  PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\sysinfo.txt"
  2⤵
  PID:2888
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /s /a-d "C:\Users\Admin\*.txt" 2>nul
  2⤵
  PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt"
  2⤵
  PID:2920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
  2⤵
  PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
  2⤵
  PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt"
  2⤵
  PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1DE2.txt"
  2⤵
  PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1E19.txt"
  2⤵
  PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1DE2.txt"
  2⤵
  PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1E19.txt"
  2⤵
  PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240903_051522_401.txt"
  2⤵
  PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240903_051522_760.txt"
  2⤵
  PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt"
  2⤵
  PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051511232-MSI_netfx_Full_x64.msi.txt"
  2⤵
  PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\AlternateServices.txt"
  2⤵
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
272B

MD5
bf8fffc146436ca3b2d55a836fc474cc

SHA1
aa6a3d8e1339c3a4e951f3044f033d2bbeef22b9

SHA256
3d48394768d2145e5b7e614f00d65b09c4639670a96301dda33849ff8cc76e6e

SHA512
ee3f9c0aed0ee8308b72388ae826bacb4e11feda62730ba4ae506e7f8e1648bb52f3ca0827afeb01ebba8afba547db48b9d741fb2f4eebff3cdac1a675d80491

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
290B

MD5
be0f39524b1498191136cfa366da22ab

SHA1
a31ca4b93aad2c2d3bd350d81bacf9d03ecbbc10

SHA256
8216ebac7b61e1d74f54f4dfdb49295874ce5016e324ff63a992bdf571bd9668

SHA512
9308a04912c75a23ccb3323567ea2ac7d76aed5c6fc2cc182af7ef018c491d5b25c64362f8e0c5508d8c436ab328db0ce7f27a56aca7d03141cbfbfe63ddae14

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
5KB

MD5
3caeabe2281c1ba2a00ce784b839c814

SHA1
8841e0b964986129618ab9dd3c351aa6068bc83f

SHA256
47f9db45992f8d6592e7cb7dca6b55aeb25954bd454ce0774f3d7e2f02a35362

SHA512
6289dd7327fb0d4a40262d466a007df0e2e97f83f1258f86e5b7d61b0a1d63cf44fcad9462509c89a10a2b4572ced2ce5992a575b1a816ab1614426fbef9f995

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
1KB

MD5
7b00dfa947e8eb5dffed0767ffe1fe78

SHA1
fa98f7dc4598dc03e8e9dbe0c9a178eb5a04f578

SHA256
40ee869ee29ba584ff9c3ed0014c45dde3a1a84d7543fa280ebb5d0aa057804e

SHA512
5bbfea579d7f7a82a65211c730afe6e0f88a163634aae4ab1150a5ecf63a9b5a81378b2fc76b9a042407db286a857d79d635b239155964e41da9067889758e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
2KB

MD5
0bf003e95016091958616e170de6420b

SHA1
a406b7a83f02c4952e970206e96e1ffbf659dbe4

SHA256
6080befe26d280ea4d5d3bff36df50b96105dc1a177b16ba765b7afd026db926

SHA512
5a15209096c0b76f9511a934de7f50c3c0d1807456c3325ba5dc7d20ef1db491a6521cdf4f24660c93483ba21f47bd66ff8165515f7ff74116327fbe803536cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
5KB

MD5
235df1b05e4a660fd8bf1f315c527e40

SHA1
e78171f02b7760dfb28738d5beda7373fa98aac6

SHA256
22e2e5d81bb47c3e802a934ba2cf7a61243350949c2c72f3bb20fa5686aa352f

SHA512
40d2ac2878c917b356d4c32db298a89782da5e45284f8d1f8cdd8cf445d8ac4e69a8f1d0ac32b77ebcca08881338e2c403ff3a6ee28f5cb2d0fa54e85b6528fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
5KB

MD5
2811779e45e51bf43b7c1ccdbd1ab982

SHA1
53ed5a4a03a3cf7f62d9d324fc66b1f8b119427e

SHA256
f58961165d886148769e908ad2438dd2ffa52519f3112a207b3088fb7657b676

SHA512
c1612de066e0cd6a4dbcb3281e832abc7f54d66b6414c0bfd1d922df97de78e5aeaab4231f9394d15ca81d6f49ba48da5f673436e8081a83fcc57eb4892e326c

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
286B

MD5
ef35f42c6f0fe6df36c984f5812038f3

SHA1
b9a810f0ae95752061247c5a9c8c94c0bf176a51

SHA256
a19ba81a1bf45ec4223b854695a3cfaa9e07844a2fbc3aa82beb437d21a5351c

SHA512
4eb0e538e8db3730deda03cfd67118c91e4c8421dbdfaa97a52e3e67f2a2d28f8d93324eac7229fb72ef4dcb4e438514400118b945dc0cd96759ec57966c4c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
286B

MD5
c4d3d83781cf2ff6267b7502d9580f84

SHA1
52e0deb1e9c50771164239fb54a20726c1d75fad

SHA256
61d122dddc5a372f01341217fd79d47fdd505b4c14a9e79506bfd6ea756f5bf2

SHA512
9cba49d80f0de4ab588f68692aa154d3e64d2b30ff98f798925580638ec27dafab652e633edbd4102951370a2ab56c142796e017ac73370a715daaa4f86af686

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
267B

MD5
38617cc3f20c1def15a3fbc64ccd38c1

SHA1
a3eb0a1b3d0a9ae78e8ff8d911c99df33f3467d6

SHA256
ee96b3bca7e263907848d174d86970624b3dfb1edb9ff99b45839957e0c822c3

SHA512
b026571af2e1cdd19129b88a1f701178fd7f43d956581bad9d2abc69a496eff86b64627fdfd8e8b6e869863b7b2e430216799aea4bf310dac1790b4fa2d28c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
781B

MD5
7fe95a59362e5a39d4d76e15fc17b285

SHA1
48da3991fda8d606676cd89d6bf4c8ebec15b659

SHA256
410a786d7b5d64a6ea0e56039a5e1082b5e870c47658bfec9a57ec133af099f5

SHA512
dcf0f14aa498d7ff871880da74dc653de52b69575719939894bdf0e3eaee8d63c475ba0d8233c4fdfa79dce9a477f64e9c6a6dd91985ff0635c649403c361eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Filesize
328B

MD5
36736c474d1088cfd73e9fd3a8c3ebbe

SHA1
87ab1caaf518e0a0d26df55e110eff0cfc726850

SHA256
f8d68e19ea4c8c64697b7f26a1bc45fd2cf21cc39dd2bdb9a06d5a7c9b8d860d

SHA512
619cde4dc4134e44be8852d6110325747805e5b32656c88c9a63ac803a8865922c3dc1974ba4bf2a5c4bee0b502c2719cfa9c74bda63598f05acea93f8a976b2

Download Submit