Analysis

max time kernel: 104s
max time network: 107s
platform: windows10_x64
resource: win10v200217
submitted: 19-03-2020 13:09

Static task: static1

Behavioral task: behavioral1
Sample: 260017# PURCHASE LIST pdf.exe
Resource: win7v200217

Behavioral task: behavioral2
Sample: 260017# PURCHASE LIST pdf.exe
Resource: win10v200217

General

Target: 260017# PURCHASE LIST pdf.exe
Size: 1.1MB
MD5: 2a01ff3fa54364cc15e6535be1e57cca
SHA1: 8c1d0197d9fac0d7d580702860d35049424aa9af
SHA256: 3dd0e88a93b6d4fa561f0ece77fee607262c53a5ecb7164b64c29505b88083a8
SHA512: 3a2467296decf132a37fa164424acee57a3299e4d851829786359d0b2c9c41e62a5f136049b06ae2e51697f27561f7d24f86e4c5a12f024a7305d81089d9b041
Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid   process
    3996  260017# PURCHASE LIST pdf.exe
    3928  vbc.exe
    3928  vbc.exe
    3928  vbc.exe
    3928  vbc.exe

- Uses the VBS compiler for execution (1 TTP)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    3     bot.whatismyipaddress.com

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.

- Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed with a count)
  Processes:
    description                        pid   process                         target process                  count
    PID 3996 wrote to memory of 3468   3996  260017# PURCHASE LIST pdf.exe   schtasks.exe                    3
    PID 3996 wrote to memory of 992    3996  260017# PURCHASE LIST pdf.exe   260017# PURCHASE LIST pdf.exe   8
    PID 992 wrote to memory of 3928    992   260017# PURCHASE LIST pdf.exe   vbc.exe                         9
    PID 992 wrote to memory of 1248    992   260017# PURCHASE LIST pdf.exe   vbc.exe                         9

- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description                        pid   process                         target process
    PID 3996 set thread context of 992 3996  260017# PURCHASE LIST pdf.exe   260017# PURCHASE LIST pdf.exe
    PID 992 set thread context of 3928 992   260017# PURCHASE LIST pdf.exe   vbc.exe
    PID 992 set thread context of 1248 992   260017# PURCHASE LIST pdf.exe   vbc.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3996  260017# PURCHASE LIST pdf.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\260017# PURCHASE LIST pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\260017# PURCHASE LIST pdf.exe"
  PID: 3996
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DkoKQhprZPZjG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp92CA.tmp"
    PID: 3468
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\260017# PURCHASE LIST pdf.exe
    Command line: "{path}"
    PID: 992
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCC1A.tmp"
      PID: 3928
      - Suspicious behavior: EnumeratesProcesses

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD468.tmp"
      PID: 1248