Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-01-2023 15:37

General

  • Target
    HawkEye.exe
  • Size
    232KB
  • MD5
    60fabd1a2509b59831876d5e2aa71a6b
  • SHA1
    8b91f3c4f721cb04cc4974fc91056f397ae78faa
  • SHA256
    1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
  • SHA512
    3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
  • SSDEEP
    3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi

Malware Config

Signatures

  • Chimera 64 IoCs

    Ransomware which infects local and network files, often distributed via Dropbox links.

  • Chimera Ransomware Loader DLL 1 IoCs

    Drops/unpacks executable file which resembles Chimera's Loader.dll.

  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 37 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HawkEye.exe
    "C:\Users\Admin\AppData\Local\Temp\HawkEye.exe"
    1⤵
    • Chimera
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1952

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize
    61KB
    MD5
    fc4666cbca561e864e7fdf883a9e6661
    SHA1
    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
    SHA256
    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
    SHA512
    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize
    342B
    MD5
    a5484c827b56247658bec14728b7bb7e
    SHA1
    651c10f48d276144f6f6d00213ccd229cfa9eb1a
    SHA256
    5cb8a5288d4a26013b508188667b825cc8e19a059826efd26a26498543e9ab9e
    SHA512
    8420049d96275371c5b22f30dc2951f3360c1025b5915b15b2861544eb5f186aec35f1deb484f979df1612cda2290bd07185f3e162e885005815da61a288d1bb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NTHV7PNF.txt
    Filesize
    608B
    MD5
    d29257e33ee12c61dcaf9a9a6853a99c
    SHA1
    9aec0878bb076f8c3916ca9c8d989edd4bdd8be4
    SHA256
    74870b36515eb819d23730041b2eb9e18a353de1a1fb5c5883b486bce69566ae
    SHA512
    1f71da3d2890614445f0940f9c487ac5b0b1839688a146615452a64850813244f1d21f57454ee7d70cac533d42ac182277488cfc8e57e18375b5ae2cd63d6f92

  • C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML
    Filesize
    4KB
    MD5
    21967d1ee18b48113767426dec5cc634
    SHA1
    c36c1e898499e049870127d79775826570a71612
    SHA256
    8bc691eaaa8e2a992287f491b0884928ecffbc84d812f6cd30251bd937f0182b
    SHA512
    ed18a9f793d5ce25f6dd3e01b2fadda808c5d110b636fff244824de2f42506c5537dfdb88e50285381da2b31cc84606a8c28b24b6c86cf203580518f506c3634

  • memory/1264-54-0x0000000075531000-0x0000000075533000-memory.dmp
    Filesize
    8KB

  • memory/1264-55-0x0000000010000000-0x0000000010010000-memory.dmp
    Filesize
    64KB

  • memory/1264-59-0x0000000074810000-0x0000000074DBB000-memory.dmp
    Filesize
    5.7MB

  • memory/1264-60-0x0000000000567000-0x000000000057D000-memory.dmp
    Filesize
    88KB

  • memory/1264-61-0x00000000004F0000-0x000000000050A000-memory.dmp
    Filesize
    104KB

  • memory/1264-62-0x0000000074810000-0x0000000074DBB000-memory.dmp
    Filesize
    5.7MB

  • memory/1264-63-0x0000000000567000-0x000000000057D000-memory.dmp
    Filesize
    88KB

  • memory/1264-64-0x00000000004F0000-0x000000000050A000-memory.dmp
    Filesize
    104KB