hawkeye | d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd

General

Target

d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe
Size

17KB
MD5

c6ef22d341307db526ba8f5fe2a00d12
SHA1

915e592739f6561fa871d0754f12a3a3d50153ee
SHA256

d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd
SHA512

5b34ff33b0c42e0b6fd3eeeeca7accf44b2b4bd71b834a047fcccb321413b046b93db335da6c4b626fae352ff40e6219aa1adcce871f80dd0a06d59ff1340bd0

Score

10^/10

hawkeye nworm downloader keylogger spyware stealer trojan worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

win32update.duckdns.org:5553

xmrdjo.duckdns.org:5553

Mutex

4f9c371b

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm

Executes dropped EXE 1 IoCs

Processes:

Windowsupdate.exe

pid	Process
756	Windowsupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
1316	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1764	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe

description	pid	Process
Token: SeDebugPrivilege	888	d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.execmd.exe

description	pid	Process	procid_target
PID 888 wrote to memory of 1316	888	d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe	27
PID 888 wrote to memory of 1316	888	d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe	27
PID 888 wrote to memory of 1316	888	d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe	27
PID 888 wrote to memory of 1116	888	d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe	29
PID 888 wrote to memory of 1116	888	d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe	29
PID 888 wrote to memory of 1116	888	d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe	29
PID 1116 wrote to memory of 1764	1116	cmd.exe	31
PID 1116 wrote to memory of 1764	1116	cmd.exe	31
PID 1116 wrote to memory of 1764	1116	cmd.exe	31
PID 1116 wrote to memory of 756	1116	cmd.exe	32
PID 1116 wrote to memory of 756	1116	cmd.exe	32
PID 1116 wrote to memory of 756	1116	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe
"C:\Users\Admin\AppData\Local\Temp\d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Windowsupdate.exe"' /tr "'C:\Users\Admin\AppData\Roaming\Windowsupdate.exe"'
  2⤵
  - Creates scheduled task(s)
  PID:1316
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp89BA.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1764
- - C:\Users\Admin\AppData\Roaming\Windowsupdate.exe
    "C:\Users\Admin\AppData\Roaming\Windowsupdate.exe"
    3⤵
    - Executes dropped EXE
    PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp89BA.tmp.bat

Filesize
89B

MD5
033673bbc9f9098fa6038b35caf5e481

SHA1
6de43698c050a0a2145d74a490c2126b335a66da

SHA256
206c5a70961c6cc66645a936992b4bdec32a77afb3d85495e90a27fa5f018b5c

SHA512
baca957fd5bc67679d14b54c30db490dbf0964e7854d658e2f5510ac4bbdaa2b13f324ce82f7191ac02cf847a381cc4c29c199cb0a4ddb0a76d8cb4531cc0e70

Download Submit
C:\Users\Admin\AppData\Roaming\Windowsupdate.exe

Filesize
47.7MB

MD5
df4cc6a6deff50ad67716b9a6c4cbb4a

SHA1
f793e8ad154838eff970f44b0d1dc189d6ebc207

SHA256
e3d98d06667e487fd69fb93f3ce988e389fa332e4db657474852f0d75b225630

SHA512
1d4b2e05aaa0d17ec75187db0175b0afb391b7dc8f175cf394a469ebfabb0ad6fda9758ea05bcd54316efdd835676253d2b830d0f0bee612df78a1d230d11b72

Download Submit
C:\Users\Admin\AppData\Roaming\Windowsupdate.exe

Filesize
47.7MB

MD5
df4cc6a6deff50ad67716b9a6c4cbb4a

SHA1
f793e8ad154838eff970f44b0d1dc189d6ebc207

SHA256
e3d98d06667e487fd69fb93f3ce988e389fa332e4db657474852f0d75b225630

SHA512
1d4b2e05aaa0d17ec75187db0175b0afb391b7dc8f175cf394a469ebfabb0ad6fda9758ea05bcd54316efdd835676253d2b830d0f0bee612df78a1d230d11b72

Download Submit
memory/756-60-0x0000000000000000-mapping.dmp

Download
memory/756-63-0x0000000000F90000-0x0000000000F9A000-memory.dmp

Filesize
40KB

Download
memory/888-54-0x0000000001240000-0x000000000124A000-memory.dmp

Filesize
40KB

Download
memory/888-55-0x000007FEFBB91000-0x000007FEFBB93000-memory.dmp

Filesize
8KB

Download
memory/1116-57-0x0000000000000000-mapping.dmp

Download
memory/1316-56-0x0000000000000000-mapping.dmp

Download
memory/1764-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads