Analysis
max time kernel: 131s
max time network: 133s
platform: windows10_x64
resource: win10v200410
submitted: 15-04-2020 14:23
Static task: static1
Behavioral task: behavioral1
  Sample: HSBC BANK LETTER.exe
  Resource: win7v200410
Behavioral task: behavioral2
  Sample: HSBC BANK LETTER.exe
  Resource: win10v200410
General
Target: HSBC BANK LETTER.exe
Size: 722KB
MD5: c9f3af24ebda7a1bcaa94dc81156cf45
SHA1: 14dff67f355616a09733afabff2cf836bf9ebe52
SHA256: 07236ee497bab6187ef9e5ea42f6a184a9bb32030b50d88f251a449b03890305
SHA512: 719cfafe427d48211d4364954ac40bc714409b8b7a1b84cac8c208491daeee47418f25dd18b94800330485ed764539e0c62360913f59a04d44f3f87605f22663
Malware Config
Signatures
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows:
    flow 1: bot.whatismyipaddress.com
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 3920 (HSBC BANK LETTER.exe) wrote to memory of PID 3196 (schtasks.exe), 3 events
    PID 3920 (HSBC BANK LETTER.exe) wrote to memory of PID 972 (HSBC BANK LETTER.exe), 8 events
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 3920 (HSBC BANK LETTER.exe) set thread context of PID 972 (HSBC BANK LETTER.exe)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    PID 972 (HSBC BANK LETTER.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    PID 972 (HSBC BANK LETTER.exe): Token SeDebugPrivilege
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 972 (HSBC BANK LETTER.exe), 2 events
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe"
  PID: 3920
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QZsWuVHcCxhEXU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D7A.tmp"
    PID: 3196
    - Creates scheduled task(s)
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe
    Command line: "{path}"
    PID: 972
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
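The process tree above carries three detection-relevant patterns that process-creation telemetry alone can surface: schtasks.exe registering a task from an XML file dropped as a .tmp in the user's Temp directory, a parent launching a second copy of its own image with a bare "{path}" placeholder as the command line (the child that the report shows being written to and having its thread context set), and an image resolved under SysWOW64 while the command line names System32, which marks the parent as a 32-bit process under WOW64 file-system redirection. The following is an added example, not part of the sandbox report and not the sandbox's own rule logic. The ProcEvent records are constructed to mirror the tree above (the parent PID 1234 and explorer.exe parent, and the benign control record with PIDs 5000/4000, are assumptions); the rule names and field layout are likewise the author's choices, not a vendor schema.

```python
"""Triage rules for the process-creation behaviour in this report.

Runs over constructed Sysmon EID 1 / Security 4688 style records, not over
the sandbox's raw telemetry. SetThreadContext / WriteProcessMemory are not
visible in process-creation logs; the self-spawn rule is the telemetry-side
proxy for the injection the report observed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # resolved image path of the new process
    cmdline: str       # command line as recorded
    parent_image: str  # resolved image path of the parent


# Constructed records modelled on the report's process tree. The explorer.exe
# parent and PID 1234 are assumed; record 4 is a benign control case.
EVENTS = [
    ProcEvent(3920, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(3196, 3920,
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QZsWuVHcCxhEXU" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp8D7A.tmp"',
              r"C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe"),
    ProcEvent(972, 3920,
              r"C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe",
              '"{path}"',
              r"C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe"),
    ProcEvent(5000, 4000,
              r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Maintenance\Backup" '
              r'/XML "C:\ProgramData\Backup\task.xml"',
              r"C:\Windows\System32\cmd.exe"),
]

# Per-user Temp directory; schtasks itself is a system binary, so the signal
# is where its parent and its task definition live, not the binary.
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Value of the /XML argument, quoted or bare.
XML_ARG = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_schtasks(ev: ProcEvent):
    """schtasks /Create whose parent or task XML sits in the user's Temp."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    m = XML_ARG.search(ev.cmdline)
    xml_path = (m.group(1) or m.group(2)) if m else None
    reasons = []
    if TEMP_DIR.match(ev.parent_image):
        reasons.append("parent runs from user Temp")
    if xml_path and TEMP_DIR.match(xml_path) and xml_path.lower().endswith(".tmp"):
        reasons.append("task XML is a .tmp file in user Temp")
    if not reasons:
        return None
    return {"rule": "schtasks_create_from_temp", "pid": ev.pid, "xml": xml_path, "why": reasons}


def check_self_spawn(ev: ProcEvent):
    """Parent starts a second copy of its own image without passing its real
    path; a literal placeholder such as "{path}" is typical of a child created
    suspended to be hollowed, as the report's WriteProcessMemory and
    SetThreadContext events for PID 972 indicate."""
    if ev.image.lower() != ev.parent_image.lower():
        return None
    if ev.image.lower() in ev.cmdline.lower():
        return None  # ordinary self-relaunch that passes its own path
    return {"rule": "self_spawn_placeholder_cmdline", "pid": ev.pid,
            "ppid": ev.ppid, "cmdline": ev.cmdline}


def check_wow64_redirect(ev: ProcEvent):
    """Image under SysWOW64 while the command line names System32: the parent
    is 32-bit and hit WOW64 file-system redirection. Informational, but it
    tells you which architecture of the child to look at in memory."""
    if "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower():
        return {"rule": "wow64_redirect", "pid": ev.pid, "image": ev.image}
    return None


RULES = (check_schtasks, check_self_spawn, check_wow64_redirect)


def triage(events):
    """Apply every rule to every record; return the findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Against the constructed records the schtasks and WOW64 rules both fire on PID 3196 and the self-spawn rule on PID 972, while the control record (a task registered from C:\ProgramData by a cmd.exe parent) produces nothing. For response, the task name "Updates\QZsWuVHcCxhEXU" and the .tmp XML path from the finding are the artefacts to pull from the Task Scheduler store and the Temp directory before the sample cleans up.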