Analysis
max time kernel: 152s
max time network: 105s
platform: windows7_x64
resource: win7v200217
submitted: 02-03-2020 12:22

Static task: static1

Behavioral task: behavioral1
  Sample: malware.exe
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: malware.exe
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds

General
Target: malware.exe
Size: 743KB
MD5: d0b3518e06e76afbf847b77eb0394aee
SHA1: 56d0931f5ca3dfb0f3848a512297adbf7d758a87
SHA256: a95ad9e61847bec0e9faac52ac95e069cf6cf9583733cc10cf547060e096eb24
SHA512: 0654014c576f29947c6773be6b0c359a1487d6ad7a9eab0cea3cc9df49d1fda1715d143d937347839aec815220783206af175ee1385c9838046798241f1c8bfd
Malware Config
Signatures

Suspicious use of SetThreadContext (4 IoCs)
Processes (description | pid | process | target process):
- PID 316 set thread context of 1576 | 316 | Uopcep.exe | regasm.exe
- PID 316 set thread context of 1052 | 316 | Uopcep.exe | regasm.exe
- PID 1052 set thread context of 2004 | 1052 | regasm.exe | vbc.exe
- PID 1052 set thread context of 1596 | 1052 | regasm.exe | vbc.exe

Uses the VBS compiler for execution (1 TTPs)

Loads dropped DLL (1 IoCs)
Processes (pid | process):
- 1868 | malware.exe

Executes dropped EXE (1 IoCs)
Processes (pid | process):
- 316 | Uopcep.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 316 | Uopcep.exe
- Token: SeDebugPrivilege | 1576 | regasm.exe
- Token: SeDebugPrivilege | 1052 | regasm.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes (pid | process):
- 316 | Uopcep.exe
- 316 | Uopcep.exe
- 316 | Uopcep.exe
- 316 | Uopcep.exe
- 1576 | regasm.exe
- 1576 | regasm.exe
- 316 | Uopcep.exe
- 2004 | vbc.exe
- 2004 | vbc.exe

Adds Run entry to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kherg = "C:\\Users\\Admin\\AppData\\Roaming\\Awwovi\\kherg.url" | Uopcep.exe
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

Modifies system certificate store
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | regasm.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | regasm.exe
Reads browser user data or profiles (possible credential harvesting) (2 TTPs)

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid | process):
- 1868 | malware.exe
- 1868 | malware.exe
- 316 | Uopcep.exe
- 316 | Uopcep.exe

Suspicious use of WriteProcessMemory (55 IoCs)
Processes (description | pid | process | target process | occurrences; identical rows collapsed, 55 rows in total):
- PID 1868 wrote to memory of 316 | 1868 | malware.exe | Uopcep.exe | 4
- PID 316 wrote to memory of 1576 | 316 | Uopcep.exe | regasm.exe | 12
- PID 316 wrote to memory of 1632 | 316 | Uopcep.exe | regasm.exe | 7
- PID 316 wrote to memory of 1052 | 316 | Uopcep.exe | regasm.exe | 12
- PID 1052 wrote to memory of 2004 | 1052 | regasm.exe | vbc.exe | 10
- PID 1052 wrote to memory of 1596 | 1052 | regasm.exe | vbc.exe | 10
Processes

C:\Users\Admin\AppData\Local\Temp\malware.exe (level 1, PID 1868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\malware.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Awwovi\Uopcep.exe (level 2, PID 316)
    Command line: "C:\Users\Admin\AppData\Roaming\Awwovi\Uopcep.exe"
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run entry to start application
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (level 3, PID 1576)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (level 3, PID 1632)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (level 3, PID 1052)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 4, PID 2004)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB579.tmp"
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 4, PID 1596)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA7A4.tmp"