Overview

overview

10

Static

static

3

1e95e087dd...37.exe

windows7-x64

10

1e95e087dd...37.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 22:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e95e087ddc336bc8cc038866c629537.exe

  • Size

    411KB

  • MD5

    1e95e087ddc336bc8cc038866c629537

  • SHA1

    68ff0f62b626aae7f11d5a1d7e2f7906cbe1a606

  • SHA256

    567b94bcdaea498b72ea3b4193d16a0eeb6807a02fefe59b9b87d0ae03d8dcd4

  • SHA512

    5e999094124243fccb6ed9f4eda9df203e527ca48c6d01126258b16c9f9b2546e6e4bb9a89db6b8e49cab71f3ec8625e42d2f3245603d0e3229df6b766ce0c15

  • SSDEEP

    12288:nPCNpaWbDrPHwfoXjRrPzD1lbMoKGRtq:Pd+8Uj5PnjbMoKD

Score
10/10
hawkeyekeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e95e087ddc336bc8cc038866c629537.exe
    "C:\Users\Admin\AppData\Local\Temp\1e95e087ddc336bc8cc038866c629537.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\AppLaunch.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1276
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            5⤵
            • Delays execution with timeout.exe
            PID:2884
      • C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
        "C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
          "C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:616
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\AppLaunch.exe
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Windows\SysWOW64\timeout.exe
                timeout 5
                7⤵
                • Delays execution with timeout.exe
                PID:1956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    70B

    MD5

    1fc3db44175a34e649103268bc279a52

    SHA1

    cfad785a1aec4a4030809c5b1aa929c4994c0d29

    SHA256

    57a89983a05c1a7feef6dc153b434c9c89d5b4786cfae1abcb2aa37853394791

    SHA512

    54fc78c2bc3f9247b8d7be3ce9f49cc839e000ed79101faae0fcc769d35b98bc8aa927a161f26ab664c3237e7b3eb254f4d2e42b0afd429bb061d61aac5ef9a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
    Filesize

    39KB

    MD5

    38abcaec6ee62213f90b1717d830a1bb

    SHA1

    d8f5849d0d3f4ccc0dfb66a9a4a0442ac66a31b9

    SHA256

    6fee9a2c70b2cc48b0812f7cb2e09497c9c90941976f430a8f8279ad3c787768

    SHA512

    77eaabcbc6f7a3835b6220d72c4b1cae82d2125ea971907e33b15ceeede7e4da0741c6e63e988bd782ed6eb72ad3cbcba10ea83919eafd9b95d612c43a735274

    Download Submit

  • C:\Users\Admin\AppData\Roaming\chrtmp
    Filesize

    92KB

    MD5

    bae565bc385845e730347df331491051

    SHA1

    5da4a3def18f75d007cee6ee334f8e36b0c377bc

    SHA256

    c6aeae82d3a49e6ce016e1f02fa93c918d50934f93847ae371816e5fdeb79dd5

    SHA512

    6e9120dca1ec8acadbccff6c99bf81ccb6e91b53019be1b5bda35fa5a5be8e18fd001fcda8f01096123d3aae1e71e0262910dad846f756c513493c92387232a2

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    411KB

    MD5

    1e95e087ddc336bc8cc038866c629537

    SHA1

    68ff0f62b626aae7f11d5a1d7e2f7906cbe1a606

    SHA256

    567b94bcdaea498b72ea3b4193d16a0eeb6807a02fefe59b9b87d0ae03d8dcd4

    SHA512

    5e999094124243fccb6ed9f4eda9df203e527ca48c6d01126258b16c9f9b2546e6e4bb9a89db6b8e49cab71f3ec8625e42d2f3245603d0e3229df6b766ce0c15

    Download Submit

  • memory/1960-82-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1960-81-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1960-63-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1960-60-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1960-57-0x0000000002010000-0x0000000002050000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2220-15-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2220-2-0x0000000002180000-0x00000000021C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2220-0-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2220-1-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2564-22-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2564-27-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2564-32-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2564-34-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2564-36-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2564-29-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2564-23-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2564-25-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2564-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2620-55-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2620-47-0x0000000000070000-0x00000000000B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2620-46-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2620-79-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2620-80-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3024-24-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3024-77-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3024-78-0x0000000000AE0000-0x0000000000B20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3024-14-0x0000000074690000-0x0000000074C3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3024-16-0x0000000000AE0000-0x0000000000B20000-memory.dmp

    Filesize

    256KB

    Download