Analysis
- max time kernel: 114s
- max time network: 131s
- platform: windows10_x64
- resource: win10v200217
- submitted: 08-04-2020 20:08
Static task: static1
Behavioral task: behavioral1
- Sample: Receipt Address Confirmation (Please Sign)_Pdf.exe
- Resource: win7v200217
Behavioral task: behavioral2
- Sample: Receipt Address Confirmation (Please Sign)_Pdf.exe
- Resource: win10v200217
General
- Target: Receipt Address Confirmation (Please Sign)_Pdf.exe
- Size: 2.2MB
- MD5: 157e9390532b041fe9fca9dc1b134b73
- SHA1: caae0235e24e1f8965e0a028a9480d48f1d85547
- SHA256: 845971f894b9fc0fab3ab5a37bc080bae378ea358b8adc676e06043440839059
- SHA512: b75da8ababd520ebbe8a28abb2bf3bfc2a2c436914b816bbd7242d0e363adc86b04ee3e8461b7742d9ada081eb24c9a9a6569318b5f20b0fcdc9e0a5712e486a
Malware Config
Signatures
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 4012 set thread context of 3524 | 4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe | RegAsm.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  3524 | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 3524 | RegAsm.exe
- Suspicious use of FindShellTrayWindow (11 IoCs)
  Processes (pid | process):
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 4012 wrote to memory of 3524 | 4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe | RegAsm.exe
  PID 4012 wrote to memory of 3524 | 4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe | RegAsm.exe
  PID 4012 wrote to memory of 3524 | 4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe | RegAsm.exe
  PID 4012 wrote to memory of 3524 | 4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  3524 | RegAsm.exe
  3524 | RegAsm.exe
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network (flow | ioc):
  1 | bot.whatismyipaddress.com
- Suspicious use of SendNotifyMessage (11 IoCs)
  Processes (pid | process):
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
  4012 | Receipt Address Confirmation (Please Sign)_Pdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Receipt Address Confirmation (Please Sign)_Pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Receipt Address Confirmation (Please Sign)_Pdf.exe"
  Depth: 1
  PID: 4012
  Signatures:
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
    Depth: 2
    PID: 3524
    Signatures:
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses