Analysis

max time kernel: 150s
max time network: 149s
platform: windows10_x64
resource: win10v191014
submitted: 11-02-2020 15:34
Static task: static1

Behavioral task: behavioral1
Sample: 5e9f9c567f2286a5011027090b1462d5.exe
Resource: win7v191014 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 5e9f9c567f2286a5011027090b1462d5.exe
Resource: win10v191014 (windows10_x64)
0 signatures, 0 seconds
General

Target: 5e9f9c567f2286a5011027090b1462d5.exe
Size: 2.0MB
MD5: 5e9f9c567f2286a5011027090b1462d5
SHA1: 82ea25e7ed15171ebeaf604393a3c08097ca6ed4
SHA256: aa01798101f8b75f82ecd6dbd29d0f0e7eac854a723d3cd2c5c571262b1930ac
SHA512: 35528136ca68b2059c459f0de596fad2d553b1a7011000a82a6b51409812dd72e357c5c8ec8ee6ffb6f64c87a5ee34ec8d4448eea260721f109390bc54636f65
Score: 10/10
Malware Config
Signatures

Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
description                        pid   process                               target process   count
PID 4928 wrote to memory of 4504   4928  5e9f9c567f2286a5011027090b1462d5.exe  RegAsm.exe       4
PID 4504 wrote to memory of 4312   4504  RegAsm.exe                            vbc.exe          9
PID 4504 wrote to memory of 820    4504  RegAsm.exe                            vbc.exe          9
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
pid   process
4928  5e9f9c567f2286a5011027090b1462d5.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description                          pid   process                               target process
PID 4928 set thread context of 4504  4928  5e9f9c567f2286a5011027090b1462d5.exe  RegAsm.exe
PID 4504 set thread context of 4312  4504  RegAsm.exe                            vbc.exe
PID 4504 set thread context of 820   4504  RegAsm.exe                            vbc.exe
Reads browser user data or profiles (possible credential harvesting) (2 TTPs)

Uses the VBS compiler for execution (1 TTP)
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
pid   process                               count
4928  5e9f9c567f2286a5011027090b1462d5.exe  3
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
pid   process                               count
4928  5e9f9c567f2286a5011027090b1462d5.exe  3
Suspicious behavior: EnumeratesProcesses (14004 IoCs)
Processes:
pid   process
4928  5e9f9c567f2286a5011027090b1462d5.exe
(the report repeats this same pid/process entry for every IoC in this signature)
Drops startup file (1 IoC)
Processes:
description                   ioc                                                                                      process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtlUpd64.url  5e9f9c567f2286a5011027090b1462d5.exe
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
Processes

1. C:\Users\Admin\AppData\Local\Temp\5e9f9c567f2286a5011027090b1462d5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e9f9c567f2286a5011027090b1462d5.exe"
   PID: 4928
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious behavior: EnumeratesProcesses
   - Drops startup file

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 4504
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBE2.tmp"
         PID: 4312

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFE61.tmp"
         PID: 820