Analysis Overview
SHA256
376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf
Threat Level: Known bad
The file 376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf was found to be: Known bad.
Malicious Activity Summary
HawkEye Reborn
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-25 23:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-25 23:21
Reported
2022-06-26 01:13
Platform
win7-20220414-en
Max time kernel
85s
Max time network
90s
Command Line
Signatures
HawkEye Reborn
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2024 set thread context of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe | C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe
"C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe"
C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe
"C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 400
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/2024-54-0x0000000075381000-0x0000000075383000-memory.dmp
memory/2024-55-0x00000000746C0000-0x0000000074C6B000-memory.dmp
memory/2024-56-0x00000000746C0000-0x0000000074C6B000-memory.dmp
memory/1676-57-0x0000000000080000-0x0000000000110000-memory.dmp
memory/1676-58-0x0000000000080000-0x0000000000110000-memory.dmp
memory/1676-60-0x0000000000080000-0x0000000000110000-memory.dmp
memory/1676-61-0x0000000000080000-0x0000000000110000-memory.dmp
memory/1676-63-0x000000000048B2BE-mapping.dmp
memory/1676-65-0x0000000000080000-0x0000000000110000-memory.dmp
memory/2024-66-0x00000000746C0000-0x0000000074C6B000-memory.dmp
memory/1676-64-0x0000000000080000-0x0000000000110000-memory.dmp
memory/1676-70-0x0000000000080000-0x0000000000110000-memory.dmp
memory/1676-73-0x0000000000080000-0x0000000000110000-memory.dmp
memory/1676-75-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1372-76-0x0000000000000000-mapping.dmp
memory/1676-78-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1676-79-0x0000000074110000-0x00000000746BB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-25 23:21
Reported
2022-06-26 01:13
Platform
win10v2004-20220414-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
HawkEye Reborn
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3148 set thread context of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe | C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe
"C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe"
C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe
"C:\Users\Admin\AppData\Local\Temp\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 52.109.12.18:443 | | tcp |
| US | 20.189.173.10:443 | | tcp |
| DE | 67.24.27.254:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/3148-130-0x0000000074660000-0x0000000074C11000-memory.dmp
memory/3148-131-0x0000000074660000-0x0000000074C11000-memory.dmp
memory/2476-132-0x0000000000000000-mapping.dmp
memory/2476-133-0x0000000000400000-0x0000000000490000-memory.dmp
memory/3148-134-0x0000000074660000-0x0000000074C11000-memory.dmp
memory/2476-135-0x0000000074660000-0x0000000074C11000-memory.dmp
memory/2476-136-0x0000000074660000-0x0000000074C11000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\376db80f0b170cada6cf77f75d771181ab54be58862497501f1ad8287426c7bf.exe.log
| Hash | Value |
|---|---|
| MD5 | bb02d2315b8c3d46390cc8852c350909 |
| SHA1 | c7eb57165fb7be0cec9a282a56449d35a3e39a53 |
| SHA256 | 6b04fbf03b5064dc32c8cbc7e5f125339ca297622487ed4269da381fa50b7290 |
| SHA512 | e395ec8866c9ba864bd59bfb84a88538a053740d66e2fa83926597b2e4b357a55f794c5b39c5ae43353f4debc865ec6b4c60494da32a10e643582b6ae130d080 |
memory/2476-138-0x0000000074660000-0x0000000074C11000-memory.dmp