Malware Analysis Report

2024-09-22 11:23

Sample ID 231230-g11cqadcg8
Target 10da92002327ad6a43757698a6e56197
SHA256 20a7268f2f15cad9e938de16f11beabef087f42aa09ea94682dbde710ada5403
Tags
hawkeye keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

20a7268f2f15cad9e938de16f11beabef087f42aa09ea94682dbde710ada5403

Threat Level: Known bad

The file 10da92002327ad6a43757698a6e56197 was found to be: Known bad.

Malicious Activity Summary

hawkeye keylogger persistence spyware stealer trojan

HawkEye

Adds Run key to start application

Unsigned PE

Checks processor information in registry

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-12-30 06:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 06:17

Reported

2024-01-01 04:27

Platform

win7-20231215-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10da92002327ad6a43757698a6e56197.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Local\Temp\10da92002327ad6a43757698a6e56197.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\10da92002327ad6a43757698a6e56197.exe

"C:\Users\Admin\AppData\Local\Temp\10da92002327ad6a43757698a6e56197.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 944

Network

Country Destination Domain Proto
US 8.8.8.8:53 automation.whatismyip.com udp
N/A 127.0.0.1:80 tcp

Files

memory/2164-0-0x0000000000B80000-0x0000000000C00000-memory.dmp

memory/2164-1-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

memory/2164-4-0x0000000000B00000-0x0000000000B80000-memory.dmp

memory/2164-5-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

memory/2196-6-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/2164-7-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

memory/2164-8-0x0000000000B00000-0x0000000000B80000-memory.dmp

memory/2164-9-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

memory/2196-10-0x00000000005A0000-0x00000000005A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 06:17

Reported

2024-01-01 04:28

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10da92002327ad6a43757698a6e56197.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Local\Temp\10da92002327ad6a43757698a6e56197.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\10da92002327ad6a43757698a6e56197.exe

"C:\Users\Admin\AppData\Local\Temp\10da92002327ad6a43757698a6e56197.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 1552

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 automation.whatismyip.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 udp
GB 96.16.110.41:443 tcp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4260-2-0x0000000000990000-0x00000000009A0000-memory.dmp

memory/4260-1-0x000000001B890000-0x000000001BD5E000-memory.dmp

memory/4260-4-0x00007FFEA6E50000-0x00007FFEA77F1000-memory.dmp

memory/4260-5-0x000000001BEC0000-0x000000001BF40000-memory.dmp

memory/4260-6-0x000000001C750000-0x000000001C7EC000-memory.dmp

memory/4260-7-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

memory/4260-3-0x000000001BE10000-0x000000001BEB6000-memory.dmp

memory/4260-0-0x00007FFEA6E50000-0x00007FFEA77F1000-memory.dmp

memory/4260-16-0x00007FFEA6E50000-0x00007FFEA77F1000-memory.dmp