hawkeye | 805d22047aa58968b27b172380eef58877f5b96177d21c77e3dd16fe891bce0b

General

Target

d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Size

478KB
MD5

d6f9fd8a8720a51076be8f7b25278d4b
SHA1

1ca7cce3fad42b219702975306f3d8e6d62cf6e6
SHA256

805d22047aa58968b27b172380eef58877f5b96177d21c77e3dd16fe891bce0b
SHA512

0c973ce58e4aa0645f6b5f193e91e5e356a3956e08f054a08b44b41759bc383c3c60f9c0f5bc3db2225fd9a3097e945fc88e6c1e42c12cc0b31612219a5b69aa
SSDEEP

12288:e9jBgFYsPt4Hp9ujwkSBv7Gz5dbMi8nPgOz6JQrrWM7vFnifpGZ1X3WAr+ybzxw4:erg7t4Hp9ujwkSBv7Gz5dbMi8nPgOz6Q

Score

10^/10

hawkeye discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\taskmgr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exesvchost.exeaudiodgi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	audiodgi.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

4008 svchost.exe
Executes dropped EXE 5 IoCs

Processes:

svchost.exesvchost.exeaudiodgi.exewmpmetwk.exewmpmetwk.exe

pid process

4008 svchost.exe
4088 svchost.exe
2936 audiodgi.exe
4224 wmpmetwk.exe
2712 wmpmetwk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

audiodgi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

svchost.exewmpmetwk.exe

description	pid	process	target process
PID 4008 set thread context of 4088	4008	svchost.exe	svchost.exe
PID 4224 set thread context of 2712	4224	wmpmetwk.exe	wmpmetwk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exereg.execmd.exereg.exewmpmetwk.exed6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exesvchost.exesvchost.exereg.exeaudiodgi.execmd.exereg.exewmpmetwk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

2036 reg.exe
3776 reg.exe
1264 reg.exe
1208 reg.exe

pid	process
2036	reg.exe
3776	reg.exe
1264	reg.exe
1208	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeaudiodgi.exewmpmetwk.exe

pid	process
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe
2936	audiodgi.exe
4224	wmpmetwk.exe
4008	svchost.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exesvchost.exesvchost.exeaudiodgi.exewmpmetwk.exe

description	pid	process
Token: SeDebugPrivilege	4888	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Token: SeDebugPrivilege	4008	svchost.exe
Token: 1	4088	svchost.exe
Token: SeCreateTokenPrivilege	4088	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4088	svchost.exe
Token: SeLockMemoryPrivilege	4088	svchost.exe
Token: SeIncreaseQuotaPrivilege	4088	svchost.exe
Token: SeMachineAccountPrivilege	4088	svchost.exe
Token: SeTcbPrivilege	4088	svchost.exe
Token: SeSecurityPrivilege	4088	svchost.exe
Token: SeTakeOwnershipPrivilege	4088	svchost.exe
Token: SeLoadDriverPrivilege	4088	svchost.exe
Token: SeSystemProfilePrivilege	4088	svchost.exe
Token: SeSystemtimePrivilege	4088	svchost.exe
Token: SeProfSingleProcessPrivilege	4088	svchost.exe
Token: SeIncBasePriorityPrivilege	4088	svchost.exe
Token: SeCreatePagefilePrivilege	4088	svchost.exe
Token: SeCreatePermanentPrivilege	4088	svchost.exe
Token: SeBackupPrivilege	4088	svchost.exe
Token: SeRestorePrivilege	4088	svchost.exe
Token: SeShutdownPrivilege	4088	svchost.exe
Token: SeDebugPrivilege	4088	svchost.exe
Token: SeAuditPrivilege	4088	svchost.exe
Token: SeSystemEnvironmentPrivilege	4088	svchost.exe
Token: SeChangeNotifyPrivilege	4088	svchost.exe
Token: SeRemoteShutdownPrivilege	4088	svchost.exe
Token: SeUndockPrivilege	4088	svchost.exe
Token: SeSyncAgentPrivilege	4088	svchost.exe
Token: SeEnableDelegationPrivilege	4088	svchost.exe
Token: SeManageVolumePrivilege	4088	svchost.exe
Token: SeImpersonatePrivilege	4088	svchost.exe
Token: SeCreateGlobalPrivilege	4088	svchost.exe
Token: 31	4088	svchost.exe
Token: 32	4088	svchost.exe
Token: 33	4088	svchost.exe
Token: 34	4088	svchost.exe
Token: 35	4088	svchost.exe
Token: SeDebugPrivilege	2936	audiodgi.exe
Token: SeDebugPrivilege	4224	wmpmetwk.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

svchost.exewmpmetwk.exe

pid process

4088 svchost.exe
4088 svchost.exe
4088 svchost.exe
2712 wmpmetwk.exe
2712 wmpmetwk.exe

pid	process
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
2712	wmpmetwk.exe
2712	wmpmetwk.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exesvchost.exesvchost.execmd.execmd.execmd.execmd.exeaudiodgi.exewmpmetwk.exe

description	pid	process	target process
PID 4888 wrote to memory of 4008	4888	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe	svchost.exe
PID 4888 wrote to memory of 4008	4888	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe	svchost.exe
PID 4888 wrote to memory of 4008	4888	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe	svchost.exe
PID 4008 wrote to memory of 4088	4008	svchost.exe	svchost.exe
PID 4008 wrote to memory of 4088	4008	svchost.exe	svchost.exe
PID 4008 wrote to memory of 4088	4008	svchost.exe	svchost.exe
PID 4008 wrote to memory of 4088	4008	svchost.exe	svchost.exe
PID 4008 wrote to memory of 4088	4008	svchost.exe	svchost.exe
PID 4008 wrote to memory of 4088	4008	svchost.exe	svchost.exe
PID 4008 wrote to memory of 4088	4008	svchost.exe	svchost.exe
PID 4008 wrote to memory of 4088	4008	svchost.exe	svchost.exe
PID 4088 wrote to memory of 4856	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 4856	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 4856	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 3784	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 3784	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 3784	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 4700	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 4700	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 4700	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 4912	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 4912	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 4912	4088	svchost.exe	cmd.exe
PID 4856 wrote to memory of 2036	4856	cmd.exe	reg.exe
PID 4856 wrote to memory of 2036	4856	cmd.exe	reg.exe
PID 4856 wrote to memory of 2036	4856	cmd.exe	reg.exe
PID 4700 wrote to memory of 1264	4700	cmd.exe	reg.exe
PID 4700 wrote to memory of 1264	4700	cmd.exe	reg.exe
PID 4700 wrote to memory of 1264	4700	cmd.exe	reg.exe
PID 3784 wrote to memory of 3776	3784	cmd.exe	reg.exe
PID 3784 wrote to memory of 3776	3784	cmd.exe	reg.exe
PID 3784 wrote to memory of 3776	3784	cmd.exe	reg.exe
PID 4912 wrote to memory of 1208	4912	cmd.exe	reg.exe
PID 4912 wrote to memory of 1208	4912	cmd.exe	reg.exe
PID 4912 wrote to memory of 1208	4912	cmd.exe	reg.exe
PID 4008 wrote to memory of 2936	4008	svchost.exe	audiodgi.exe
PID 4008 wrote to memory of 2936	4008	svchost.exe	audiodgi.exe
PID 4008 wrote to memory of 2936	4008	svchost.exe	audiodgi.exe
PID 2936 wrote to memory of 4224	2936	audiodgi.exe	wmpmetwk.exe
PID 2936 wrote to memory of 4224	2936	audiodgi.exe	wmpmetwk.exe
PID 2936 wrote to memory of 4224	2936	audiodgi.exe	wmpmetwk.exe
PID 4224 wrote to memory of 2712	4224	wmpmetwk.exe	wmpmetwk.exe
PID 4224 wrote to memory of 2712	4224	wmpmetwk.exe	wmpmetwk.exe
PID 4224 wrote to memory of 2712	4224	wmpmetwk.exe	wmpmetwk.exe
PID 4224 wrote to memory of 2712	4224	wmpmetwk.exe	wmpmetwk.exe
PID 4224 wrote to memory of 2712	4224	wmpmetwk.exe	wmpmetwk.exe
PID 4224 wrote to memory of 2712	4224	wmpmetwk.exe	wmpmetwk.exe
PID 4224 wrote to memory of 2712	4224	wmpmetwk.exe	wmpmetwk.exe
PID 4224 wrote to memory of 2712	4224	wmpmetwk.exe	wmpmetwk.exe

C:\Users\Admin\AppData\Local\Temp\d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3784
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1208
- - C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
608ba18769d8c39ed93483afbe8d6779

SHA1
aabaea18ef0da2077f38d57f2c7ccbb31581e9b1

SHA256
390ccf980135935b1fd0ced301caa8468eb96f466f3570c615588e7e4fdbfd25

SHA512
aec4974218a32f93b45426a6fc704544fec22287e805756a83960577c42ff9e8faa0af3cb42a17a00bebca99e14b01925185c364cfdf46fb991d415dc8be4d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe

Filesize
10KB

MD5
83ce94edcf6b43e60e467a9f22705d3e

SHA1
0a3738cbee68a53e8d5e93f83d5b633f8ae95232

SHA256
558224443ed55cc3efc377ff06ba86ef2d4c910da4d3d47c590377c487c1d63f

SHA512
51675f7143d6666452dc231ffc03e0dab642f2c2c8a3d61dc567beec825ea52d45513243ea81d3873d44a66b8d7a1340f0b6e5ecac741c29d01813de8631d383

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
478KB

MD5
d6f9fd8a8720a51076be8f7b25278d4b

SHA1
1ca7cce3fad42b219702975306f3d8e6d62cf6e6

SHA256
805d22047aa58968b27b172380eef58877f5b96177d21c77e3dd16fe891bce0b

SHA512
0c973ce58e4aa0645f6b5f193e91e5e356a3956e08f054a08b44b41759bc383c3c60f9c0f5bc3db2225fd9a3097e945fc88e6c1e42c12cc0b31612219a5b69aa

Download Submit
memory/4008-21-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4008-17-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4008-42-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4088-23-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4088-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4888-0-0x0000000075242000-0x0000000075243000-memory.dmp

Filesize
4KB

Download
memory/4888-1-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4888-2-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/4888-20-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads