Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
04-12-2022 22:59
General
-
Target
9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe
-
Size
220KB
-
MD5
2b8767529bdf678f3b6adb26da46f393
-
SHA1
d375c1af8dda778fbfb2898447838ffe245a9f8d
-
SHA256
9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
-
SHA512
57bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
SSDEEP
6144:vU5B0NZ2oFsETmEY83TN5ZZDbDBH+RBE0/F:QOtFsoVYAjmhF
Malware Config
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe"C:\Users\Admin\AppData\Local\Temp\9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe:*:Enabled:Windows Messanger" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
-
C:\Users\Admin\AppData\Local\Temp\System\lsam.exe"C:\Users\Admin\AppData\Local\Temp\System\lsam.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f1⤵
- Modifies firewall policy service
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
102B
MD5029a6f5aa81356b56a20e48e3a8b0000
SHA1f991d6237acc68b0d8332409071ac63b602298ca
SHA256177871646137e558b8746ee66f634f7d29a56112dbbcb4eed8bba87136b08568
SHA5129d0d1aa7244cc8ba54ada413ce54e03e3d128b59fb7c80d7518c5d1944e870e9d666a418d8656ca703ee88059c05c70aa9845b38b5a536025e091681c6f1d780
-
C:\Users\Admin\AppData\Local\Temp\System\lsam.exeFilesize
25KB
MD539b9e0ce01f0a0b715241051b26f765b
SHA1e64bef34105060532a57ad4d1bc0a91e0f1413d1
SHA2568a1774770a9d2d651e01c38cff95cbe2014cf0fa09fc7c8d69bd96b9e2e443a4
SHA5123c79f33e9ac36d6911320929ea591387ba532ad872667bc2d76551cc5260772d8e7db6528ac11fbfa013c3cd8c3c1506c3cb35402122ebbcbd34a2ee726261e4
-
C:\Users\Admin\AppData\Local\Temp\System\lsam.exeFilesize
25KB
MD539b9e0ce01f0a0b715241051b26f765b
SHA1e64bef34105060532a57ad4d1bc0a91e0f1413d1
SHA2568a1774770a9d2d651e01c38cff95cbe2014cf0fa09fc7c8d69bd96b9e2e443a4
SHA5123c79f33e9ac36d6911320929ea591387ba532ad872667bc2d76551cc5260772d8e7db6528ac11fbfa013c3cd8c3c1506c3cb35402122ebbcbd34a2ee726261e4
-
C:\Users\Admin\AppData\Local\Temp\System\spolsv.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
C:\Users\Admin\AppData\Local\Temp\System\spolsv.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
\Users\Admin\AppData\Local\Temp\System\lsam.exeFilesize
25KB
MD539b9e0ce01f0a0b715241051b26f765b
SHA1e64bef34105060532a57ad4d1bc0a91e0f1413d1
SHA2568a1774770a9d2d651e01c38cff95cbe2014cf0fa09fc7c8d69bd96b9e2e443a4
SHA5123c79f33e9ac36d6911320929ea591387ba532ad872667bc2d76551cc5260772d8e7db6528ac11fbfa013c3cd8c3c1506c3cb35402122ebbcbd34a2ee726261e4
-
\Users\Admin\AppData\Local\Temp\System\lsam.exeFilesize
25KB
MD539b9e0ce01f0a0b715241051b26f765b
SHA1e64bef34105060532a57ad4d1bc0a91e0f1413d1
SHA2568a1774770a9d2d651e01c38cff95cbe2014cf0fa09fc7c8d69bd96b9e2e443a4
SHA5123c79f33e9ac36d6911320929ea591387ba532ad872667bc2d76551cc5260772d8e7db6528ac11fbfa013c3cd8c3c1506c3cb35402122ebbcbd34a2ee726261e4
-
\Users\Admin\AppData\Local\Temp\System\spolsv.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
\Users\Admin\AppData\Local\Temp\System\spolsv.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
memory/832-64-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/832-65-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/832-72-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/832-75-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/832-76-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/832-77-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/832-130-0x0000000000449000-0x0000000000472000-memory.dmpFilesize
164KB
-
memory/832-126-0x0000000000449000-0x0000000000472000-memory.dmpFilesize
164KB
-
memory/832-69-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/832-68-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/832-70-0x00000000004710F0-mapping.dmp
-
memory/840-104-0x0000000000000000-mapping.dmp
-
memory/968-100-0x0000000000000000-mapping.dmp
-
memory/980-131-0x00000000749D0000-0x0000000074F7B000-memory.dmpFilesize
5.7MB
-
memory/980-127-0x00000000749D0000-0x0000000074F7B000-memory.dmpFilesize
5.7MB
-
memory/980-86-0x0000000000000000-mapping.dmp
-
memory/988-125-0x0000000000449000-0x0000000000472000-memory.dmpFilesize
164KB
-
memory/988-114-0x00000000004710F0-mapping.dmp
-
memory/1040-82-0x0000000000000000-mapping.dmp
-
memory/1128-87-0x0000000000000000-mapping.dmp
-
memory/1344-129-0x00000000749D0000-0x0000000074F7B000-memory.dmpFilesize
5.7MB
-
memory/1344-58-0x0000000000000000-mapping.dmp
-
memory/1344-66-0x00000000749D0000-0x0000000074F7B000-memory.dmpFilesize
5.7MB
-
memory/1504-101-0x0000000000000000-mapping.dmp
-
memory/1524-81-0x0000000000000000-mapping.dmp
-
memory/1540-84-0x0000000000000000-mapping.dmp
-
memory/1720-55-0x00000000749D0000-0x0000000074F7B000-memory.dmpFilesize
5.7MB
-
memory/1720-54-0x00000000757A1000-0x00000000757A3000-memory.dmpFilesize
8KB
-
memory/1720-62-0x00000000749D0000-0x0000000074F7B000-memory.dmpFilesize
5.7MB
-
memory/1736-99-0x0000000000000000-mapping.dmp
-
memory/1860-128-0x00000000749D0000-0x0000000074F7B000-memory.dmpFilesize
5.7MB
-
memory/1860-98-0x0000000000000000-mapping.dmp
-
memory/1860-132-0x00000000749D0000-0x0000000074F7B000-memory.dmpFilesize
5.7MB