Analysis
-
max time kernel
187s -
max time network
231s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-12-2022 22:11
General
-
Target
dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe
-
Size
257KB
-
MD5
a911bfbc1a3e58c90af3068277d897bd
-
SHA1
230a72563a253e262a64d7bbc2ef9f64c317f35b
-
SHA256
dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4
-
SHA512
0783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049
-
SSDEEP
6144:qha6zCh4avYHQA2R2rdhifyMSGL0Cv9CV+b3rT:qMhHmQAKMi0Y0CVm+bbT
Malware Config
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe"C:\Users\Admin\AppData\Local\Temp\dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Serial.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Serial.exe:*:Enabled:Windows Messanger" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Serial.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Serial.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DirectDB.exe"C:\Users\Admin\AppData\Local\Temp\DirectDB.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe5⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DirectDB.exeFilesize
257KB
MD5a911bfbc1a3e58c90af3068277d897bd
SHA1230a72563a253e262a64d7bbc2ef9f64c317f35b
SHA256dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4
SHA5120783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049
-
C:\Users\Admin\AppData\Local\Temp\DirectDB.exeFilesize
257KB
MD5a911bfbc1a3e58c90af3068277d897bd
SHA1230a72563a253e262a64d7bbc2ef9f64c317f35b
SHA256dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4
SHA5120783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
102B
MD569104f0c944088ee37ca4cf4cbcc9c00
SHA13f94dc72bfeea22f624c6ecef5d6e2c17258d2b0
SHA2567f860d55082a3ff57afc71722dc912844588c505d87b477cded8a1034379d92b
SHA512827e5df941257efd902e2f3e82dd7f867c9aca97889590f12284696548957a355c5b97f92a198fff53538a4f310e80070b193de4e031783806738e6334081fbb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exeFilesize
257KB
MD5a911bfbc1a3e58c90af3068277d897bd
SHA1230a72563a253e262a64d7bbc2ef9f64c317f35b
SHA256dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4
SHA5120783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exeFilesize
257KB
MD5a911bfbc1a3e58c90af3068277d897bd
SHA1230a72563a253e262a64d7bbc2ef9f64c317f35b
SHA256dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4
SHA5120783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exeFilesize
9KB
MD5c9c4b5fd14511b6241a36a3d6437973f
SHA103d39cf5b9ade55b41fdabc25c3140ebfd444c1c
SHA256c0278b9dfa3d59f2edf3f91279676a8a8453e17dec2abddaa9805199f2217bcf
SHA51267e3a9be2072938aef452e7800d8b7991aeda01a843a4be201a4dffeea3d02c366d74d777b534dd02f0bf20c2b0459f1f4fb18e9f6a4525a4eb9b2c258190e14
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exeFilesize
9KB
MD5c9c4b5fd14511b6241a36a3d6437973f
SHA103d39cf5b9ade55b41fdabc25c3140ebfd444c1c
SHA256c0278b9dfa3d59f2edf3f91279676a8a8453e17dec2abddaa9805199f2217bcf
SHA51267e3a9be2072938aef452e7800d8b7991aeda01a843a4be201a4dffeea3d02c366d74d777b534dd02f0bf20c2b0459f1f4fb18e9f6a4525a4eb9b2c258190e14
-
\Users\Admin\AppData\Local\Temp\DirectDB.exeFilesize
257KB
MD5a911bfbc1a3e58c90af3068277d897bd
SHA1230a72563a253e262a64d7bbc2ef9f64c317f35b
SHA256dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4
SHA5120783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exeFilesize
257KB
MD5a911bfbc1a3e58c90af3068277d897bd
SHA1230a72563a253e262a64d7bbc2ef9f64c317f35b
SHA256dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4
SHA5120783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exeFilesize
9KB
MD5c9c4b5fd14511b6241a36a3d6437973f
SHA103d39cf5b9ade55b41fdabc25c3140ebfd444c1c
SHA256c0278b9dfa3d59f2edf3f91279676a8a8453e17dec2abddaa9805199f2217bcf
SHA51267e3a9be2072938aef452e7800d8b7991aeda01a843a4be201a4dffeea3d02c366d74d777b534dd02f0bf20c2b0459f1f4fb18e9f6a4525a4eb9b2c258190e14
-
memory/588-97-0x0000000000000000-mapping.dmp
-
memory/1072-94-0x0000000000000000-mapping.dmp
-
memory/1148-93-0x0000000000000000-mapping.dmp
-
memory/1348-86-0x0000000000000000-mapping.dmp
-
memory/1460-85-0x0000000000000000-mapping.dmp
-
memory/1468-95-0x0000000075000000-0x00000000755AB000-memory.dmpFilesize
5.7MB
-
memory/1468-74-0x0000000000000000-mapping.dmp
-
memory/1468-127-0x0000000075000000-0x00000000755AB000-memory.dmpFilesize
5.7MB
-
memory/1704-96-0x0000000000000000-mapping.dmp
-
memory/1716-65-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/1716-81-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/1716-80-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/1716-79-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/1716-71-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/1716-69-0x0000000000479210-mapping.dmp
-
memory/1716-68-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/1716-67-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/1716-99-0x000000000044E000-0x000000000047A000-memory.dmpFilesize
176KB
-
memory/1716-128-0x000000000044E000-0x000000000047A000-memory.dmpFilesize
176KB
-
memory/1716-64-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/1828-87-0x0000000000000000-mapping.dmp
-
memory/1896-88-0x0000000000000000-mapping.dmp
-
memory/1904-57-0x0000000000000000-mapping.dmp
-
memory/1904-62-0x0000000075000000-0x00000000755AB000-memory.dmpFilesize
5.7MB
-
memory/1904-126-0x0000000075000000-0x00000000755AB000-memory.dmpFilesize
5.7MB
-
memory/1920-105-0x0000000000000000-mapping.dmp
-
memory/1920-125-0x0000000075000000-0x00000000755AB000-memory.dmpFilesize
5.7MB
-
memory/1920-129-0x0000000075000000-0x00000000755AB000-memory.dmpFilesize
5.7MB
-
memory/1928-113-0x0000000000479210-mapping.dmp
-
memory/1928-124-0x000000000044E000-0x000000000047A000-memory.dmpFilesize
176KB
-
memory/1976-61-0x0000000075000000-0x00000000755AB000-memory.dmpFilesize
5.7MB
-
memory/1976-55-0x0000000075000000-0x00000000755AB000-memory.dmpFilesize
5.7MB
-
memory/1976-54-0x0000000076831000-0x0000000076833000-memory.dmpFilesize
8KB