Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 09:32

General

  • Target

    2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe

  • Size

    12.9MB

  • MD5

    c07338aba36553458e7a69157218134d

  • SHA1

    f80beaf33becdbda44ad2b8fd6b0d5e4dede0d0e

  • SHA256

    11dcbbb9664c915f01d836f19e506389678d3214e7d8b10b01fc215a4c49974d

  • SHA512

    c1156c702fe49ff5670677379e2e4fcb1492a5bc0e9157a07e1f7950f64bd72e0eb90e4717b1699aa64e1b9d64579523167bc633cc35b091d6627d581d26c6eb

  • SSDEEP

    98304:7VjnmHD7KjjqkusjmqMh5TYmnbOMt7ZUy6TX0mfse:1nEwjqkjiqM8Ct9Uy6TX0mke

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      PID:2416
    • C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
      C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe

    Filesize

    12.8MB

    MD5

    8c412d213f67d1ee30c0303458e07070

    SHA1

    4def0a8a5787a39686970d8426930918cef3d3b1

    SHA256

    f1339d75c7e9f34d06310db6af7040b17a81848db301cd70c19e488909ff1a07

    SHA512

    50030474035426b5ddccd924ca7ea71a13c4a6a55d5aef707eb51b7b884b2c38346fa89aa8d520f6dc365556bf6b1f4022277ec23b6dd6f0b101b2fab82a078a

  • \Windows\SysWOW64\sysx32.exe

    Filesize

    12.9MB

    MD5

    c07338aba36553458e7a69157218134d

    SHA1

    f80beaf33becdbda44ad2b8fd6b0d5e4dede0d0e

    SHA256

    11dcbbb9664c915f01d836f19e506389678d3214e7d8b10b01fc215a4c49974d

    SHA512

    c1156c702fe49ff5670677379e2e4fcb1492a5bc0e9157a07e1f7950f64bd72e0eb90e4717b1699aa64e1b9d64579523167bc633cc35b091d6627d581d26c6eb

  • memory/1728-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1728-8-0x0000000000220000-0x0000000000231000-memory.dmp

    Filesize

    68KB

  • memory/1728-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2416-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB