Analysis
- max time kernel: 116s
- max time network: 121s
- platform: windows10_x64
- resource: win10v200217
- submitted: 21-03-2020 22:20

Static task: static1

Behavioral task: behavioral1
- Sample: 07675566556 PURCHASE ORDERpdf.exe
- Resource: win7v200217

Behavioral task: behavioral2
- Sample: 07675566556 PURCHASE ORDERpdf.exe
- Resource: win10v200217
General
- Target: 07675566556 PURCHASE ORDERpdf.exe
- Size: 876KB
- MD5: b274988968c4256575dd4c4403838324
- SHA1: a62d5ceb57ddec5dcffe768c6f48ff1dae66db67
- SHA256: bbf613ce1f6850b2b62c6f55082ab7b9bcc7f92db0a8ec8f0b495e29cb4988ae
- SHA512: abc5906d8e1e69ff1b33c61db06c4802e370efc8c15db8742092148fbb57aa8df3bd70e6b54fcf6b9a232642318510a4b352ce9810fbd7a1904b6f806d379978
Malware Config
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- Uses the VBS compiler for execution (1 TTP)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (29 IoCs)
Processes (29 events; identical rows collapsed with a count):
  description                         pid   process                            target process
  PID 3992 wrote to memory of 3608    3992  07675566556 PURCHASE ORDERpdf.exe  schtasks.exe                        (3 events)
  PID 3992 wrote to memory of 2492    3992  07675566556 PURCHASE ORDERpdf.exe  07675566556 PURCHASE ORDERpdf.exe   (8 events)
  PID 2492 wrote to memory of 4088    2492  07675566556 PURCHASE ORDERpdf.exe  vbc.exe                             (9 events)
  PID 2492 wrote to memory of 3376    2492  07675566556 PURCHASE ORDERpdf.exe  vbc.exe                             (9 events)
- Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          pid   process                            target process
  PID 3992 set thread context of 2492  3992  07675566556 PURCHASE ORDERpdf.exe  07675566556 PURCHASE ORDERpdf.exe
  PID 2492 set thread context of 4088  2492  07675566556 PURCHASE ORDERpdf.exe  vbc.exe
  PID 2492 set thread context of 3376  2492  07675566556 PURCHASE ORDERpdf.exe  vbc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  4088  vbc.exe   (4 events)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  8     bot.whatismyipaddress.com
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (process tree; indentation shows parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe"
   PID: 3992
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eLajqaT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85D9.tmp"
      PID: 3608
      - Creates scheduled task(s)

   2. C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe
      Command line: "{path}"
      PID: 2492
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCDDF.tmp"
         PID: 4088
         - Suspicious behavior: EnumeratesProcesses

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDA24.tmp"
         PID: 3376