Analysis

  • max time kernel
    164s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 13:27

General

  • Target

    0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe

  • Size

    561KB

  • MD5

    e2edbdf4559a85cd198c10814871a6bc

  • SHA1

    6fdc576b9a9bedf6c7ce20e827ca1a93f1267d55

  • SHA256

    0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda

  • SHA512

    a99ddb12fa68d785a5e3b176fd74b0ebb3db6f9a7a6635e26a344315724a277474e79cd84a913b2e29f3b7fe6db4323b1a0c5de5cafe43850469ba4d3d1b81ea

  • SSDEEP

    12288:DHkGcrDdXoIu8YVlGxYl/5ozNfCOQgeYSSZiCJBp:7RciIu8YVlSe/5ozNmYSqi+p

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe
    "C:\Users\Admin\AppData\Local\Temp\0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Users\Admin\AppData\Roaming\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4744

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    102B

    MD5

    2604d7ffddc312ead7c9c41be977afe8

    SHA1

    c7c7658bd8d4da6a3737d5bfaa4607d22ec44e53

    SHA256

    32d557da5c5805f32d343689da4fdadadc887c6a95e1a099883ce9694d501c49

    SHA512

    2812c90efb8305df394b8771fb95bec938893726192aa25272dc5afb6ec2d2ab2c5eb087da26130c2740db9f6890469392f1f55639a2624179b0c97e01981c1b

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Filesize

    561KB

    MD5

    e2edbdf4559a85cd198c10814871a6bc

    SHA1

    6fdc576b9a9bedf6c7ce20e827ca1a93f1267d55

    SHA256

    0e950eca49ee16e2629dca650b34f35a021dc9a56772e084cc9c8ff2754dfdda

    SHA512

    a99ddb12fa68d785a5e3b176fd74b0ebb3db6f9a7a6635e26a344315724a277474e79cd84a913b2e29f3b7fe6db4323b1a0c5de5cafe43850469ba4d3d1b81ea

  • memory/1072-132-0x0000000074AE0000-0x0000000075091000-memory.dmp
    Filesize

    5.7MB

  • memory/1072-133-0x0000000074AE0000-0x0000000075091000-memory.dmp
    Filesize

    5.7MB

  • memory/1072-138-0x0000000074AE0000-0x0000000075091000-memory.dmp
    Filesize

    5.7MB

  • memory/4744-134-0x0000000000000000-mapping.dmp
  • memory/4744-137-0x0000000074AE0000-0x0000000075091000-memory.dmp
    Filesize

    5.7MB

  • memory/4744-139-0x0000000074AE0000-0x0000000075091000-memory.dmp
    Filesize

    5.7MB