Overview

overview

10

Static

static

f875336962...7e.exe

windows7-x64

10

f875336962...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    30-01-2023 00:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e.exe

  • Size

    149KB

  • MD5

    0fac315ec4746ef1c689913d24313442

  • SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

  • SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

  • SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

  • SSDEEP

    3072:pdHHCd42U7jKXznulGJ5gywZCHjWV/2IBh5wtOZ7Q:pxHN7juznxvgyiEjWVeIBh5IOW

Score
10/10
hawkeyekeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e.exe
    "C:\Users\Admin\AppData\Local\Temp\f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:540
      • C:\Users\Admin\AppData\Local\Temp\System\mtvdemd.exe
        "C:\Users\Admin\AppData\Local\Temp\System\mtvdemd.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Users\Admin\AppData\Local\Temp\System\hpwebregUI.exe
          "C:\Users\Admin\AppData\Local\Temp\System\hpwebregUI.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            5⤵
            • Suspicious use of SetWindowsHookEx
            PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    102B

    MD5

    355393ee7ce338212c791d6f2a1ca0e3

    SHA1

    8a383112fc6d881ecfa2d0d5dfdcea437d55fd4b

    SHA256

    a0e1021bf918b0eb199a6efa61179b7a7b4504a42b40e8606b8f10fae9c2913a

    SHA512

    163a9159c13bad41b3781e28c828f803d7ed2a0a6ebe765483b5278b445ae2881b813fd9bf7c9f83be89f4faef6efbae84922208cf8baaca878df3dcc1af6ee5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\System\hpwebregUI.exe
    Filesize

    149KB

    MD5

    0fac315ec4746ef1c689913d24313442

    SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

    SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

    SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\System\hpwebregUI.exe
    Filesize

    149KB

    MD5

    0fac315ec4746ef1c689913d24313442

    SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

    SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

    SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\System\mtvdemd.exe
    Filesize

    52KB

    MD5

    6b7c453e06409a09412d053a7bfc2bfc

    SHA1

    e85e053dfacfa64a9a9a64c517fd7bc2915c73c5

    SHA256

    fc40dc24916ebaa3c675182e3d9d8a0febc6c76ec064b94851ca48400a3f5fd0

    SHA512

    e782be26f9588b2eb1bae679631e989730b444406cbe47df4d9572e7dc56b10eb1b9b53cdd002d33523e63ac9da9019935c690773b5c682b090a57f824969644

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\System\mtvdemd.exe
    Filesize

    52KB

    MD5

    6b7c453e06409a09412d053a7bfc2bfc

    SHA1

    e85e053dfacfa64a9a9a64c517fd7bc2915c73c5

    SHA256

    fc40dc24916ebaa3c675182e3d9d8a0febc6c76ec064b94851ca48400a3f5fd0

    SHA512

    e782be26f9588b2eb1bae679631e989730b444406cbe47df4d9572e7dc56b10eb1b9b53cdd002d33523e63ac9da9019935c690773b5c682b090a57f824969644

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    149KB

    MD5

    0fac315ec4746ef1c689913d24313442

    SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

    SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

    SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    149KB

    MD5

    0fac315ec4746ef1c689913d24313442

    SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

    SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

    SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

    Download Submit
  • \Users\Admin\AppData\Local\Temp\System\hpwebregUI.exe
    Filesize

    149KB

    MD5

    0fac315ec4746ef1c689913d24313442

    SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

    SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

    SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

    Download Submit
  • \Users\Admin\AppData\Local\Temp\System\hpwebregUI.exe
    Filesize

    149KB

    MD5

    0fac315ec4746ef1c689913d24313442

    SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

    SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

    SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

    Download Submit
  • \Users\Admin\AppData\Local\Temp\System\mtvdemd.exe
    Filesize

    52KB

    MD5

    6b7c453e06409a09412d053a7bfc2bfc

    SHA1

    e85e053dfacfa64a9a9a64c517fd7bc2915c73c5

    SHA256

    fc40dc24916ebaa3c675182e3d9d8a0febc6c76ec064b94851ca48400a3f5fd0

    SHA512

    e782be26f9588b2eb1bae679631e989730b444406cbe47df4d9572e7dc56b10eb1b9b53cdd002d33523e63ac9da9019935c690773b5c682b090a57f824969644

    Download Submit
  • \Users\Admin\AppData\Local\Temp\System\mtvdemd.exe
    Filesize

    52KB

    MD5

    6b7c453e06409a09412d053a7bfc2bfc

    SHA1

    e85e053dfacfa64a9a9a64c517fd7bc2915c73c5

    SHA256

    fc40dc24916ebaa3c675182e3d9d8a0febc6c76ec064b94851ca48400a3f5fd0

    SHA512

    e782be26f9588b2eb1bae679631e989730b444406cbe47df4d9572e7dc56b10eb1b9b53cdd002d33523e63ac9da9019935c690773b5c682b090a57f824969644

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    149KB

    MD5

    0fac315ec4746ef1c689913d24313442

    SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

    SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

    SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    149KB

    MD5

    0fac315ec4746ef1c689913d24313442

    SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

    SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

    SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

    Download Submit
  • memory/540-72-0x0000000000401748-mapping.dmp
    Download
  • memory/540-65-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/540-71-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/540-66-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/540-68-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/540-90-0x0000000000401000-0x000000000040B000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1344-108-0x0000000074180000-0x000000007472B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1344-87-0x0000000000000000-mapping.dmp
    Download
  • memory/1344-96-0x0000000074180000-0x000000007472B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1516-93-0x0000000074180000-0x000000007472B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1516-80-0x0000000000000000-mapping.dmp
    Download
  • memory/1516-107-0x0000000074180000-0x000000007472B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1660-100-0x0000000000401748-mapping.dmp
    Download
  • memory/1692-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1692-106-0x0000000074180000-0x000000007472B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1692-63-0x0000000074180000-0x000000007472B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1760-55-0x0000000074180000-0x000000007472B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1760-62-0x0000000074180000-0x000000007472B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1760-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp
    Filesize

    8KB

    Download