Analysis
- max time kernel: 141s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14-11-2024 09:32
Static task
- static1
Behavioral task
- behavioral1
  Sample: 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
  Resource: win10v2004-20241007-en
General
- Target: 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
- Size: 12.9MB
- MD5: c07338aba36553458e7a69157218134d
- SHA1: f80beaf33becdbda44ad2b8fd6b0d5e4dede0d0e
- SHA256: 11dcbbb9664c915f01d836f19e506389678d3214e7d8b10b01fc215a4c49974d
- SHA512: c1156c702fe49ff5670677379e2e4fcb1492a5bc0e9157a07e1f7950f64bd72e0eb90e4717b1699aa64e1b9d64579523167bc633cc35b091d6627d581d26c6eb
- SSDEEP: 98304:7VjnmHD7KjjqkusjmqMh5TYmnbOMt7ZUy6TX0mfse:1nEwjqkjiqM8Ct9Uy6TX0mke
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  pid  | Process
  2416 | sysx32.exe
  2816 | _2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
- Loads dropped DLL (3 IoCs)
  Processes:
  pid  | Process
  1728 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
  1728 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
  1728 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | Process
  File opened (read-only) | \??\A: | sysx32.exe
  File opened (read-only) | \??\B: | sysx32.exe
- Drops file in System32 directory (3 IoCs)
  Processes:
  description | ioc | Process
  File created | C:\Windows\SysWOW64\sysx32.exe | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
  File opened for modification | C:\Windows\SysWOW64\sysx32.exe | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
  File created | C:\Windows\SysWOW64\sysx32.exe | sysx32.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
  description | ioc | Process
  File created | C:\Program Files\7-Zip\7z.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe.tmp | sysx32.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 1728 wrote to memory of 2416 | 1728 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 30
  PID 1728 wrote to memory of 2416 | 1728 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 30
  PID 1728 wrote to memory of 2416 | 1728 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 30
  PID 1728 wrote to memory of 2416 | 1728 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 30
  PID 1728 wrote to memory of 2816 | 1728 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 31
  PID 1728 wrote to memory of 2816 | 1728 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 31
  PID 1728 wrote to memory of 2816 | 1728 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 31
  PID 1728 wrote to memory of 2816 | 1728 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe"
  PID: 1728
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    PID: 2416
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
  - C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
    PID: 2816
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12.8MB
  MD5: 8c412d213f67d1ee30c0303458e07070
  SHA1: 4def0a8a5787a39686970d8426930918cef3d3b1
  SHA256: f1339d75c7e9f34d06310db6af7040b17a81848db301cd70c19e488909ff1a07
  SHA512: 50030474035426b5ddccd924ca7ea71a13c4a6a55d5aef707eb51b7b884b2c38346fa89aa8d520f6dc365556bf6b1f4022277ec23b6dd6f0b101b2fab82a078a
- Filesize: 12.9MB
  MD5: c07338aba36553458e7a69157218134d
  SHA1: f80beaf33becdbda44ad2b8fd6b0d5e4dede0d0e
  SHA256: 11dcbbb9664c915f01d836f19e506389678d3214e7d8b10b01fc215a4c49974d
  SHA512: c1156c702fe49ff5670677379e2e4fcb1492a5bc0e9157a07e1f7950f64bd72e0eb90e4717b1699aa64e1b9d64579523167bc633cc35b091d6627d581d26c6eb