Analysis
- max time kernel: 100s
- max time network: 150s
- platform: windows10_x64
- resource: win10v200217
- submitted: 21-03-2020 22:33

Static task: static1

Behavioral task: behavioral1
- Sample: SCAN001.exe
- Resource: win7v200217

Behavioral task: behavioral2
- Sample: SCAN001.exe
- Resource: win10v200217
General
- Target: SCAN001.exe
- Size: 903KB
- MD5: 8a5867be14ac55f133f64e6234f2d2f7
- SHA1: b3aaafea6913d1ae69c9102310d51bf8257c0d25
- SHA256: 95dce20d910cf373ff2b72697282c344313dd3bf7ffd09c4ece59cd9f58c8972
- SHA512: 7aefa44f9fbd4d7c80529bea8b5b6c2c7b43cd4bdcda41f54e1cb84bb1ec15a6811ba8650c1cb5025793e46d3fe142f697d449c9b5840f00b311c828341a0270
Malware Config
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:

  | flow | ioc                       |
  |------|---------------------------|
  | 7    | bot.whatismyipaddress.com |

- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: SCAN001.exe, RegSvcs.exe

  | description                      | pid  | process     | target process | occurrences |
  |----------------------------------|------|-------------|----------------|-------------|
  | PID 4072 wrote to memory of 2640 | 4072 | SCAN001.exe | RegSvcs.exe    | 8           |
  | PID 2640 wrote to memory of 3228 | 2640 | RegSvcs.exe | vbc.exe        | 9           |
  | PID 2640 wrote to memory of 3500 | 2640 | RegSvcs.exe | vbc.exe        | 9           |

- Suspicious use of SetThreadContext (3 IoCs)
  Processes: SCAN001.exe, RegSvcs.exe

  | description                         | pid  | process     | target process |
  |-------------------------------------|------|-------------|----------------|
  | PID 4072 set thread context of 2640 | 4072 | SCAN001.exe | RegSvcs.exe    |
  | PID 2640 set thread context of 3228 | 2640 | RegSvcs.exe | vbc.exe        |
  | PID 2640 set thread context of 3500 | 2640 | RegSvcs.exe | vbc.exe        |

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: RegSvcs.exe

  | pid  | process     |
  |------|-------------|
  | 2640 | RegSvcs.exe |

- Uses the VBS compiler for execution (1 TTP)

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: vbc.exe, RegSvcs.exe

  | pid  | process     | occurrences |
  |------|-------------|-------------|
  | 3228 | vbc.exe     | 4           |
  | 2640 | RegSvcs.exe | 2           |

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe

  | description             | pid  | process     |
  |-------------------------|------|-------------|
  | Token: SeDebugPrivilege | 2640 | RegSvcs.exe |

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
Processes
- C:\Users\Admin\AppData\Local\Temp\SCAN001.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SCAN001.exe"
  PID: 4072
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (child of PID 4072)
    Command line: "{path}"
    PID: 2640
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of PID 2640)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE80E.tmp"
      PID: 3228
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of PID 2640)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF03D.tmp"
      PID: 3500