Analysis
max time kernel: 151s
max time network: 115s
platform: windows7_x64
resource: win7v200217
submitted: 01-03-2020 23:51
Static task: static1
Behavioral task: behavioral1
    Sample: INV1.exe
    Resource: win7v200217 (windows7_x64)
    0 signatures, 0 seconds
Behavioral task: behavioral2
    Sample: INV1.exe
    Resource: win10v200217 (windows10_x64)
    0 signatures, 0 seconds
General
Target: INV1.exe
Size: 2.4MB
MD5: 0d4d52901a4cb69ba79e116f0db9de72
SHA1: 47c90b1490f7b3523490794951f3fa79a4114c91
SHA256: dec757dc1c2b7722acf90fb43dac3e8e7052fa4c4a3c7c53126d93af5013ab2c
SHA512: 9947dcd78c31ef1bfa0cdcf821179426b461d0706b967a50a43bb19e13cd73ccaccb7f6a041a9ce00585a9371984ed7ed0409dfae0041f5d875698210a930f76
Score: 10/10

Malware Config

Signatures
Suspicious use of SetThreadContext [3 IoCs]
Processes:
    description                            pid   process     target process
    PID 1844 set thread context of 1864    1844  INV1.exe    RegAsm.exe
    PID 1864 set thread context of 1280    1864  RegAsm.exe  vbc.exe
    PID 1864 set thread context of 1036    1864  RegAsm.exe  vbc.exe
Deletes itself [1 IoCs]
Processes:
    pid   process
    1896  cmd.exe
Delays execution with timeout.exe [1 IoCs]
Processes:
    pid   process
    1920  timeout.exe
Reads browser user data or profiles (possible credential harvesting) [2 TTPs]
Suspicious use of FindShellTrayWindow [3 IoCs]
Processes:
    pid   process
    1844  INV1.exe
    1844  INV1.exe
    1844  INV1.exe
Suspicious use of SendNotifyMessage [3 IoCs]
Processes:
    pid   process
    1844  INV1.exe
    1844  INV1.exe
    1844  INV1.exe
Suspicious use of WriteProcessMemory [36 IoCs]
Processes (36 rows in the report, shown here once per distinct source/target pair with the number of repeats):
    description                        pid   process     target process   repeats
    PID 1844 wrote to memory of 1864   1844  INV1.exe    RegAsm.exe       8
    PID 1844 wrote to memory of 1896   1844  INV1.exe    cmd.exe          4
    PID 1896 wrote to memory of 1920   1896  cmd.exe     timeout.exe      4
    PID 1864 wrote to memory of 1280   1864  RegAsm.exe  vbc.exe          10
    PID 1864 wrote to memory of 1036   1864  RegAsm.exe  vbc.exe          10
Suspicious behavior: MapViewOfSection [1 IoCs]
Processes:
    pid   process
    1844  INV1.exe
Suspicious behavior: EnumeratesProcesses [1 IoCs]
Processes:
    pid   process
    1280  vbc.exe
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
Uses the VBS compiler for execution [1 TTPs] (the "VBS compiler" here is vbc.exe, the Visual Basic .NET command-line compiler, used as an injection host rather than to compile anything)
Drops startup file [1 IoCs]
Processes:
    description                   ioc                                                                                        process
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AppVFileSystemMetadata.url  INV1.exe
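The SetThreadContext and WriteProcessMemory rows above, read together, describe process hollowing: the parent writes a payload into a freshly created child and then redirects the child's thread context to it, twice over (INV1.exe into RegAsm.exe, RegAsm.exe into two vbc.exe instances). The Python below is an added example by the editor, not the sandbox's own signature logic or anything from the sample: it parses rows in the report's own row format (EVENTS is a constructed copy of the rows above, one per distinct source/target pair), treats a child that was both written to and had its thread context set by the same parent as hollowed, and walks the resulting edges into chains. HOLLOW_HOSTS and the function names are assumptions.

```python
"""Reconstruct a process-hollowing chain from sandbox injection IoCs.

Added example (editor's code, not the sandbox's signature logic). EVENTS is a
constructed copy of this report's SetThreadContext and WriteProcessMemory rows,
one per distinct source/target pair; HOLLOW_HOSTS is an assumed list of signed
.NET utilities that loaders habitually hollow out.
"""
import re
from collections import defaultdict

# Row format used by the report: "PID <src> <verb> <dst> <src> <src image> <dst image>"
ROW = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

EVENTS = """
PID 1844 set thread context of 1864 1844 INV1.exe RegAsm.exe
PID 1864 set thread context of 1280 1864 RegAsm.exe vbc.exe
PID 1864 set thread context of 1036 1864 RegAsm.exe vbc.exe
PID 1844 wrote to memory of 1864 1844 INV1.exe RegAsm.exe
PID 1844 wrote to memory of 1896 1844 INV1.exe cmd.exe
PID 1896 wrote to memory of 1920 1896 cmd.exe timeout.exe
PID 1864 wrote to memory of 1280 1864 RegAsm.exe vbc.exe
PID 1864 wrote to memory of 1036 1864 RegAsm.exe vbc.exe
""".strip().splitlines()

# Assumption: signed Microsoft .NET tools commonly chosen as hollowing hosts.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe",
                "msbuild.exe", "installutil.exe", "applaunch.exe"}


def parse_events(lines):
    """Parse report rows into dicts; lines that do not match the format are ignored."""
    events = []
    for line in lines:
        m = ROW.match(line.strip())
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            events.append(e)
    return events


def hollowing_edges(events):
    """Return (src_pid, src_img, dst_pid, dst_img) for every child that the same
    parent both wrote to and set the thread context of.

    That pair is the hollowing idiom: create suspended, write the payload,
    SetThreadContext to the new entry point, resume. WriteProcessMemory on its
    own (cmd.exe -> timeout.exe in this report) also happens during ordinary
    CreateProcess startup, so it is not flagged without the context change.
    """
    wrote = {(e["src"], e["dst"]) for e in events if e["verb"] == "wrote to memory of"}
    ctx = {(e["src"], e["dst"]) for e in events if e["verb"] == "set thread context of"}
    names = {}
    for e in events:
        names[e["src"]] = e["src_img"]
        names[e["dst"]] = e["dst_img"]
    return [(s, names[s], d, names[d]) for s, d in sorted(wrote & ctx)]


def injection_chains(events):
    """Follow hollowing edges from each root injector down to every leaf."""
    edges = hollowing_edges(events)
    names, children, targets = {}, defaultdict(list), set()
    for s, s_img, d, d_img in edges:
        names[s], names[d] = s_img, d_img
        children[s].append(d)
        targets.add(d)
    roots = sorted({s for s, _, _, _ in edges} - targets)
    chains = []

    def walk(pid, path):
        if not children.get(pid):
            chains.append([f"{names[p]}({p})" for p in path])
            return
        for child in children[pid]:
            walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return chains


def hollowed_lolbins(events):
    """Hollowed targets that are signed .NET utilities: the payload now runs under
    a trusted image name, which is all that path- or signer-based allow-listing sees."""
    return sorted({d_img for _, _, _, d_img in hollowing_edges(events)
                   if d_img.lower() in HOLLOW_HOSTS})


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    for chain in injection_chains(ev):
        print(" -> ".join(chain))
    print("hollowed .NET hosts:", hollowed_lolbins(ev))
```

Run as-is it prints the two chains INV1.exe(1844) -> RegAsm.exe(1864) -> vbc.exe(1036) and -> vbc.exe(1280); the cmd.exe and timeout.exe rows drop out because no SetThreadContext accompanies them. The same pairing logic applies unchanged to Sysmon event 8 (CreateRemoteThread) or ETW-derived rows once they are mapped onto the same (src, dst, verb) shape.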
Processes (tree depth shown by indentation; the image path is what ran on disk, the command line is what was passed to CreateProcess)

C:\Users\Admin\AppData\Local\Temp\INV1.exe (PID 1844)
    command line: "C:\Users\Admin\AppData\Local\Temp\INV1.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Drops startup file

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 1864)
        command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1280)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2F68.tmp"
            - Suspicious behavior: EnumeratesProcesses

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1036)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2175.tmp"

    C:\Windows\SysWOW64\cmd.exe (PID 1896)
        command line: "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\Admin\AppData\Local\Temp\INV1.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe (PID 1920)
            command line: TimeOut 1
            - Delays execution with timeout.exe
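Two things in this tree are worth turning into detection logic: the cmd.exe child whose Del target is its own parent's image (the drop-and-erase idiom, with TimeOut in front so the parent has exited before the delete runs), and .NET tools started in ways the real tools never are: RegAsm.exe launched with no arguments by an executable in a user Temp directory, and vbc.exe given /stext, which is the save-as-text switch of the NirSoft password-recovery utilities, not a vbc.exe compiler option. The Python below is an added example by the editor, not report output: TREE is constructed from the PIDs, image paths and command lines listed in the tree above, and DOTNET_HOSTS, the regexes and the finding names are the editor's assumptions.

```python
"""Command-line heuristics over a sandbox process tree.

Added example (editor's code, not report output). TREE is constructed from the
PIDs, image paths and command lines in this report's process tree; DOTNET_HOSTS,
the regexes and the finding names are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # on-disk image as the sandbox resolved it
    cmdline: str    # command line as passed to CreateProcess


# Constructed from the report's tree. Note the 32-bit view: the sample runs from
# SysWOW64 and Framework (not Framework64), so the "System32" in the cmd.exe
# command line is redirected to SysWOW64 by WOW64 file-system redirection.
TREE = [
    Proc(1844, 0, r"C:\Users\Admin\AppData\Local\Temp\INV1.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\INV1.exe"'),
    Proc(1864, 1844, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'),
    Proc(1280, 1864, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2F68.tmp"'),
    Proc(1036, 1864, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2175.tmp"'),
    Proc(1896, 1844, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\Admin\AppData\Local\Temp\INV1.exe"'),
    Proc(1920, 1896, r"C:\Windows\SysWOW64\timeout.exe", "TimeOut 1"),
]

DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe", "msbuild.exe"}
# "del [/switches] <path>" terminated by "&" or end of line
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
# NirSoft password-recovery utilities write their report with /stext, /shtml, ...
NIRSOFT_RE = re.compile(r"/s(?:text|html|xml|csv|verhtml)\b", re.I)


def self_delete(proc, by_pid):
    """cmd.exe whose del target is its parent's own image. The timeout/ping in
    front exists only so the parent has exited and its file is unlocked."""
    if ntpath.basename(proc.image).lower() != "cmd.exe":
        return None
    m = DEL_RE.search(proc.cmdline)
    parent = by_pid.get(proc.ppid)
    if not m or parent is None:
        return None
    target = m.group(1).strip()
    if target.lower() != parent.image.lower():
        return None
    delayed = re.search(r"\b(?:timeout|ping)\b", proc.cmdline, re.I) is not None
    return {"pid": proc.pid, "deletes": target, "delayed": delayed}


def lolbin_misuse(proc, by_pid):
    """Signed .NET tools started in a way the genuine tool never is."""
    name = ntpath.basename(proc.image).lower()
    if name not in DOTNET_HOSTS:
        return None
    reasons = []
    parent = by_pid.get(proc.ppid)
    if parent and not parent.image.lower().startswith(("c:\\windows\\", "c:\\program files")):
        reasons.append(f"parent {ntpath.basename(parent.image)} runs from {ntpath.dirname(parent.image)}")
    args = re.sub(r'^(?:"[^"]*"|\S+)\s*', "", proc.cmdline)   # drop argv[0]
    if not args:
        reasons.append("started with no arguments (nothing to compile or register)")
    m = NIRSOFT_RE.search(args)
    if m:
        reasons.append(f"{m.group(0)} is a NirSoft save-report switch, not a {name} option")
    return {"pid": proc.pid, "image": name, "reasons": reasons} if reasons else None


def findings(tree):
    """Run every heuristic over every process; returns (kind, detail) pairs."""
    by_pid = {p.pid: p for p in tree}
    out = []
    for p in tree:
        for kind, check in (("self_delete", self_delete), ("lolbin_misuse", lolbin_misuse)):
            hit = check(p, by_pid)
            if hit:
                out.append((kind, hit))
    return out


if __name__ == "__main__":
    for kind, hit in findings(TREE):
        print(kind, hit)
```

On this tree the script reports one self_delete (PID 1896, delayed) and three lolbin_misuse hits: RegAsm.exe for its Temp-directory parent and empty argument list, and both vbc.exe instances for /stext. The parent-path test is deliberately strict; a benign build server that runs vbc.exe from a user profile would need an allow-list entry rather than a loosened rule.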