Analysis

max time kernel: 150s
max time network: 107s
platform: windows7_x64
resource: win7v200217
submitted: 27-02-2020 09:48

Static task: static1

Behavioral task: behavioral1
  Sample: H.bin.exe
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: H.bin.exe
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General

Target: H.bin.exe
Size: 881KB
MD5: 3fe7d81139bd40361330a07f47bb99e1
SHA1: 391bc516fe8e1feae96fb3c7c31bcccec4fa20e6
SHA256: 4945a1a4f65271de23a99eaad0b4a08b472b2dcb60a60a5b06f26afad49da181
SHA512: f22e4e2fa6be336cd26fb46f9b7d9cc656670f6c8abf5283e1cd35e718a95a53145937adc70036fc7cf850234c9090b05a190bafd9ae2ad20d9bf8441103f63e
Score: 10/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory (29 IoCs)

Processes (identical rows grouped, with the number of occurrences):

description         | pid  | process   | target pid | target process | occurrences
wrote to memory of  | 1844 | H.bin.exe | 1880       | H.bin.exe      | 9
wrote to memory of  | 1880 | H.bin.exe | 2012       | vbc.exe        | 10
wrote to memory of  | 1880 | H.bin.exe | 1384       | vbc.exe        | 10
Suspicious use of SetThreadContext (3 IoCs)

Processes:

description             | pid  | process   | target pid | target process
set thread context of   | 1844 | H.bin.exe | 1880       | H.bin.exe
set thread context of   | 1880 | H.bin.exe | 2012       | vbc.exe
set thread context of   | 1880 | H.bin.exe | 1384       | vbc.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)

Processes:

pid  | process
2012 | vbc.exe
HawkEye Reborn

HawkEye Reborn is an enhanced version of the HawkEye malware kit. The WriteProcessMemory and SetThreadContext IoCs above show the same pattern three times: the parent writes into a freshly created process and then replaces its thread context, first against a second copy of itself (1844 → 1880) and then against two vbc.exe children (1880 → 2012, 1880 → 1384). Write-then-SetThreadContext against a child that has not yet started is the process-hollowing sequence, so the code that actually runs inside vbc.exe is whatever was written into it, not the compiler.

Uses the Visual Basic .NET compiler (vbc.exe) as an execution host (1 TTP)

Reads browser user data or profiles (possible credential harvesting) (2 TTPs)
Processes

C:\Users\Admin\AppData\Local\Temp\H.bin.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\H.bin.exe"
  PID: 1844
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Local\Temp\H.bin.exe  (depth 2)
    command line: "{path}"
    PID: 1880
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (depth 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE4B3.tmp"
      PID: 2012
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (depth 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD807.tmp"
      PID: 1384
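Added example, not part of the sandbox report: a short Python script that re-parses the WriteProcessMemory and SetThreadContext IoC rows from the Signatures section into per-process-pair events, flags every pair where the parent both wrote the child's memory and replaced its thread context as a process-hollowing candidate, and then cross-checks the process tree for a vbc.exe host launched with /stext. The sample rows and command lines are the report's own, re-typed here as constructed input; the regexes, function names and the heuristic itself are this example's assumptions. The observation that /stext is not a vbc.exe switch but the "save as text" option of the password-recovery tools HawkEye is known to inject comes from general HawkEye analysis, not from this report.

```python
"""Correlate sandbox IoC rows into a process-hollowing verdict.

Added example; the report does not ship this code. Parsing rules and the
hollowing heuristic are assumptions of this script.
"""
import re
from collections import defaultdict

# Constructed sample input: the three distinct rows of each signature above
# (the report repeats them 9/10/10 times; duplicates carry no extra signal).
SAMPLE_IOCS = """\
PID 1844 wrote to memory of 1880 1844 H.bin.exe H.bin.exe
PID 1880 wrote to memory of 2012 1880 H.bin.exe vbc.exe
PID 1880 wrote to memory of 1384 1880 H.bin.exe vbc.exe
PID 1844 set thread context of 1880 1844 H.bin.exe H.bin.exe
PID 1880 set thread context of 2012 1880 H.bin.exe vbc.exe
PID 1880 set thread context of 1384 1880 H.bin.exe vbc.exe
"""

# Constructed sample input: command lines from the report's process tree.
SAMPLE_CMDLINES = {
    1844: r'"C:\Users\Admin\AppData\Local\Temp\H.bin.exe"',
    1880: '"{path}"',
    2012: r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE4B3.tmp"',
    1384: r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD807.tmp"',
}

# Row layout assumed from the report: "PID <src> <action> <dst> <src> <src image> <dst image>"
IOC_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_iocs(text):
    """Fold IoC rows into one record per (source pid, target pid) pair."""
    events = defaultdict(lambda: {"write": False, "setctx": False})
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue  # unrelated signature row; ignore
        ev = events[(int(m["src"]), int(m["dst"]))]
        ev["src_img"] = m["src_img"]
        ev["dst_img"] = m["dst_img"]
        if m["action"].startswith("wrote"):
            ev["write"] = True
        else:
            ev["setctx"] = True
    return dict(events)


def hollowing_candidates(events):
    """Pairs where the parent both wrote the child's memory and set its
    thread context: the write-then-redirect sequence of process hollowing."""
    return sorted(k for k, v in events.items() if v["write"] and v["setctx"])


def stext_hosts(cmdlines):
    """PIDs whose command line is vbc.exe with /stext. vbc.exe has no such
    switch, so whatever honours it is injected code, not the compiler."""
    return sorted(
        pid for pid, cmd in cmdlines.items()
        if re.search(r'vbc\.exe"?\s+/stext\b', cmd, re.IGNORECASE)
    )


def verdict(ioc_text, cmdlines):
    """One finding per hollowed child, annotated with what runs inside it."""
    events = parse_iocs(ioc_text)
    dumps = stext_hosts(cmdlines)
    findings = []
    for src, dst in hollowing_candidates(events):
        ev = events[(src, dst)]
        kind = ("self-injection" if ev["src_img"] == ev["dst_img"]
                else "injection into " + ev["dst_img"])
        note = " (hollowed host runs /stext credential dump)" if dst in dumps else ""
        findings.append(f"{src} -> {dst}: {kind}{note}")
    return findings


if __name__ == "__main__":
    for f in verdict(SAMPLE_IOCS, SAMPLE_CMDLINES):
        print(f)
```

Run against the report's rows the script reports three hollowed children: the second H.bin.exe instance (self-injection, the stage that receives the unpacked payload) and the two vbc.exe instances, each tagged as a /stext dump host. The same two checks translate directly into an endpoint rule: alert when a process both writes to and sets the thread context of a child it just created, and alert separately on vbc.exe (or any .NET compiler binary) started with arguments the compiler does not accept.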