Analysis
  max time kernel:  108s
  max time network: 150s
  platform:         windows10_x64
  resource:         win10v200217
  submitted:        10-04-2020 09:20
Static task: static1
Behavioral task: behavioral1
  Sample:   invoice 546787652355666666544333234555.exe
  Resource: win7v200217
Behavioral task: behavioral2
  Sample:   invoice 546787652355666666544333234555.exe
  Resource: win10v200217
General
  Target: invoice 546787652355666666544333234555.exe
  Size:   2.1MB
  MD5:    d7ab129d6d152cc9f84c8e8ab59f3ef4
  SHA1:   623c490e874aff8e6e6a5813ab87e3faf0be38a3
  SHA256: 4da820dc5b8b59fa5e8567477768de1cb71bd42969a56b70fa08f56309cbb89d
  SHA512: f0fe4e9e792560214208d1d49ece23eb15e2f1d85783ed135bb2502eb495f83eab3083567a40b23a6ace5ac03aef335e69be16db6ec397e9d15f472f2ea57a65
Malware Config
Signatures
Suspicious use of WriteProcessMemory (25 IoCs)
Processes (source PID, source process -> target PID, target process, number of write events):
  4012 invoice 546787652355666666544333234555.exe -> 988  RegAsm.exe  x3
  4012 invoice 546787652355666666544333234555.exe -> 3768 RegAsm.exe  x4
  3768 RegAsm.exe                                  -> 3424 vbc.exe     x9
  3768 RegAsm.exe                                  -> 1832 vbc.exe     x9
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (PID, process, number of events):
  4012 invoice 546787652355666666544333234555.exe  x2
Suspicious use of SetThreadContext (3 IoCs)
Processes (source PID, source process -> target PID, target process):
  4012 invoice 546787652355666666544333234555.exe -> 3768 RegAsm.exe
  3768 RegAsm.exe                                  -> 3424 vbc.exe
  3768 RegAsm.exe                                  -> 1832 vbc.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (PID, process, number of events):
  3424 vbc.exe  x4
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network (flow, IoC):
  flow 7  bot.whatismyipaddress.com

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
Suspicious use of FindShellTrayWindow (14 IoCs)
Processes (PID, process, number of events):
  4012 invoice 546787652355666666544333234555.exe  x14
Suspicious use of SendNotifyMessage (14 IoCs)
Processes (PID, process, number of events):
  4012 invoice 546787652355666666544333234555.exe  x14
Uses the VBS compiler for execution (1 TTP)
vbc.exe, the Visual Basic .NET command-line compiler, is started twice under RegAsm.exe and receives WriteProcessMemory and SetThreadContext calls from it (see the process tree below), i.e. it is used as an injection host rather than as a compiler.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and history.
Processes (indentation shows parent/child nesting)

C:\Users\Admin\AppData\Local\Temp\invoice 546787652355666666544333234555.exe  (PID 4012)
  command line: "C:\Users\Admin\AppData\Local\Temp\invoice 546787652355666666544333234555.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 988)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 3768)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3424)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp673.tmp"
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1832)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF5D.tmp"
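The WriteProcessMemory and SetThreadContext tables in the Signatures section and the vbc.exe "/stext" command lines in the process tree together describe one process-hollowing chain: the sample writes into RegAsm.exe (PID 3768) and resets its thread context, and that RegAsm.exe does the same to two vbc.exe children, each told to write a text file into the user's Temp directory. The script below is an added example, not code from this report, from Triage or from any vendor; it replays those events and flags the chain. EVENTS and PROCESSES are constructed from the PIDs, image names and command lines visible above (PID 988, which only received writes and no SetThreadContext, is deliberately included as the negative case), and HOLLOW_HOSTS is an assumption about which .NET Framework binaries are commonly abused as injection hosts, which the report itself does not state.

```python
"""Triage a sandbox process tree for a process-hollowing chain.

Added example; it is not code from the Triage report or from any vendor.
EVENTS and PROCESSES are constructed from the PIDs, image names and command
lines shown in this report. HOLLOW_HOSTS is an assumption (signed .NET
Framework binaries commodity loaders routinely hollow), not something the
report states.
"""
import re
from collections import Counter

# Constructed from the report's WriteProcessMemory / SetThreadContext tables:
# (api, source_pid, target_pid). Repeat counts match the report (25 + 3).
EVENTS = (
    [("WriteProcessMemory", 4012, 988)] * 3
    + [("WriteProcessMemory", 4012, 3768)] * 4
    + [("WriteProcessMemory", 3768, 3424)] * 9
    + [("WriteProcessMemory", 3768, 1832)] * 9
    + [("SetThreadContext", 4012, 3768),
       ("SetThreadContext", 3768, 3424),
       ("SetThreadContext", 3768, 1832)]
)

FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's process tree: pid -> (image, command line, parent pid).
PROCESSES = {
    4012: ("invoice 546787652355666666544333234555.exe",
           f'"{TMP}\\invoice 546787652355666666544333234555.exe"', None),
    988: ("RegAsm.exe", f'"{FW}\\RegAsm.exe"', 4012),
    3768: ("RegAsm.exe", f'"{FW}\\RegAsm.exe"', 4012),
    3424: ("vbc.exe", f'"{FW}\\vbc.exe" /stext "{TMP}\\tmp673.tmp"', 3768),
    1832: ("vbc.exe", f'"{FW}\\vbc.exe" /stext "{TMP}\\tmpF5D.tmp"', 3768),
}

# Assumption: Microsoft-signed binaries commonly started and overwritten by loaders.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "msbuild.exe",
                "installutil.exe", "applaunch.exe", "aspnet_compiler.exe"}


def hollowing_pairs(events):
    """{(src, tgt): write_count} for every pair showing BOTH WriteProcessMemory
    and SetThreadContext from src into tgt. Writes alone are not enough (a
    parent may legitimately patch a child it created; PID 988 here only
    received writes); resetting the target's thread context after the writes
    is what redirects execution into the injected image."""
    writes = Counter((s, t) for api, s, t in events if api == "WriteProcessMemory")
    ctx = {(s, t) for api, s, t in events if api == "SetThreadContext"}
    return {pair: writes[pair] for pair in ctx if pair in writes}


def injection_chain(events, processes):
    """Order hollowed targets by depth below the original sample and note
    whether each host is a known hollowing host and a direct child of its injector."""
    pairs = hollowing_pairs(events)
    injector_of = {tgt: src for src, tgt in pairs}

    def depth(pid):
        d = 0
        while pid in injector_of:
            pid, d = injector_of[pid], d + 1
        return d

    chain = []
    for (src, tgt), n in pairs.items():
        tgt_img, _, parent = processes[tgt]
        chain.append({
            "depth": depth(tgt),
            "source_pid": src, "source": processes[src][0],
            "target_pid": tgt, "target": tgt_img, "writes": n,
            "target_is_child": parent == src,
            "host_is_known": tgt_img.lower() in HOLLOW_HOSTS,
        })
    return sorted(chain, key=lambda f: (f["depth"], f["target_pid"]))


def stext_dumps(processes):
    """vbc.exe instances launched with '/stext <file>'. /stext is not a VB.NET
    compiler switch; it is the NirSoft recovery tools' save-as-text switch, so
    a hollowed vbc.exe carrying it tells you where recovered data is written."""
    found = []
    for pid, (image, cmdline, parent) in processes.items():
        m = re.search(r'/stext\s+"([^"]+)"', cmdline)
        if image.lower() == "vbc.exe" and m:
            found.append({"pid": pid, "parent_pid": parent, "dump_file": m.group(1)})
    return sorted(found, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in injection_chain(EVENTS, PROCESSES):
        flag = "known host" if f["host_is_known"] else "unknown host"
        print(f'depth {f["depth"]}: {f["source"]} ({f["source_pid"]}) -> '
              f'{f["target"]} ({f["target_pid"]}), {f["writes"]} writes, {flag}')
    for d in stext_dumps(PROCESSES):
        print(f'vbc.exe {d["pid"]} (parent {d["parent_pid"]}) writes {d["dump_file"]}')
```

Run stand-alone it prints the three hollowing hops in depth order and the two Temp files the vbc.exe instances were told to write; those two paths are the first things to collect from the sandbox or the infected host, since the "Reads user/profile data of web browsers" TTP above is what ends up in them. Requiring both APIs per pair is what keeps PID 988 out of the chain and is the rule worth carrying into a real detection.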