Analysis
- max time kernel: 105s
- max time network: 125s
- platform: windows7_x64
- resource: win7v200217
- submitted: 08-04-2020 20:08
Static task: static1
Behavioral task: behavioral1
- Sample: Receipt Address Confirmation (Please Sign)_Pdf.exe
- Resource: win7v200217
Behavioral task: behavioral2
- Sample: Receipt Address Confirmation (Please Sign)_Pdf.exe
- Resource: win10v200217
General
- Target: Receipt Address Confirmation (Please Sign)_Pdf.exe
- Size: 2.2MB
- MD5: 157e9390532b041fe9fca9dc1b134b73
- SHA1: caae0235e24e1f8965e0a028a9480d48f1d85547
- SHA256: 845971f894b9fc0fab3ab5a37bc080bae378ea358b8adc676e06043440839059
- SHA512: b75da8ababd520ebbe8a28abb2bf3bfc2a2c436914b816bbd7242d0e363adc86b04ee3e8461b7742d9ada081eb24c9a9a6569318b5f20b0fcdc9e0a5712e486a
Malware Config
Signatures
- Suspicious use of FindShellTrayWindow (10 IoCs)
  Processes: pid 1856, Receipt Address Confirmation (Please Sign)_Pdf.exe (10 identical rows)
- Suspicious use of SendNotifyMessage (10 IoCs)
  Processes: pid 1856, Receipt Address Confirmation (Please Sign)_Pdf.exe (10 identical rows)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: PID 1856 wrote to memory of 1864; source Receipt Address Confirmation (Please Sign)_Pdf.exe, target RegAsm.exe (8 identical rows)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 1856, Receipt Address Confirmation (Please Sign)_Pdf.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1856 set thread context of 1864; source Receipt Address Confirmation (Please Sign)_Pdf.exe, target RegAsm.exe
  Taken together with the WriteProcessMemory rows against the same child, this is the process-hollowing sequence: the dropper spawns the Microsoft-signed .NET utility RegAsm.exe, overwrites its memory with the payload, and points a thread at the injected code, so every later signature fires under the RegAsm.exe image name.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 3, ioc bot.whatismyipaddress.com
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: pid 1864, RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: SeDebugPrivilege, pid 1864, RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: pid 1864, RegAsm.exe (2 identical rows)
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
Processes
1. "C:\Users\Admin\AppData\Local\Temp\Receipt Address Confirmation (Please Sign)_Pdf.exe" (PID 1856)
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext
   2. "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 1864, child of 1856)
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
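The signature rows above (WriteProcessMemory and SetThreadContext from PID 1856 into RegAsm.exe PID 1864, then SeDebugPrivilege and the bot.whatismyipaddress.com flow from the child) are the raw material a triage script correlates into a verdict. The script below is an added example, not code from the sandbox or from this report: it rebuilds those rows as constructed Event records (the field names are an assumption, not any sandbox's export format) and flags a parent/child pair only when both the memory write and the thread-context reset land on the same child, since either call alone is routine in benign software.

```python
"""Correlate sandbox API-call rows into process-hollowing and IP-lookup alerts.

Added example, not part of the sandbox report or of any sandbox's own code. The
Event rows below are constructed to mirror the report's signature tables; the
field names are an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    api: str                      # API or signature name as the sandbox reports it
    pid: int                      # calling process
    process: str                  # image name of the caller
    target: Optional[int] = None  # target pid for cross-process APIs
    target_process: str = ""      # image name of the target
    detail: str = ""              # privilege name, contacted domain, etc.


DROPPER = "Receipt Address Confirmation (Please Sign)_Pdf.exe"

# Constructed rows; counts follow the report (8x WriteProcessMemory, 1x SetThreadContext).
EVENTS: List[Event] = (
    [Event("WriteProcessMemory", 1856, DROPPER, 1864, "RegAsm.exe")] * 8
    + [
        Event("MapViewOfSection", 1856, DROPPER),
        Event("SetThreadContext", 1856, DROPPER, 1864, "RegAsm.exe"),
        Event("SetWindowsHookEx", 1864, "RegAsm.exe"),
        Event("AdjustPrivilegeToken", 1864, "RegAsm.exe", detail="SeDebugPrivilege"),
        Event("flow", 1864, "RegAsm.exe", detail="bot.whatismyipaddress.com"),
    ]
)

# Microsoft-signed .NET utilities that loaders commonly spawn suspended and hollow out.
NET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
# Public "what is my IP" services stealers use to geotag the victim (assumed watchlist).
IP_LOOKUP_DOMAINS = {"bot.whatismyipaddress.com", "api.ipify.org", "checkip.dyndns.org",
                     "icanhazip.com", "ifconfig.me"}


def find_hollowing(events: List[Event]) -> List[Tuple[int, int, str]]:
    """Return (parent_pid, child_pid, child_image) triples where the parent both wrote
    into the child's memory and replaced a thread context in it."""
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    ctx_reset: Set[Tuple[int, int]] = set()
    image: Dict[Tuple[int, int], str] = {}
    for e in events:
        if e.target is None:
            continue
        key = (e.pid, e.target)
        image[key] = e.target_process
        if e.api == "WriteProcessMemory":
            writes[key] += 1
        elif e.api == "SetThreadContext":
            ctx_reset.add(key)
    return sorted((p, c, image[(p, c)]) for (p, c) in ctx_reset if writes[(p, c)] > 0)


def find_ip_lookups(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, domain) pairs for network flows to known external-IP services."""
    return sorted({(e.pid, e.detail) for e in events
                   if e.api == "flow" and e.detail.lower() in IP_LOOKUP_DOMAINS})


def analyze(events: List[Event]) -> dict:
    """Combine the indicators into a verdict with human-readable reasons."""
    hollowing = find_hollowing(events)
    reasons = []
    for parent, child, img in hollowing:
        tag = " (signed .NET host)" if img.lower() in NET_HOSTS else ""
        reasons.append(f"pid {parent} hollowed pid {child} {img}{tag}")
    lookups = find_ip_lookups(events)
    for pid, domain in lookups:
        reasons.append(f"pid {pid} looked up the external IP via {domain}")
    # SeDebugPrivilege requested by a hollowed child means the payload, not the host, is running.
    injected = {child for _, child, _ in hollowing}
    for e in events:
        if e.api == "AdjustPrivilegeToken" and e.detail == "SeDebugPrivilege" and e.pid in injected:
            reasons.append(f"pid {e.pid} enabled SeDebugPrivilege inside a hollowed process")
    verdict = "malicious" if hollowing else ("suspicious" if reasons else "clean")
    return {"verdict": verdict, "hollowing": hollowing, "ip_lookups": lookups, "reasons": reasons}


if __name__ == "__main__":
    result = analyze(EVENTS)
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Run against the constructed rows it reports the 1856 -> 1864 RegAsm.exe hollowing, the IP lookup and the SeDebugPrivilege request; feed it a parent that only calls WriteProcessMemory and it stays quiet, which is the point of requiring both halves of the sequence before alerting.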