Analysis
- max time kernel: 114s
- max time network: 150s
- platform: windows10_x64
- resource: win10v200217
- submitted: 01-03-2020 23:51

Static task: static1

Behavioral task: behavioral1
- Sample: INV1.exe
- Resource: win7v200217 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: INV1.exe
- Resource: win10v200217 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: INV1.exe
- Size: 2.4MB
- MD5: 0d4d52901a4cb69ba79e116f0db9de72
- SHA1: 47c90b1490f7b3523490794951f3fa79a4114c91
- SHA256: dec757dc1c2b7722acf90fb43dac3e8e7052fa4c4a3c7c53126d93af5013ab2c
- SHA512: 9947dcd78c31ef1bfa0cdcf821179426b461d0706b967a50a43bb19e13cd73ccaccb7f6a041a9ce00585a9371984ed7ed0409dfae0041f5d875698210a930f76
- Score: 10/10
Malware Config
Signatures
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: pid 3732 INV1.exe (3 rows)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: pid 3732 INV1.exe (3 rows)
- Drops startup file (1 IoC)
  Processes:
    description: File opened for modification
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AppVFileSystemMetadata.url
    process: INV1.exe
- Reads browser user data or profiles (possible credential harvesting) (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 3140
    process: RegAsm.exe
- Delays execution with timeout.exe (1 IoC)
  Processes: pid 3336 timeout.exe
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (source pid/process, target pid/process, number of rows in the report):
    3732 INV1.exe    wrote to memory of  3140 RegAsm.exe   (4)
    3732 INV1.exe    wrote to memory of  3184 cmd.exe      (3)
    3184 cmd.exe     wrote to memory of  3336 timeout.exe  (3)
    3140 RegAsm.exe  wrote to memory of  3864 vbc.exe      (9)
    3140 RegAsm.exe  wrote to memory of  760  vbc.exe      (9)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 3732 INV1.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (source pid/process, target pid/process):
    3732 INV1.exe    set thread context of  3140 RegAsm.exe
    3140 RegAsm.exe  set thread context of  3864 vbc.exe
    3140 RegAsm.exe  set thread context of  760  vbc.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: pid 3864 vbc.exe (4 rows), pid 3140 RegAsm.exe (2 rows)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: pid 3140 RegAsm.exe
- Uses the VBS compiler for execution (1 TTP)
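The WriteProcessMemory and SetThreadContext rows above are more useful read together than as separate counters: a source that both writes into a target and then resets a thread context there is executing the RunPE / process-hollowing sequence (the MapViewOfSection hit on INV1.exe fits the same pattern), whereas a parent that only writes into a child a few times is usually just a normal CreateProcess. The script below is an added example, not code from the sandbox or from the report; it takes the report's own rows as input (each repeated as many times as the report lists it) and rebuilds the injection chain INV1.exe -> RegAsm.exe -> vbc.exe x2 while leaving INV1.exe -> cmd.exe out. The parser, the pairing rule and the host list are this example's own assumptions.

```python
"""Rebuild the process-injection chain from the report's API-level IoCs.

Added example; not code from the sandbox or from the report. REPORT_EVENTS
is the text of the "Suspicious use of WriteProcessMemory" and "Suspicious use
of SetThreadContext" rows above (each row repeated as many times as the report
lists it); the parser, the pairing rule and the host list are this example's
own assumptions about how to post-process such a report.
"""
import re
from collections import Counter

REPORT_EVENTS = (
    "PID 3732 wrote to memory of 3140 3732 INV1.exe RegAsm.exe " * 4
    + "PID 3732 wrote to memory of 3184 3732 INV1.exe cmd.exe " * 3
    + "PID 3184 wrote to memory of 3336 3184 cmd.exe timeout.exe " * 3
    + "PID 3140 wrote to memory of 3864 3140 RegAsm.exe vbc.exe " * 9
    + "PID 3140 wrote to memory of 760 3140 RegAsm.exe vbc.exe " * 9
    + "PID 3732 set thread context of 3140 3732 INV1.exe RegAsm.exe "
    + "PID 3140 set thread context of 3864 3140 RegAsm.exe vbc.exe "
    + "PID 3140 set thread context of 760 3140 RegAsm.exe vbc.exe "
)

# Row layout in the report: "PID <src> <verb> <dst> <src again> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)"
)

# Signed .NET Framework binaries commonly used as hollowing hosts (assumed list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "vbc.exe", "csc.exe"}


def parse_events(text):
    """Return (kind, src_pid, src_image, dst_pid, dst_image) tuples; kind is write or setctx."""
    events = []
    for src, verb, dst, src_img, dst_img in EVENT_RE.findall(text):
        kind = "write" if verb.startswith("wrote") else "setctx"
        events.append((kind, int(src), src_img, int(dst), dst_img))
    return events


def injection_edges(events):
    """(src_pid, src_image, dst_pid, dst_image) pairs where the source both wrote
    into the target and reset a thread context there, with the write count.
    A plain CreateProcess also yields a few WriteProcessMemory rows (INV1.exe ->
    cmd.exe above), so writes alone are not treated as injection."""
    writes = Counter((s, si, d, di) for k, s, si, d, di in events if k == "write")
    ctx = {(s, si, d, di) for k, s, si, d, di in events if k == "setctx"}
    return [(edge, n) for edge, n in writes.items() if edge in ctx]


def hollowing_paths(events, root_pid):
    """Follow injection edges down from root_pid and render each chain as text."""
    children = {}
    for (s, si, d, di), _ in injection_edges(events):
        children.setdefault((s, si), []).append((d, di))
    root = next((node for node in children if node[0] == root_pid), None)
    if root is None:
        return []

    def walk(node):
        label = "%s(%d)" % (node[1], node[0])
        kids = children.get(node, [])
        return [label] if not kids else [label + " > " + p for k in kids for p in walk(k)]

    return walk(root)


def hosts_abused(events):
    """Sorted names of the Windows-signed .NET binaries that received injected code."""
    return sorted({di.lower() for (_, _, _, di), _ in injection_edges(events)
                   if di.lower() in DOTNET_HOSTS})


if __name__ == "__main__":
    ev = parse_events(REPORT_EVENTS)
    for path in hollowing_paths(ev, 3732):
        print(path)
    print("abused hosts:", hosts_abused(ev))
```

The output is two chains, INV1.exe(3732) > RegAsm.exe(3140) > vbc.exe(3864) and the same with vbc.exe(760), and the host list regasm.exe and vbc.exe. The second hop matters for hunting: the credential-reading behaviour in this report is attributed to vbc.exe, not to the dropper, so detections keyed only on the first-stage file name miss it.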
Processes (indented by tree level)

C:\Users\Admin\AppData\Local\Temp\INV1.exe
  "C:\Users\Admin\AppData\Local\Temp\INV1.exe"  (level 1, PID 3732)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"  (level 2, PID 3140)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3A25.tmp"  (level 3, PID 3864)
          - Suspicious behavior: EnumeratesProcesses

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp466B.tmp"  (level 3, PID 760)

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\Admin\AppData\Local\Temp\INV1.exe"  (level 2, PID 3184)
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
          TimeOut 1  (level 3, PID 3336)
          - Delays execution with timeout.exe
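The process tree carries four command-line facts worth turning into rules: RegAsm.exe is started with nothing but its own quoted path (in legitimate use it always takes an assembly to register), so a bare RegAsm.exe spawned by a binary in a user-writable directory is the hollowing tell; vbc.exe is run with `/stext <file in Temp>`, the "save as text" switch of the NirSoft password-recovery tools rather than anything the Visual Basic compiler understands, which is consistent with the credential-harvesting signature above; `cmd.exe /c TimeOut 1 & Del /F <dropper>` is self-deletion; and the image path C:\Windows\SysWOW64\cmd.exe for a command line that asked for System32\cmd.exe shows the parent is a 32-bit process (file-system redirection). The script below is an added example, not code from the sandbox or from the report; PROCESS_TREE and FILE_EVENTS are constructed from the tree and the "Drops startup file" IoC above (parent PIDs follow the tree nesting), and the rule names, host list and ATT&CK mapping are this example's own.

```python
"""Triage rules run over the report's process tree.

Added example; this is not code from the sandbox or from the report's author.
PROCESS_TREE and FILE_EVENTS are constructed from the process tree and the
"Drops startup file" IoC in the report (PPIDs follow the tree nesting); the
rule names, the host list and the ATT&CK mapping are this example's own.
"""
import ntpath
import re

NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

PROCESS_TREE = [  # (pid, ppid, image path, command line)
    (3732, 0, TEMP + r"\INV1.exe", '"' + TEMP + r'\INV1.exe"'),
    (3140, 3732, NET + r"\RegAsm.exe", '"' + NET + r'\RegAsm.exe"'),
    (3864, 3140, NET + r"\vbc.exe", '"' + NET + r'\vbc.exe" /stext "' + TEMP + r'\tmp3A25.tmp"'),
    (760, 3140, NET + r"\vbc.exe", '"' + NET + r'\vbc.exe" /stext "' + TEMP + r'\tmp466B.tmp"'),
    (3184, 3732, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "' + TEMP + r'\INV1.exe"'),
    (3336, 3184, r"C:\Windows\SysWOW64\timeout.exe", "TimeOut 1"),
]
FILE_EVENTS = [  # (pid, path opened for modification)
    (3732, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AppVFileSystemMetadata.url"),
]

# Signed .NET Framework binaries that need an argument (assembly, source file,
# project) in legitimate use, so a bare quoted image path is the tell (assumed list).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "vbc.exe", "csc.exe"}
USER_WRITABLE = re.compile(r"^C:\\Users\\", re.I)  # proxy for "not a program directory"
STEXT_RE = re.compile(r'/stext\s+"?([^"]+)', re.I)  # NirSoft "save as text" switch
SELF_DELETE_RE = re.compile(r'timeout\s+\d+\s*&\s*del\s+(?:/\w+\s+)*"?([^"]+)', re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
ATTACK = {  # rule -> ATT&CK technique; this example's own mapping
    "hollow_host": "T1055.012 Process Hollowing",
    "cred_dump_stext": "T1555 Credentials from Password Stores",
    "self_delete": "T1070.004 Indicator Removal: File Deletion",
    "startup_persistence": "T1547.001 Registry Run Keys / Startup Folder",
}


def _bare_image(cmdline, image):
    """True when the command line is nothing but the (quoted) image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


def triage(tree, file_events):
    """Return (pid, rule, detail) findings in tree order."""
    by_pid = {pid: (ppid, img, cmd) for pid, ppid, img, cmd in tree}
    findings = []
    for pid, ppid, img, cmd in tree:
        base = ntpath.basename(img).lower()
        parent = by_pid.get(ppid)
        if base in HOLLOW_HOSTS and _bare_image(cmd, img) and parent and USER_WRITABLE.match(parent[1]):
            findings.append((pid, "hollow_host",
                             "%s with no arguments, parent %s" % (base, ntpath.basename(parent[1]))))
        m = STEXT_RE.search(cmd)
        if m:
            findings.append((pid, "cred_dump_stext", m.group(1)))
        m = SELF_DELETE_RE.search(cmd) if base == "cmd.exe" else None
        if m:
            target = m.group(1)
            # tie the deleted path back to the process that dropped it, if it is in the tree
            victim = next((p for p, (_, i, _) in by_pid.items() if i.lower() == target.lower()), None)
            findings.append((pid, "self_delete", "deletes %s (pid %s)" % (target, victim)))
        if "\\syswow64\\" in img.lower() and "\\system32\\" in cmd.lower():
            # WOW64 file-system redirection: a 32-bit parent asked for System32\cmd.exe
            findings.append((pid, "wow64_redirect", "32-bit parent pid %s" % ppid))
    for pid, path in file_events:
        if STARTUP_DIR in path.lower():
            findings.append((pid, "startup_persistence", ntpath.basename(path)))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCESS_TREE, FILE_EVENTS):
        print(pid, rule, ATTACK.get(rule, "-"), detail)
```

Running it yields six findings: the bare RegAsm.exe under a Temp-resident parent, the two `/stext` dumps into tmp3A25.tmp and tmp466B.tmp, the self-delete of INV1.exe tied back to pid 3732, the WOW64 redirection on cmd.exe, and the .url drop into the Startup folder. The two vbc.exe children are not flagged as hollowing hosts by this rule because they carry arguments and their parent lives under C:\Windows; the API-level SetThreadContext rows are what expose them as injected, so the two views complement each other.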