Overview

overview

10

Static

static

3

f75b89f640...aN.exe

windows7-x64

10

f75b89f640...aN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    26-10-2024 23:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f75b89f64035020942c29ae2ff37d0f5789fa73310632e5ad951686cc9cd489aN.exe

  • Size

    23KB

  • MD5

    3d25d84500c967ecef3a0026dbfed410

  • SHA1

    3515bef2e70722e9718edb51b4e1e9a2f80a1f0a

  • SHA256

    f75b89f64035020942c29ae2ff37d0f5789fa73310632e5ad951686cc9cd489a

  • SHA512

    349c3561f4e6961bbbd88c17f961ee6fcd34117b8a5664a173f8ebef0546d0b5cc05d113102730ef82907cc66b803849bf6dfd68692fc37d16a0575e4ac17d99

  • SSDEEP

    384:o3Eh9xqX7jumTaNb6SxZLIXYQPhMVDrgHa/Dw1I0Q1abpyq5abpy6J6:7hjgumONblmOKwk1IXatyq5aty6J6

Score
10/10
hawkeyediscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Hawkeye family
    hawkeye
  • Drops file in Drivers directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f75b89f64035020942c29ae2ff37d0f5789fa73310632e5ad951686cc9cd489aN.exe
    "C:\Users\Admin\AppData\Local\Temp\f75b89f64035020942c29ae2ff37d0f5789fa73310632e5ad951686cc9cd489aN.exe"
    1⤵
    • Drops file in Drivers directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -executionpolicy bypass -command .\racoon.ps1
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "whoami.exe && systeminfo.exe && ipconfig.exe && netstat.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\SysWOW64\whoami.exe
          whoami.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2056
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:2848
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:528
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\racoon.ps1
    Filesize

    2KB

    MD5

    500d58ef9f6a679f856d0f756380d7d5

    SHA1

    5b51e885134ca5dbf78bdd3a81762196d504ae1a

    SHA256

    15482161e2cd82078399b115a541aec70c2c269089f9ab2761a1a6197d08f2b3

    SHA512

    8a4d73bd4d20f9fdb5389de777fe6d45d22f466ed4e635a6853cda0e507e6b07afd697c25d7f6960eb63bf880f2be301a7e1818d850bbf22889d6734e61219e7

    Download Submit

  • memory/1132-8-0x0000000071321000-0x0000000071322000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1132-11-0x0000000071320000-0x00000000718CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1132-10-0x0000000071320000-0x00000000718CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1132-9-0x0000000071320000-0x00000000718CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1132-12-0x0000000071320000-0x00000000718CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1132-15-0x0000000071320000-0x00000000718CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1132-26-0x0000000071320000-0x00000000718CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2828-0-0x000000007428E000-0x000000007428F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2828-1-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2828-14-0x000000007428E000-0x000000007428F000-memory.dmp

    Filesize

    4KB

    Download