Analysis
-
max time kernel
140s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-10-2024 11:20
General
-
Target
ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe
-
Size
1.0MB
-
MD5
019a689dcc5128d85718bd043197b311
-
SHA1
dfed1ea66306d5f8e5e6ac4d6b91b06e4adfeb0b
-
SHA256
ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb
-
SHA512
6cd55fe3d4c830845317dc9d02783b5616f65f2e10864c52518d75af66f57b02f7d1975bc125cfe916168418a19337960eaa9485622ca8f70da5884b83b09d61
-
SSDEEP
24576:4WAq81e5JEJFQWvtYG7KddInBz87zqNI++9rY/2uOM/dnuVtfO:8bevEJOWvt37KddIn5872+9M/2JM/dnh
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
Promother2014
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe"C:\Users\Admin\AppData\Local\Temp\ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 24403⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102B
MD5430b441662ed99584f62648022a20bed
SHA1d16c4994a2d5e0c5349ae1cbc741ee505dc59ec8
SHA256532662d3325a638b2a24f9e685b8787b2a528247bff4f6cbf5416a673dbd411b
SHA512a4a8ddb9c1a33268a649029f8b2254091825635e7d03ed4c70fdf48e28ee2bc5a17986fdd6530a86f6b5741f22d3c3b0a2a3efb5183b2253f7bef4cc7b0c3ce6
-
Filesize
1.0MB
MD5019a689dcc5128d85718bd043197b311
SHA1dfed1ea66306d5f8e5e6ac4d6b91b06e4adfeb0b
SHA256ef962b6dc96472a374447fc8c2e4409c44532d1a446646f3dcd262b95143d0cb
SHA5126cd55fe3d4c830845317dc9d02783b5616f65f2e10864c52518d75af66f57b02f7d1975bc125cfe916168418a19337960eaa9485622ca8f70da5884b83b09d61
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB