Analysis
-
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7v191014
submitted: 11-02-2020 15:34

Static task: static1

Behavioral task: behavioral1
Sample: 5e9f9c567f2286a5011027090b1462d5.exe
Resource: win7v191014 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 5e9f9c567f2286a5011027090b1462d5.exe
Resource: win10v191014 (windows10_x64)
0 signatures, 0 seconds
General
-
Target: 5e9f9c567f2286a5011027090b1462d5.exe
Size: 2.0MB
MD5: 5e9f9c567f2286a5011027090b1462d5
SHA1: 82ea25e7ed15171ebeaf604393a3c08097ca6ed4
SHA256: aa01798101f8b75f82ecd6dbd29d0f0e7eac854a723d3cd2c5c571262b1930ac
SHA512: 35528136ca68b2059c459f0de596fad2d553b1a7011000a82a6b51409812dd72e357c5c8ec8ee6ffb6f64c87a5ee34ec8d4448eea260721f109390bc54636f65
Score: 10/10
Malware Config
Signatures
-
Suspicious use of SetThreadContext 3 IoCs
Processes: 5e9f9c567f2286a5011027090b1462d5.exe, RegAsm.exe
description | pid | process | target process
PID 1304 set thread context of 2036 | 1304 | 5e9f9c567f2286a5011027090b1462d5.exe | RegAsm.exe
PID 2036 set thread context of 1988 | 2036 | RegAsm.exe | vbc.exe
PID 2036 set thread context of 1928 | 2036 | RegAsm.exe | vbc.exe
-
Suspicious behavior: EnumeratesProcesses 20006 IoCs
Processes: 5e9f9c567f2286a5011027090b1462d5.exe
pid | process
1304 | 5e9f9c567f2286a5011027090b1462d5.exe
(all rows shown on the page are this same pid/process pair; the full list of 20006 entries is truncated)
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: 5e9f9c567f2286a5011027090b1462d5.exe
pid | process
1304 | 5e9f9c567f2286a5011027090b1462d5.exe (3 entries)
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes: 5e9f9c567f2286a5011027090b1462d5.exe
pid | process
1304 | 5e9f9c567f2286a5011027090b1462d5.exe (3 entries)
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 5e9f9c567f2286a5011027090b1462d5.exe, RegAsm.exe
description | pid | process | target process | entries
PID 1304 wrote to memory of 2036 | 1304 | 5e9f9c567f2286a5011027090b1462d5.exe | RegAsm.exe | 8
PID 2036 wrote to memory of 1988 | 2036 | RegAsm.exe | vbc.exe | 10
PID 2036 wrote to memory of 1928 | 2036 | RegAsm.exe | vbc.exe | 10
-
Drops startup file 1 IoCs
Processes: 5e9f9c567f2286a5011027090b1462d5.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtlUpd64.url | 5e9f9c567f2286a5011027090b1462d5.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: 5e9f9c567f2286a5011027090b1462d5.exe
pid | process
1304 | 5e9f9c567f2286a5011027090b1462d5.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Reads browser user data or profiles (possible credential harvesting) 2 TTPs
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\5e9f9c567f2286a5011027090b1462d5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5e9f9c567f2286a5011027090b1462d5.exe"
    PID: 1304
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - Drops startup file
    - Suspicious behavior: MapViewOfSection
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        PID: 2036
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE139.tmp"
            PID: 1988
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD336.tmp"
            PID: 1928
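The signature tables and the process tree above describe one chain: the sample (PID 1304) starts RegAsm.exe with no arguments, writes to its memory and sets its thread context, and the hollowed RegAsm.exe (PID 2036) does the same to two vbc.exe children that are launched with a /stext <tmpfile> argument, while the sample also drops RtlUpd64.url into the Startup folder. The Python below is an added detection example, not part of the Triage report or any vendor rule set: it runs four rules over hand-constructed Sysmon-style events that mirror the tree and correlates the findings per process tree. The event field names, the parent PID 900, the benign vbc.exe build at PID 3100 and the granted-access values are assumptions; the image paths, PIDs and command lines of the chain itself are taken from the report. /stext is the save-as-text switch used by NirSoft's password-recovery utilities and is not a Visual Basic compiler option, which is why a vbc.exe carrying that argument is flagged on its own.

```python
"""Detection logic for the injection chain in this report, run over
constructed Sysmon-style events (added example, not report data)."""
import re
from collections import defaultdict

# .NET framework binaries commonly used as hollowing hosts.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe",
                "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory needs

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\5e9f9c567f2286a5011027090b1462d5.exe"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
NET40 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"  # assumed path

# Constructed events modelled loosely on Sysmon IDs 1, 10 and 11; ppid 900,
# the access masks and the PID 3100 build are assumptions, not report data.
EVENTS = [
    {"type": "process_create", "pid": 1304, "ppid": 900, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 2036, "ppid": 1304,
     "image": NET20 + r"\RegAsm.exe", "cmdline": f'"{NET20}\\RegAsm.exe"'},
    {"type": "process_access", "source_pid": 1304, "target_pid": 2036,
     "granted_access": 0x1FFFFF},
    {"type": "process_create", "pid": 1988, "ppid": 2036,
     "image": NET20 + r"\vbc.exe",
     "cmdline": f'"{NET20}\\vbc.exe" /stext "{TEMP}\\tmpE139.tmp"'},
    {"type": "process_access", "source_pid": 2036, "target_pid": 1988,
     "granted_access": 0x1FFFFF},
    {"type": "process_create", "pid": 1928, "ppid": 2036,
     "image": NET20 + r"\vbc.exe",
     "cmdline": f'"{NET20}\\vbc.exe" /stext "{TEMP}\\tmpD336.tmp"'},
    {"type": "process_access", "source_pid": 2036, "target_pid": 1928,
     "granted_access": 0x1FFFFF},
    {"type": "file_create", "pid": 1304,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\RtlUpd64.url"},
    # Benign noise: a build that legitimately runs the VB.NET compiler.
    {"type": "process_create", "pid": 3100, "ppid": 3000,
     "image": NET40 + r"\vbc.exe",
     "cmdline": f'"{NET40}\\vbc.exe" /target:exe /out:app.exe Module1.vb'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline):
    """Return whatever follows the (possibly quoted) image path."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def detect(events):
    """Yield (rule, pid) findings; pid is the process the finding is about."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    for e in events:
        if e["type"] == "process_create":
            name, parent = basename(e["image"]), procs.get(e["ppid"])
            # Hollowing host: .NET utility started with no arguments by a
            # parent that runs from a user-writable directory.
            if (name in DOTNET_HOSTS and parent
                    and USER_WRITABLE.search(parent["image"])
                    and not args_after_image(e["cmdline"])):
                yield ("dotnet_host_from_user_path", e["pid"])
            # /stext is a NirSoft-style dump switch, not a vbc.exe option.
            if name == "vbc.exe" and re.search(r"(?i)(^|\s)/stext(\s|$)", e["cmdline"]):
                yield ("vbc_stext_credential_dump", e["pid"])
        elif e["type"] == "process_access":
            src, tgt = procs.get(e["source_pid"]), procs.get(e["target_pid"])
            # Another image obtaining write access to a .NET host process.
            if (src and tgt and basename(tgt["image"]) in DOTNET_HOSTS
                    and src["image"] != tgt["image"]
                    and e["granted_access"] & PROCESS_VM_WRITE):
                yield ("cross_process_write", e["target_pid"])
        elif e["type"] == "file_create" and STARTUP_DIR.search(e["target"]):
            yield ("startup_persistence", e["pid"])


def root_of(pid, procs):
    """Walk ppid links up to the oldest process we have an event for."""
    while pid in procs and procs[pid]["ppid"] in procs:
        pid = procs[pid]["ppid"]
    return pid


def correlate(events):
    """Group findings by the root of their process tree."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    chains = defaultdict(list)
    for rule, pid in detect(events):
        chains[root_of(pid, procs)].append((rule, pid))
    return dict(chains)


def alerts(events, min_rules=3):
    """Roots whose tree triggered at least min_rules distinct rules."""
    return sorted(root for root, hits in correlate(events).items()
                  if len({r for r, _ in hits}) >= min_rules)


if __name__ == "__main__":
    for root, hits in correlate(EVENTS).items():
        print(root, hits)
    print("alert:", alerts(EVENTS))
```

Running it prints seven findings, all rooted at PID 1304, and one chain alert; the legitimate vbc.exe build at PID 3100 produces nothing. The threshold of three distinct rules keeps a lone compiler invocation or a single Startup-folder write from raising the chain alert, and on real telemetry the constructed keys map onto Sysmon's Image, ParentImage, CommandLine, GrantedAccess and TargetFilename fields.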