Analysis
- Max time kernel: 151s
- Max time network: 102s
- Platform: windows7_x64
- Resource: win7v200217
- Submitted: 21-03-2020 22:33
Static task: static1

Behavioral task: behavioral1
- Sample: SCAN001.exe
- Resource: win7v200217 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: SCAN001.exe
- Resource: win10v200217 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: SCAN001.exe
- Size: 903KB
- MD5: 8a5867be14ac55f133f64e6234f2d2f7
- SHA1: b3aaafea6913d1ae69c9102310d51bf8257c0d25
- SHA256: 95dce20d910cf373ff2b72697282c344313dd3bf7ffd09c4ece59cd9f58c8972
- SHA512: 7aefa44f9fbd4d7c80529bea8b5b6c2c7b43cd4bdcda41f54e1cb84bb1ec15a6811ba8650c1cb5025793e46d3fe142f697d449c9b5840f00b311c828341a0270
- Score: 10/10
Malware Config
Signatures
- Uses the VBS compiler for execution (1 TTP)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (identical rows collapsed; the occurrences column gives the count per row):
  description                        pid   process      target process   occurrences
  PID 1872 wrote to memory of 1908   1872  SCAN001.exe  RegSvcs.exe      12
  PID 1908 wrote to memory of 2044   1908  RegSvcs.exe  vbc.exe          10
  PID 1908 wrote to memory of 1540   1908  RegSvcs.exe  vbc.exe          10
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description                            pid   process      target process
  PID 1872 set thread context of 1908    1872  SCAN001.exe  RegSvcs.exe
  PID 1908 set thread context of 2044    1908  RegSvcs.exe  vbc.exe
  PID 1908 set thread context of 1540    1908  RegSvcs.exe  vbc.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid   process
  2044  vbc.exe
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
Processes (process tree; indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\SCAN001.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN001.exe"
  PID: 1872
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 1908
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2E.tmp"
      PID: 2044
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF2E7.tmp"
      PID: 1540