Analysis
- max time kernel: 109s
- max time network: 117s
- platform: windows7_x64
- resource: win7v200217
- submitted: 10-04-2020 09:20
Static task: static1
Behavioral task: behavioral1
- Sample: invoice 546787652355666666544333234555.exe
- Resource: win7v200217
Behavioral task: behavioral2
- Sample: invoice 546787652355666666544333234555.exe
- Resource: win10v200217
General
- Target: invoice 546787652355666666544333234555.exe
- Size: 2.1MB
- MD5: d7ab129d6d152cc9f84c8e8ab59f3ef4
- SHA1: 623c490e874aff8e6e6a5813ab87e3faf0be38a3
- SHA256: 4da820dc5b8b59fa5e8567477768de1cb71bd42969a56b70fa08f56309cbb89d
- SHA512: f0fe4e9e792560214208d1d49ece23eb15e2f1d85783ed135bb2502eb495f83eab3083567a40b23a6ace5ac03aef335e69be16db6ec397e9d15f472f2ea57a65
Malware Config
Signatures
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of FindShellTrayWindow (13 IoCs)
  Processes:
    pid   process
    1832  invoice 546787652355666666544333234555.exe
    (the same entry is recorded 13 times)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    description                       pid   process                                      target process
    PID 1832 wrote to memory of 1840  1832  invoice 546787652355666666544333234555.exe  RegAsm.exe
    (recorded 8 times)
    PID 1840 wrote to memory of 1964  1840  RegAsm.exe                                   vbc.exe
    (recorded 10 times)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                          pid   process                                      target process
    PID 1832 set thread context of 1840  1832  invoice 546787652355666666544333234555.exe  RegAsm.exe
    PID 1840 set thread context of 1964  1840  RegAsm.exe                                   vbc.exe
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SendNotifyMessage (13 IoCs)
  Processes:
    pid   process
    1832  invoice 546787652355666666544333234555.exe
    (the same entry is recorded 13 times)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid   process
    1832  invoice 546787652355666666544333234555.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1964  vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\invoice 546787652355666666544333234555.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice 546787652355666666544333234555.exe"
  PID: 1832
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious use of SendNotifyMessage
  - Suspicious behavior: MapViewOfSection
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 1840
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFAB2.tmp"
      PID: 1964
      - Suspicious behavior: EnumeratesProcesses