Malware Analysis Report

2024-09-22 11:40

Sample ID 231225-fnt5habegn
Target 06914834645d9ab3058300de4c756954
SHA256 50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67
Tags: hawkeye keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67

Threat Level: Known bad

The file 06914834645d9ab3058300de4c756954 was found to be: Known bad.

Malicious Activity Summary

hawkeye keylogger persistence spyware stealer trojan

HawkEye

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2023-12-25 05:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-25 05:01
Reported: 2023-12-25 15:05
Platform: win7-20231215-en
Max time kernel: 153s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lsn.exe" C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2220 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2220 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2220 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2348 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
PID 2348 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
PID 2348 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
PID 2348 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
PID 3032 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
PID 3032 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
PID 3032 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
PID 3032 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 1944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe

"C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe

"C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"

C:\Users\Admin\AppData\Local\Temp\System\lsn.exe

"C:\Users\Admin\AppData\Local\Temp\System\lsn.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 freefoodnetwork.servegame.com udp

Files

memory/2220-0-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/2220-1-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/2220-2-0x0000000000950000-0x0000000000990000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 3f41264c4acf80c5c1a1b6a6fb62b3ef
SHA1 3afb0a9cee1a39418292a269eedd3542d068f3a3
SHA256 92950026a361fe1ea6c5295473c4c5e833a257df68ff538a6102d58ba23119d1
SHA512 4287c73f45ea514b06fcf7d9888fcd9a6ccfc2a8829466ae75191bde1cbf9ed37e8ad7c6493580527c92a0fbaf5e4f09ae2151c999544f8f22d7145a2ad5e0ed

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 06914834645d9ab3058300de4c756954
SHA1 437546390ab6be7ab887e82148ba8b923bedd844
SHA256 50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67
SHA512 08869a715d99a8034ee9e473c0c56f8fa4d35afbb67467a4d27ffd9d34f7d32f87a2b1f1141657ce7de27888fdca477af3d4756d6e5799d5dd27b5acbe2ff953

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 56b0bbf1fc0cad5a233c187f01fbff3c
SHA1 8e173dc24e8434092719d885fb843f24d9a90995
SHA256 ad238b5277ea2afded38326f793422528d1f1ec545c3132da09e25bbf9529beb
SHA512 0becc7c6053484a04acfaa230e2a3c2bf38c22b82f349ff2f4d4c321dd2f76a6e8b5ac7933797c2ceb696f90f3aacdad1afd7b175f4baeef97f18681a838e0b0

memory/2348-16-0x0000000001EC0000-0x0000000001F00000-memory.dmp

memory/2348-15-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/2220-14-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/2348-17-0x0000000074710000-0x0000000074CBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 673c630c339470fb63850411fc5af025
SHA1 938da03d56e1c206abc0fb7d729855a0a877a103
SHA256 64b7ba818f2ac7e79037f57649b441d293bde5e213eae6289e1d16b753ecae70
SHA512 8f51561e75a5acc3bff8a8006fc0934b55884255b4ffd6a43b028f4d1379f74694464a614da94195b3a240abf1756a83cdb399efcef209b75ee37789743a0713

memory/2848-25-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-27-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-31-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-33-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2848-29-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-23-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-38-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-39-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-37-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-43-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-45-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-41-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2848-46-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\System\lsn.exe

MD5 0aa7e4dd12b1fc4d899bb86b0fd56233
SHA1 3bbd901ecc48959847deb145da3f3af6dc194afd
SHA256 d1267fc8e53b1cb8cda98eec93daf21ded66ba6ac9c05b0b7315444d459384e9
SHA512 2f2cd1892ab79a9dba46d1c1d848cd85ec876968b07316ccbda275b88960dc1718da7e4d433c88d0a52d2637bb5c99eda1135529f956e4a54c14f09bbc3f8e11

\Users\Admin\AppData\Local\Temp\System\spolsv.exe

MD5 f893c2f028fcf43648eb4ab2ceb7fa6d
SHA1 45330bc652686377beb835f7e226bf32cf975cc2
SHA256 03213002ae2e6bf56c6e3ef48ee4f3408cbe03ec085e61d9aefc13c8a24808c9
SHA512 77e0714112c676ba53228b114bed51aea75a5a4760ebb3afc5b340327d6e51254a4522251e7c231e0cb37b1269563b000accd8f67479a6420e9bf2f681e37a70

memory/3032-59-0x0000000074710000-0x0000000074CBB000-memory.dmp

\Users\Admin\AppData\Local\Temp\System\spolsv.exe

MD5 203ae4f45f441a8cf32aa9eefc30ddb2
SHA1 937d41359962c0713b4ca32edd1663745920a9ee
SHA256 263529aa5a76e4639b97d89239d137be325266fc0b2af0af4ef84dde6d29f738
SHA512 a51b2284645303fe8857473b1c79628df7c001eb02e8bc0b5e8d1b9fb4ae4a43f0ce5fc325c3dceb769a696d8f61f0fb7ba40f353295dbafa361273edbccd90b

memory/1944-60-0x0000000074710000-0x0000000074CBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe

MD5 8b0868b468388f351d5dd7bedda16e27
SHA1 cecbbd1eaf2af57a4b929d48f8eb8bc18971e4b1
SHA256 f77416f53850295b72f511c386b5c8691836e5ade378e425c33bf147ee499d78
SHA512 32a83ddb4cab5fdbc2b9fd5e2017607aee34711e7fadd93024ad19af092589ebb52cdbed074ace71e92d2599754fa18103be950228949832e4680fcf4acff525

memory/1944-62-0x0000000074710000-0x0000000074CBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe

MD5 8f783b69cb94d3d4b7aafb8c528fdfa4
SHA1 2fce87e54d1c4b4d4d723ac042b758f1933b6ca0
SHA256 4d0bcd0aaeb7ac87395b45be79514b67ed217d1a3d2b670b44b0c0b88fe48303
SHA512 79443e8c68425a01c44f94d1cb65813566ea79a24534e307e87be19a1d943d38b1d53896b379e3cdcf06d5c9fddfb47dfbe9b5fb1fd995aed7cd2a65c11eb518

memory/3032-54-0x00000000001E0000-0x0000000000220000-memory.dmp

memory/3032-53-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/2916-84-0x0000000000401000-0x0000000000456000-memory.dmp

memory/2348-85-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/2348-86-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/2848-87-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3032-88-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/3032-89-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/1944-91-0x00000000004A0000-0x00000000004E0000-memory.dmp

memory/1944-92-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/3032-90-0x00000000001E0000-0x0000000000220000-memory.dmp

memory/1944-93-0x0000000074710000-0x0000000074CBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-25 05:01
Reported: 2023-12-25 15:06
Platform: win10v2004-20231215-en
Max time kernel: 2s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lsn.exe" C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 448 set thread context of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2180 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2180 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 448 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
PID 448 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
PID 448 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\lsn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe

"C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe

"C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"

C:\Users\Admin\AppData\Local\Temp\System\lsn.exe

"C:\Users\Admin\AppData\Local\Temp\System\lsn.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
NL 20.31.169.57:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp

Files

memory/2180-1-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

memory/2180-2-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/2180-0-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/2180-13-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/448-16-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/448-15-0x00000000007D0000-0x00000000007E0000-memory.dmp

memory/448-14-0x0000000074670000-0x0000000074C21000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 a776602c547de286306369097501bffa
SHA1 b20f91c6beea8d7be221d05f3f5aa5e068951e2d
SHA256 793fa9af44b51ff4a9cbfb90f612f04b0568ca940ef99b22ae50dd51412c24a2
SHA512 e311bc651de20a6b3179a32d8c699c520774a119d0a495b10a12b8866b9e6dbe74232fec327cdc5a32936a711a3c953ea8d4fa9f37620913072809cd3d492d46

memory/1352-23-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1352-24-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1352-25-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1352-22-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4536-38-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/4536-37-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

memory/2340-41-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/2340-43-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/4536-36-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/448-47-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/448-48-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/4536-50-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

memory/4536-49-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/4536-51-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/2340-53-0x0000000001520000-0x0000000001530000-memory.dmp

memory/2340-52-0x0000000074670000-0x0000000074C21000-memory.dmp