Analysis
- max time kernel: 32s
- max time network: 91s
- platform: windows7_x64
- resource: win7v200430
- submitted: 04-05-2020 13:53
Static task: static1
Behavioral task: behavioral1
- Sample: nfvwZ5fTwVu1ZFr.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: nfvwZ5fTwVu1ZFr.exe
- Resource: win10v200430
General
- Target: nfvwZ5fTwVu1ZFr.exe
- Size: 244KB
- MD5: a1eeeb20ef5d7c2d3393559a84d6a033
- SHA1: 9342600fe28f23bbd091016deb388d6b6e37569d
- SHA256: 517d8b2852f709db4e9899576e5e1b1b848427b7e0829a7f918a6dc8875772b9
- SHA512: c7521e22f8d8082e0ad8c1c482c21e9acc02babf8f99151125b291b6bc163f097e8921f3b2bc89b58b8b2a28582b84481cca092ae5119cfb5274684e558b8e73
Malware Config
Signatures
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  1 | bot.whatismyipaddress.com
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target process):
  PID 996 wrote to memory of 1048 | 996 | nfvwZ5fTwVu1ZFr.exe | schtasks.exe (4 entries)
  PID 996 wrote to memory of 1496 | 996 | nfvwZ5fTwVu1ZFr.exe | MSBuild.exe (9 entries)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  PID 996 set thread context of 1496 | 996 | nfvwZ5fTwVu1ZFr.exe | MSBuild.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  1496 | MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege | 1496 | MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  1496 | MSBuild.exe (2 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\nfvwZ5fTwVu1ZFr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\nfvwZ5fTwVu1ZFr.exe"
  PID: 996
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hjqlLfItbpjdf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp98D5.tmp"
    PID: 1048
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    PID: 1496
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses