Analysis
-
max time kernel
153s -
max time network
191s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
04-12-2022 22:59
General
-
Target
9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe
-
Size
220KB
-
MD5
2b8767529bdf678f3b6adb26da46f393
-
SHA1
d375c1af8dda778fbfb2898447838ffe245a9f8d
-
SHA256
9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
-
SHA512
57bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
SSDEEP
6144:vU5B0NZ2oFsETmEY83TN5ZZDbDBH+RBE0/F:QOtFsoVYAjmhF
Malware Config
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Modifies firewall policy service 2 TTPs 10 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe"C:\Users\Admin\AppData\Local\Temp\9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe:*:Enabled:Windows Messanger" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\System\lsam.exe"C:\Users\Admin\AppData\Local\Temp\System\lsam.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe5⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
102B
MD5029a6f5aa81356b56a20e48e3a8b0000
SHA1f991d6237acc68b0d8332409071ac63b602298ca
SHA256177871646137e558b8746ee66f634f7d29a56112dbbcb4eed8bba87136b08568
SHA5129d0d1aa7244cc8ba54ada413ce54e03e3d128b59fb7c80d7518c5d1944e870e9d666a418d8656ca703ee88059c05c70aa9845b38b5a536025e091681c6f1d780
-
C:\Users\Admin\AppData\Local\Temp\System\lsam.exeFilesize
25KB
MD539b9e0ce01f0a0b715241051b26f765b
SHA1e64bef34105060532a57ad4d1bc0a91e0f1413d1
SHA2568a1774770a9d2d651e01c38cff95cbe2014cf0fa09fc7c8d69bd96b9e2e443a4
SHA5123c79f33e9ac36d6911320929ea591387ba532ad872667bc2d76551cc5260772d8e7db6528ac11fbfa013c3cd8c3c1506c3cb35402122ebbcbd34a2ee726261e4
-
C:\Users\Admin\AppData\Local\Temp\System\lsam.exeFilesize
25KB
MD539b9e0ce01f0a0b715241051b26f765b
SHA1e64bef34105060532a57ad4d1bc0a91e0f1413d1
SHA2568a1774770a9d2d651e01c38cff95cbe2014cf0fa09fc7c8d69bd96b9e2e443a4
SHA5123c79f33e9ac36d6911320929ea591387ba532ad872667bc2d76551cc5260772d8e7db6528ac11fbfa013c3cd8c3c1506c3cb35402122ebbcbd34a2ee726261e4
-
C:\Users\Admin\AppData\Local\Temp\System\spolsv.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
C:\Users\Admin\AppData\Local\Temp\System\spolsv.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exeFilesize
220KB
MD52b8767529bdf678f3b6adb26da46f393
SHA1d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA2569f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA51257bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
-
memory/1284-153-0x0000000000000000-mapping.dmp
-
memory/1380-143-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1380-141-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1380-144-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1380-145-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1380-140-0x0000000000000000-mapping.dmp
-
memory/1424-159-0x0000000000000000-mapping.dmp
-
memory/2080-137-0x0000000074FF0000-0x00000000755A1000-memory.dmpFilesize
5.7MB
-
memory/2080-133-0x0000000074FF0000-0x00000000755A1000-memory.dmpFilesize
5.7MB
-
memory/2080-132-0x0000000074FF0000-0x00000000755A1000-memory.dmpFilesize
5.7MB
-
memory/2140-173-0x0000000074FF0000-0x00000000755A1000-memory.dmpFilesize
5.7MB
-
memory/2140-162-0x0000000000000000-mapping.dmp
-
memory/2140-176-0x0000000074FF0000-0x00000000755A1000-memory.dmpFilesize
5.7MB
-
memory/2216-158-0x0000000000000000-mapping.dmp
-
memory/2312-157-0x0000000000000000-mapping.dmp
-
memory/2380-156-0x0000000000000000-mapping.dmp
-
memory/2420-161-0x0000000074FF0000-0x00000000755A1000-memory.dmpFilesize
5.7MB
-
memory/2420-149-0x0000000000000000-mapping.dmp
-
memory/2420-175-0x0000000074FF0000-0x00000000755A1000-memory.dmpFilesize
5.7MB
-
memory/3988-154-0x0000000000000000-mapping.dmp
-
memory/4152-155-0x0000000000000000-mapping.dmp
-
memory/4268-152-0x0000000000000000-mapping.dmp
-
memory/4500-139-0x0000000074FF0000-0x00000000755A1000-memory.dmpFilesize
5.7MB
-
memory/4500-174-0x0000000074FF0000-0x00000000755A1000-memory.dmpFilesize
5.7MB
-
memory/4500-134-0x0000000000000000-mapping.dmp
-
memory/5068-164-0x0000000000000000-mapping.dmp