Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
19-12-2024 18:40
Static task
static1
Behavioral task
behavioral1
Sample
2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe
Resource
win7-20241010-en
General
-
Target
2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe
-
Size
516KB
-
MD5
b5b677b41d7ddfddcd271967ef8c0f1f
-
SHA1
fbe03b7c0888daf27656250ce2428fdd5696ea34
-
SHA256
72bc363fafe846daa5eeb29fc6d0966ca2934812c77fecc1ec911b8f7fcb87a4
-
SHA512
f90e30d8d00501f2d4fa1672ae4d59d5dd8b4ae016e8adab0eee33a30e1da52e9e3d78c766c5eff52f634407b8a5251cb6285f2ee306fb656e37d09ea2e58162
-
SSDEEP
6144:QoyZmTAsfJFakxaLjcMkc0Cax1PzGp6bYA0w601+dNT9/0626ASkVOAF+UzGD+IY:QoyIJsMPrPip6bYboEdN8zHZ
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe -
resource yara_rule behavioral1/memory/2880-24-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-1-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-6-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-9-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-4-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-7-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-10-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-8-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-3-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-11-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-31-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-32-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx behavioral1/memory/2880-36-0x0000000001EF0000-0x0000000002FAA000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\f77581f 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe File opened for modification C:\Windows\SYSTEM.INI 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe Token: SeDebugPrivilege 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2880 wrote to memory of 1108 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe 19 PID 2880 wrote to memory of 1160 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe 20 PID 2880 wrote to memory of 1188 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe 21 PID 2880 wrote to memory of 1580 2880 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe 25 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1108
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1160
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1188
-
C:\Users\Admin\AppData\Local\Temp\2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-19_b5b677b41d7ddfddcd271967ef8c0f1f_bkransomware_hawkeye.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2880
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1580
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5