Overview

overview

10

Static

static

dddc03048f...e4.exe

windows7-x64

10

dddc03048f...e4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    230s
  • max time network
    235s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2022 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe

  • Size

    257KB

  • MD5

    a911bfbc1a3e58c90af3068277d897bd

  • SHA1

    230a72563a253e262a64d7bbc2ef9f64c317f35b

  • SHA256

    dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4

  • SHA512

    0783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049

  • SSDEEP

    6144:qha6zCh4avYHQA2R2rdhifyMSGL0Cv9CV+b3rT:qMhHmQAKMi0Y0CVm+bbT

Score
10/10
hawkeyeevasionkeyloggerpersistencespywarestealertrojanupx

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Modifies firewall policy service 2 TTPs 10 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe
    "C:\Users\Admin\AppData\Local\Temp\dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2092
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:4872
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4676
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:4816
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4132
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:4456
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Serial.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Serial.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4112
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Serial.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Serial.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:3908
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3868
        • C:\Users\Admin\AppData\Local\Temp\DirectDB.exe
          "C:\Users\Admin\AppData\Local\Temp\DirectDB.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3988
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            5⤵
            • Suspicious use of SetWindowsHookEx
            PID:3472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DirectDB.exe
    Filesize

    257KB

    MD5

    a911bfbc1a3e58c90af3068277d897bd

    SHA1

    230a72563a253e262a64d7bbc2ef9f64c317f35b

    SHA256

    dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4

    SHA512

    0783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\DirectDB.exe
    Filesize

    257KB

    MD5

    a911bfbc1a3e58c90af3068277d897bd

    SHA1

    230a72563a253e262a64d7bbc2ef9f64c317f35b

    SHA256

    dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4

    SHA512

    0783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    102B

    MD5

    69104f0c944088ee37ca4cf4cbcc9c00

    SHA1

    3f94dc72bfeea22f624c6ecef5d6e2c17258d2b0

    SHA256

    7f860d55082a3ff57afc71722dc912844588c505d87b477cded8a1034379d92b

    SHA512

    827e5df941257efd902e2f3e82dd7f867c9aca97889590f12284696548957a355c5b97f92a198fff53538a4f310e80070b193de4e031783806738e6334081fbb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    257KB

    MD5

    a911bfbc1a3e58c90af3068277d897bd

    SHA1

    230a72563a253e262a64d7bbc2ef9f64c317f35b

    SHA256

    dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4

    SHA512

    0783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    257KB

    MD5

    a911bfbc1a3e58c90af3068277d897bd

    SHA1

    230a72563a253e262a64d7bbc2ef9f64c317f35b

    SHA256

    dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4

    SHA512

    0783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe
    Filesize

    9KB

    MD5

    c9c4b5fd14511b6241a36a3d6437973f

    SHA1

    03d39cf5b9ade55b41fdabc25c3140ebfd444c1c

    SHA256

    c0278b9dfa3d59f2edf3f91279676a8a8453e17dec2abddaa9805199f2217bcf

    SHA512

    67e3a9be2072938aef452e7800d8b7991aeda01a843a4be201a4dffeea3d02c366d74d777b534dd02f0bf20c2b0459f1f4fb18e9f6a4525a4eb9b2c258190e14

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe
    Filesize

    9KB

    MD5

    c9c4b5fd14511b6241a36a3d6437973f

    SHA1

    03d39cf5b9ade55b41fdabc25c3140ebfd444c1c

    SHA256

    c0278b9dfa3d59f2edf3f91279676a8a8453e17dec2abddaa9805199f2217bcf

    SHA512

    67e3a9be2072938aef452e7800d8b7991aeda01a843a4be201a4dffeea3d02c366d74d777b534dd02f0bf20c2b0459f1f4fb18e9f6a4525a4eb9b2c258190e14

    Download Submit
  • memory/1584-144-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1584-140-0x0000000000000000-mapping.dmp
    Download
  • memory/1584-141-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1584-143-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1584-145-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/2092-152-0x0000000000000000-mapping.dmp
    Download
  • memory/3472-165-0x0000000000000000-mapping.dmp
    Download
  • memory/3868-174-0x0000000074E10000-0x00000000753C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3868-147-0x0000000000000000-mapping.dmp
    Download
  • memory/3868-156-0x0000000074E10000-0x00000000753C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3908-160-0x0000000000000000-mapping.dmp
    Download
  • memory/3924-139-0x0000000074E10000-0x00000000753C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3924-137-0x0000000074E10000-0x00000000753C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3924-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3988-175-0x0000000074E10000-0x00000000753C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3988-162-0x0000000000000000-mapping.dmp
    Download
  • memory/3988-164-0x0000000074E10000-0x00000000753C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4112-155-0x0000000000000000-mapping.dmp
    Download
  • memory/4132-154-0x0000000000000000-mapping.dmp
    Download
  • memory/4456-159-0x0000000000000000-mapping.dmp
    Download
  • memory/4676-153-0x0000000000000000-mapping.dmp
    Download
  • memory/4804-136-0x0000000074E10000-0x00000000753C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4804-132-0x0000000074E10000-0x00000000753C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4816-157-0x0000000000000000-mapping.dmp
    Download
  • memory/4872-158-0x0000000000000000-mapping.dmp
    Download