Overview

overview

10

Static

static

3

31c0d45df9...7e.exe

windows7-x64

10

31c0d45df9...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 09:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31c0d45df9c966ad7e11ab233078607e.exe

  • Size

    233KB

  • MD5

    31c0d45df9c966ad7e11ab233078607e

  • SHA1

    ead2ce24fbf87bebad55500604557bf9ac4d2ddf

  • SHA256

    22a7ae8d819204ec2cd27a5e53f5e267c7829776eb3064b95bc6f253e72a1157

  • SHA512

    bd99241deae5815117fd8725b105006238a6980d65a3f1115d1d107ff66fa5abf6ef122db3fc65910e47087b4b0c21b51fc9bcf35c5a8de12fbc1cfb3b0f0df8

  • SSDEEP

    6144:OTu5OUFQPwNcHEOHA6ekznVuf5e9LoZgYuyY:EuzmO2hA6pncOoZgv

Score
10/10
hawkeyeevasionkeyloggerpersistencespywarestealertrojanupx

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Modifies firewall policy service 2 TTPs 8 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31c0d45df9c966ad7e11ab233078607e.exe
    "C:\Users\Admin\AppData\Local\Temp\31c0d45df9c966ad7e11ab233078607e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
        "C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2912
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2816
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\U5P8P5076W.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\U5P8P5076W.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:2204
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:1920
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:1764
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:2200
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\U5P8P5076W.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\U5P8P5076W.exe:*:Enabled:Windows Messanger" /f
    1⤵
      PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1448
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
      1⤵
        PID:2584
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        1⤵
          PID:1540
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:2016
        • C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
          "C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2620

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
          Filesize

          70B

          MD5

          f7c87177fd26e524de29ee6aa72f92a7

          SHA1

          f936c5f8d1d2e2f0f59f411301e35f0784dd5852

          SHA256

          9c55f38111df3ca9fadf85e21cbf9161cf34042275ed0957beb1fcdbf1a589e6

          SHA512

          6b4501bce19472bfa71abed7a0f0fad7d1107ee08bf523a54cc27bc95357c8f101394f76206ba983af8fbb11b2cbc778d82fe299b6e462f46ff57be15f6b3aaa

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          Filesize

          233KB

          MD5

          31c0d45df9c966ad7e11ab233078607e

          SHA1

          ead2ce24fbf87bebad55500604557bf9ac4d2ddf

          SHA256

          22a7ae8d819204ec2cd27a5e53f5e267c7829776eb3064b95bc6f253e72a1157

          SHA512

          bd99241deae5815117fd8725b105006238a6980d65a3f1115d1d107ff66fa5abf6ef122db3fc65910e47087b4b0c21b51fc9bcf35c5a8de12fbc1cfb3b0f0df8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          Filesize

          92KB

          MD5

          996a4cf7951feb7de3a45c83df10b965

          SHA1

          10c2a4735fea659b85b627ab89f1b7210b9a31b5

          SHA256

          b5a2503ccccdf7e9e5f231f54a904f1e59ca97bf88277ad3ad42079562d4f53b

          SHA512

          c70247e75cc27c4e75c295b719ed206d57602d38f1680c95a141290f50aeeec25c08270dd1fe8f51db5583fd525fc235b2358d4b3562e438b0fdcaac4900a868

          Download Submit

        • memory/1204-17-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1204-16-0x0000000000A90000-0x0000000000AD0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1204-15-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1204-86-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2016-80-0x00000000008A0000-0x00000000008FF000-memory.dmp

          Filesize

          380KB

          Download

        • memory/2016-82-0x0000000000280000-0x0000000000293000-memory.dmp

          Filesize

          76KB

          Download

        • memory/2016-84-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

          Download

        • memory/2620-58-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2620-89-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2620-90-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2620-60-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2816-29-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

          Download

        • memory/2816-26-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

          Download

        • memory/2816-76-0x0000000002480000-0x00000000024BC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2816-23-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

          Download

        • memory/2816-33-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

          Download

        • memory/2816-31-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

          Download

        • memory/2816-55-0x00000000007A0000-0x00000000007B3000-memory.dmp

          Filesize

          76KB

          Download

        • memory/2816-25-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

          Download

        • memory/2816-38-0x0000000002400000-0x000000000245F000-memory.dmp

          Filesize

          380KB

          Download

        • memory/2816-35-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

          Download

        • memory/2816-34-0x0000000000400000-0x0000000000473000-memory.dmp

          Filesize

          460KB

          Download

        • memory/2816-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2912-54-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2912-48-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2912-49-0x0000000002020000-0x0000000002060000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2912-87-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2912-88-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3036-1-0x0000000000130000-0x0000000000170000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3036-85-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3036-14-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3036-0-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3036-2-0x0000000074C90000-0x000000007523B000-memory.dmp

          Filesize

          5.7MB

          Download