Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-01-2023 00:50

General

  • Target

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e.exe

  • Size

    149KB

  • MD5

    0fac315ec4746ef1c689913d24313442

  • SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

  • SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

  • SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

  • SSDEEP

    3072:pdHHCd42U7jKXznulGJ5gywZCHjWV/2IBh5wtOZ7Q:pxHN7juznxvgyiEjWVeIBh5IOW

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e.exe
    "C:\Users\Admin\AppData\Local\Temp\f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2976
      • C:\Users\Admin\AppData\Local\Temp\System\mtvdemd.exe
        "C:\Users\Admin\AppData\Local\Temp\System\mtvdemd.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4704
        • C:\Users\Admin\AppData\Local\Temp\System\hpwebregUI.exe
          "C:\Users\Admin\AppData\Local\Temp\System\hpwebregUI.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1792
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            5⤵
            • Suspicious use of SetWindowsHookEx
            PID:4228

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion
    Modify Registry (T1112): 1

  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    102B

    MD5

    355393ee7ce338212c791d6f2a1ca0e3

    SHA1

    8a383112fc6d881ecfa2d0d5dfdcea437d55fd4b

    SHA256

    a0e1021bf918b0eb199a6efa61179b7a7b4504a42b40e8606b8f10fae9c2913a

    SHA512

    163a9159c13bad41b3781e28c828f803d7ed2a0a6ebe765483b5278b445ae2881b813fd9bf7c9f83be89f4faef6efbae84922208cf8baaca878df3dcc1af6ee5

  • C:\Users\Admin\AppData\Local\Temp\System\hpwebregUI.exe
    Filesize

    149KB

    MD5

    0fac315ec4746ef1c689913d24313442

    SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

    SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

    SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

  • C:\Users\Admin\AppData\Local\Temp\System\mtvdemd.exe
    Filesize

    52KB

    MD5

    6b7c453e06409a09412d053a7bfc2bfc

    SHA1

    e85e053dfacfa64a9a9a64c517fd7bc2915c73c5

    SHA256

    fc40dc24916ebaa3c675182e3d9d8a0febc6c76ec064b94851ca48400a3f5fd0

    SHA512

    e782be26f9588b2eb1bae679631e989730b444406cbe47df4d9572e7dc56b10eb1b9b53cdd002d33523e63ac9da9019935c690773b5c682b090a57f824969644

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    149KB

    MD5

    0fac315ec4746ef1c689913d24313442

    SHA1

    e194946ac76e6b72d727a51bcbd842184c88fb3d

    SHA256

    f875336962e8a166ed871858b6f624961ff9b7f1317d5c6ad55bb2782c4c327e

    SHA512

    b9b77964d138812df7605362f0d06d5bf202a56ed9661de6178afb4dea15e2b31e096807d6387ead174d8143202aa31b3d24c3c36087989542fed0973b0f4b52

  • memory/1792-161-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB

  • memory/1792-150-0x0000000000000000-mapping.dmp
  • memory/1792-158-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB

  • memory/2256-159-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB

  • memory/2256-139-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB

  • memory/2256-133-0x0000000000000000-mapping.dmp
  • memory/2976-138-0x0000000000000000-mapping.dmp
  • memory/2976-142-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

  • memory/2976-140-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

  • memory/4228-152-0x0000000000000000-mapping.dmp
  • memory/4704-145-0x0000000000000000-mapping.dmp
  • memory/4704-148-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB

  • memory/4704-160-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB

  • memory/5056-132-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB

  • memory/5056-136-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB