Analysis
max time kernel: 149s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 09:32

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
Size: 12.9MB
MD5: c07338aba36553458e7a69157218134d
SHA1: f80beaf33becdbda44ad2b8fd6b0d5e4dede0d0e
SHA256: 11dcbbb9664c915f01d836f19e506389678d3214e7d8b10b01fc215a4c49974d
SHA512: c1156c702fe49ff5670677379e2e4fcb1492a5bc0e9157a07e1f7950f64bd72e0eb90e4717b1699aa64e1b9d64579523167bc633cc35b091d6627d581d26c6eb
SSDEEP: 98304:7VjnmHD7KjjqkusjmqMh5TYmnbOMt7ZUy6TX0mfse:1nEwjqkjiqM8Ct9Uy6TX0mke
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

- Executes dropped EXE (2 IoCs)
Processes: sysx32.exe, _2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
pid | Process
4868 | sysx32.exe
2744 | _2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: sysx32.exe
description | ioc | Process
File opened (read-only) | \??\M: | sysx32.exe
File opened (read-only) | \??\S: | sysx32.exe
File opened (read-only) | \??\U: | sysx32.exe
File opened (read-only) | \??\V: | sysx32.exe
File opened (read-only) | \??\W: | sysx32.exe
File opened (read-only) | \??\J: | sysx32.exe
File opened (read-only) | \??\K: | sysx32.exe
File opened (read-only) | \??\O: | sysx32.exe
File opened (read-only) | \??\Y: | sysx32.exe
File opened (read-only) | \??\I: | sysx32.exe
File opened (read-only) | \??\L: | sysx32.exe
File opened (read-only) | \??\H: | sysx32.exe
File opened (read-only) | \??\N: | sysx32.exe
File opened (read-only) | \??\Q: | sysx32.exe
File opened (read-only) | \??\Z: | sysx32.exe
File opened (read-only) | \??\A: | sysx32.exe
File opened (read-only) | \??\E: | sysx32.exe
File opened (read-only) | \??\P: | sysx32.exe
File opened (read-only) | \??\R: | sysx32.exe
File opened (read-only) | \??\T: | sysx32.exe
File opened (read-only) | \??\X: | sysx32.exe
File opened (read-only) | \??\B: | sysx32.exe
File opened (read-only) | \??\G: | sysx32.exe
- Drops file in System32 directory (64 IoCs)
Processes: sysx32.exe
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\pcaui.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\dllhst3g.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\setx.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\ddodiag.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\doskey.exe | sysx32.exe
File created | C:\Windows\SysWOW64\hdwwiz.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\cttune.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\waitfor.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\choice.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\SndVol.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\systeminfo.exe | sysx32.exe
File created | C:\Windows\SysWOW64\tracerpt.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\wiaacmgr.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE | sysx32.exe
File created | C:\Windows\SysWOW64\auditpol.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\SearchProtocolHost.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\runas.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\cttune.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\PackagedCWALauncher.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\rasautou.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\InstallShield\setup.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\at.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\fsutil.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\runonce.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\choice.exe | sysx32.exe
File created | C:\Windows\SysWOW64\gpupdate.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\newdev.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\dvdplay.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\PresentationHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\TapiUnattend.exe | sysx32.exe
File created | C:\Windows\SysWOW64\CheckNetIsolation.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\ROUTE.EXE | sysx32.exe
File created | C:\Windows\SysWOW64\Utilman.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\powercfg.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\quickassist.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\wscadminui.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\chkntfs.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\LaunchWinApp.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\timeout.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\Magnify.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\wermgr.exe | sysx32.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\cacls.exe | sysx32.exe
File created | C:\Windows\SysWOW64\curl.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\HOSTNAME.EXE | sysx32.exe
File created | C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\dvdplay.exe.tmp | sysx32.exe
File created | C:\Windows\SysWOW64\MRINFO.EXE.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\unregmp2.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\regedt32.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\rundll32.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\stordiag.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE | sysx32.exe
File created | C:\Windows\SysWOW64\cmdl32.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\help.exe | sysx32.exe
File opened for modification | C:\Windows\SysWOW64\InputSwitchToastHandler.exe | sysx32.exe
- Drops file in Program Files directory (64 IoCs)
Processes: sysx32.exe
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.tmp | sysx32.exe
File created | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Windows Media Player\wmplayer.exe | sysx32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | sysx32.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe | sysx32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | sysx32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe.tmp | sysx32.exe
File created | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jjs.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.tmp | sysx32.exe
File opened for modification | C:\Program Files\Windows Mail\wabmig.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | sysx32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE | sysx32.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe | sysx32.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | sysx32.exe
File created | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE | sysx32.exe
File created | C:\Program Files\Windows Mail\wab.exe.tmp | sysx32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | sysx32.exe
- Drops file in Windows directory (64 IoCs)
Processes: sysx32.exe
description | ioc | Process
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-alg_31bf3856ad364e35_10.0.19041.746_none_86e29cecb9edce01\alg.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\r\wmplayer.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_10.0.19041.264_none_02eb5d2ec5a9ec02\f\sdclt.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\r\SecHealthUI.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.1266_none_fb98272b39a47240\f\usocoreworker.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.264_none_d58a0ca50a94510c\r\vmcompute.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ces-backgroundagent_31bf3856ad364e35_10.0.19041.423_none_d8a242bf396f7d4d\r\SpaceAgent.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-tokenbroker_31bf3856ad364e35_10.0.19041.1266_none_18784aba5fcd68cc\TokenBrokerCookies.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_openssh-client-components-onecore_31bf3856ad364e35_10.0.19041.964_none_dddeea757b7fbba7\sftp.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_ebe59bdc3d4ddc3f\FlashPlayerApp.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_c77fb947e9eed73b\r\wscript.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\f\WWAHost.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-winhstb_31bf3856ad364e35_10.0.19041.1_none_e94bc62edd251a47\winhlp32.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_comsvcconfig_b03f5f7f11d50a3a_4.0.15805.0_none_468e01fabfc37212\ComSvcConfig.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvsystem_31bf3856ad364e35_10.0.19041.1081_none_bdf809eb2dd695f9\f\AppVClient.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.19041.964_none_a40a1f93665b43eb\f\SndVol.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-dataexchangehost_31bf3856ad364e35_10.0.19041.264_none_c765d8a6c76ec25f\DataExchangeHost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1023_none_d3d892f3280079d7\MdmDiagnosticsTool.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\r\rdpclip.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1_none_b42ad8618bda36bd\TpmTool.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-u..te-musnotifyiconexe_31bf3856ad364e35_10.0.19041.1266_none_adfc223229a335a6\r\MusNotifyIcon.exe.tmp | sysx32.exe
File created | C:\Windows\winhlp32.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_10.0.19041.1_none_c991318e4b11e4cf\RMActivate_ssp.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1202_none_dfaaff89afe4f3d4\r\vds.exe | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-edge-microsoftedgecp_31bf3856ad364e35_10.0.19041.1_none_77274ce3b079d8f5\MicrosoftEdgeCP.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxmain_31bf3856ad364e35_10.0.19041.1023_none_374973298940e35c\f\FilePicker.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\f\taskhostw.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_4ae21b160a9d5bb2\r\CameraSettingsUIHost.exe | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-r..eak-diagnostic-core_31bf3856ad364e35_10.0.19041.1_none_1b575ad951209106\rdrleakdiag.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-rundll32_31bf3856ad364e35_10.0.19041.746_none_c05346ae3e1a99a4\r\rundll32.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.264_none_309e9e4a939c0bac\cscript.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.19041.928_none_6571ff6e96271a64\hcsdiag.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\x86_netfx4-vbc_exe_b03f5f7f11d50a3a_4.0.15805.0_none_de9b06e519e58d0f\vbc.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-certificaterequesttool_31bf3856ad364e35_10.0.19041.1_none_1e01a107b6c5cadf\certreq.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-oobe-machine_31bf3856ad364e35_10.0.19041.1_none_c36f57b8a28f2fbc\msoobe.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-secedit_31bf3856ad364e35_10.0.19041.1_none_64d83b9e511c141f\SecEdit.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.746_none_816403dd2374fa29\dfrgui.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_10.0.19041.1_none_19c9b562d4b65581\IMTCPROP.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\f\TSTheme.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-hns-diagnosticstool_31bf3856ad364e35_10.0.19041.423_none_841c30f68571c385\hnsdiag.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-d..ectxdatabaseupdater_31bf3856ad364e35_10.0.19041.928_none_138fb436497565f4\directxdatabaseupdater.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.1_none_f58a3da76ed0f251\dsdbutil.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\f\wmplayer.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-d..-externaldictionary_31bf3856ad364e35_10.0.19041.1_none_fce141858c5d7f03\IMEWDBLD.EXE.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_10.0.19041.1_none_61ef8d34a0953a91\WMIC.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_edmgen_b77a5c561934e089_4.0.15805.0_none_ae80a3049486a75f\EdmGen.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-xwizard-host-process_31bf3856ad364e35_10.0.19041.1_none_0ee51e56d7e170fb\xwizard.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\r\appcmd.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-u..client-decoder-host_31bf3856ad364e35_10.0.19041.662_none_0070027dab4e4ffe\f\UtcDecoderHost.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_43c494653a7536d0\r\wiaacmgr.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.1_none_22d9ddcd4b2b9d68\CameraSettingsUIHost.exe | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_28f87d0444103fde\f\fontdrvhost.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-defrag-cmdline_31bf3856ad364e35_10.0.19041.84_none_bf1eecf3f472e3ce\Defrag.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tskill.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.264_none_64b3f487e354744d\r\usocoreworker.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.1266_none_8f272afdd624490f_sppsvc.exe_fc6922a9 | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_10.0.19041.1_none_19c9b562d4b65581\IMTCLNWZ.EXE.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_10.0.19041.1_none_69f4af04dd2c1f80\lpq.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.19041.804_none_8b46258bdefa0beb\r\FXSSVC.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\f\FileExplorer.exe | sysx32.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\sessionmsg.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_5d7644a9644fd29d\ctfmon.exe.tmp | sysx32.exe
File opened for modification | C:\Windows\WinSxS\wow64_multimedia-rrinstaller_31bf3856ad364e35_10.0.19041.746_none_fb3ba1752084c5cf\rrinstaller.exe.tmp | sysx32.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_10.0.19041.1202_none_c0150a0a443c0ffc\wbadmin.exe.tmp | sysx32.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: _2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe, 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe, sysx32.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysx32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
description | pid | Process | procid_target
PID 3964 wrote to memory of 4868 | 3964 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 83
PID 3964 wrote to memory of 4868 | 3964 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 83
PID 3964 wrote to memory of 4868 | 3964 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 83
PID 3964 wrote to memory of 2744 | 3964 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 85
PID 3964 wrote to memory of 2744 | 3964 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 85
PID 3964 wrote to memory of 2744 | 3964 | 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe"
  PID: 3964
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\SysWOW64\sysx32.exe
      Command line: C:\Windows\system32\sysx32.exe /scan
      PID: 4868
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
      PID: 2744
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12.9MB
  MD5: b24e60196821ca7cf2b1d45a748b2325
  SHA1: 5e71e4b7589c372cf61df1841a897f65c987939f
  SHA256: 7f92c987728348b666deee703b6e0ca44186263df4ee521f7a20b41e01dba91e
  SHA512: 8bfc5e4e675bc6dca687cd53cceb702d7af55b4cb3110904766c2badd6e30bb2e4505f407cdde10816b9e332c6b08ff0ff69f276a2de8244a77d9d6810cf8e1b
- Filesize: 12.8MB
  MD5: 8c412d213f67d1ee30c0303458e07070
  SHA1: 4def0a8a5787a39686970d8426930918cef3d3b1
  SHA256: f1339d75c7e9f34d06310db6af7040b17a81848db301cd70c19e488909ff1a07
  SHA512: 50030474035426b5ddccd924ca7ea71a13c4a6a55d5aef707eb51b7b884b2c38346fa89aa8d520f6dc365556bf6b1f4022277ec23b6dd6f0b101b2fab82a078a
- Filesize: 12.9MB
  MD5: c07338aba36553458e7a69157218134d
  SHA1: f80beaf33becdbda44ad2b8fd6b0d5e4dede0d0e
  SHA256: 11dcbbb9664c915f01d836f19e506389678d3214e7d8b10b01fc215a4c49974d
  SHA512: c1156c702fe49ff5670677379e2e4fcb1492a5bc0e9157a07e1f7950f64bd72e0eb90e4717b1699aa64e1b9d64579523167bc633cc35b091d6627d581d26c6eb