Analysis
- max time kernel: 109s
- max time network: 108s
- platform: windows7_x64
- resource: win7v200410
- submitted: 16-04-2020 14:26
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
  Resource: win7v200410
Behavioral task: behavioral2
  Sample: Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
  Resource: win10v200410
General
- Target: Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
- Size: 797KB
- MD5: 505264e67b6787fedea83f9e991af967
- SHA1: 710f8b8cef9c23ca3a2e9a73ed77efad9b2dc417
- SHA256: ea20eb1a2d508640fc12743bce90d5ce169ea87fd394a701359429498aef934c
- SHA512: e75326df6e359362ec78d8c4ca175aeea475c0a2cad3d4437cf99ecc61c84854dbdee4e96fb46690724da700970f690faf316cd74785c9c99fb7f691ba6c517c
Malware Config
Signatures
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    3     bot.whatismyipaddress.com
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    Token: SeDebugPrivilege  1748  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    1748  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    1748  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description                       pid   process                                                                              target process
    PID 1600 wrote to memory of 752   1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  schtasks.exe
    PID 1600 wrote to memory of 752   1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  schtasks.exe
    PID 1600 wrote to memory of 752   1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  schtasks.exe
    PID 1600 wrote to memory of 752   1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  schtasks.exe
    PID 1600 wrote to memory of 1748  1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    PID 1600 wrote to memory of 1748  1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    PID 1600 wrote to memory of 1748  1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    PID 1600 wrote to memory of 1748  1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    PID 1600 wrote to memory of 1748  1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    PID 1600 wrote to memory of 1748  1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    PID 1600 wrote to memory of 1748  1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    PID 1600 wrote to memory of 1748  1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    PID 1600 wrote to memory of 1748  1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process                                                                              target process
    PID 1600 set thread context of 1748  1600  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    1748  Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe"
  Depth: 1
  PID: 1600
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SsOOnpSFLbg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp842C.tmp"
    Depth: 2
    PID: 752
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Purchase Order PO-004276 dated 15042020 for EASTERN GUIDE ELECTRONICS PTE LTD.exe
    Command line: "{path}"
    Depth: 2
    PID: 1748
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx