Analysis
- max time kernel: 140s
- max time network: 99s
- platform: windows10_x64
- resource: win10v200410
- submitted: 28-04-2020 13:16
Static task: static1
Behavioral task: behavioral1
  Sample: PO.exe
  Resource: win7v200410
Behavioral task: behavioral2
  Sample: PO.exe
  Resource: win10v200410
General
- Target: PO.exe
- Size: 799KB
- MD5: ef043796a61db70e27b06e3cfe7209f1
- SHA1: c78610ce51f61ebcc647a057def65409de76590a
- SHA256: e842dbdc4b41d7516d87ccc21fa365b93c4c94ce5a75dc6f06321f90efa19e29
- SHA512: 72aab86bf1f1e2c75edfb56ec3fb0bb26766cb762f2408e5ba4e8791194a0b87118187a0f5c72a15285f3e16150a8704f675764750b6feb648b044bcaec31e09
Malware Config
Signatures
Suspicious use of WriteProcessMemory 32 IoCs
Processes (PO.exe, RegSvcs.exe); identical events are collapsed, with the number of occurrences in the last column:

description                        pid   process      target process  count
PID 4028 wrote to memory of 3156   4028  PO.exe       schtasks.exe    3
PID 4028 wrote to memory of 3144   4028  PO.exe       RegSvcs.exe     3
PID 4028 wrote to memory of 3116   4028  PO.exe       RegSvcs.exe     8
PID 3116 wrote to memory of 3768   3116  RegSvcs.exe  vbc.exe         9
PID 3116 wrote to memory of 3288   3116  RegSvcs.exe  vbc.exe         9
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes (PO.exe, vbc.exe, RegSvcs.exe); identical events are collapsed, with the number of occurrences in the last column:

pid   process      count
4028  PO.exe       2
3768  vbc.exe      4
3116  RegSvcs.exe  2
Suspicious use of SetThreadContext 3 IoCs
Processes (PO.exe, RegSvcs.exe):

description                           pid   process      target process
PID 4028 set thread context of 3116   4028  PO.exe       RegSvcs.exe
PID 3116 set thread context of 3768   3116  RegSvcs.exe  vbc.exe
PID 3116 set thread context of 3288   3116  RegSvcs.exe  vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (PO.exe, RegSvcs.exe):

description               pid   process
Token: SeDebugPrivilege   4028  PO.exe
Token: SeDebugPrivilege   3116  RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes (RegSvcs.exe):

pid   process
3116  RegSvcs.exe

Uses the VBS compiler for execution 1 TTPs

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:

flow  ioc
3     bot.whatismyipaddress.com

Makes http(s) request 1 IoCs
Contacts server via http/https, possibly for C2 communication.
Processes:

description  flow  ioc
HTTP URL     4     http://bot.whatismyipaddress.com/
Processes
Process tree (level 1 is the submitted sample; each nested entry is a child of the entry above it):

PO.exe (PID 4028), level 1
  Image: C:\Users\Admin\AppData\Local\Temp\PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken

  schtasks.exe (PID 3156), level 2
    Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vpQgdie" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8992.tmp"
    Signatures:
    - Creates scheduled task(s)

  RegSvcs.exe (PID 3144), level 2
    Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"

  RegSvcs.exe (PID 3116), level 2
    Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

    vbc.exe (PID 3768), level 3
      Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC004.tmp"
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    vbc.exe (PID 3288), level 3
      Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC813.tmp"