Analysis

  • max time kernel
    114s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v200217
  • submitted
    01-03-2020 23:51

General

  • Target

    INV1.exe

  • Size

    2.4MB

  • MD5

    0d4d52901a4cb69ba79e116f0db9de72

  • SHA1

    47c90b1490f7b3523490794951f3fa79a4114c91

  • SHA256

    dec757dc1c2b7722acf90fb43dac3e8e7052fa4c4a3c7c53126d93af5013ab2c

  • SHA512

    9947dcd78c31ef1bfa0cdcf821179426b461d0706b967a50a43bb19e13cd73ccaccb7f6a041a9ce00585a9371984ed7ed0409dfae0041f5d875698210a930f76

Malware Config

Signatures

  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Drops startup file 1 IoCs
  • Reads browser user data or profiles (possible credential harvesting) 2 TTPs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • Suspicious use of WriteProcessMemory 28 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INV1.exe
    "C:\Users\Admin\AppData\Local\Temp\INV1.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetThreadContext
    PID:3732
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3140
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3A25.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3864
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp466B.tmp"
        3⤵
        PID:760
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\Admin\AppData\Local\Temp\INV1.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3184
        • C:\Windows\SysWOW64\timeout.exe
          TimeOut 1
          3⤵
          • Delays execution with timeout.exe
          PID:3336

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3A25.tmp

  • memory/760-4-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/760-5-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/3140-0-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/3864-1-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3864-2-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB