Analysis

- Max time kernel: 128s
- Max time network: 150s
- Platform: windows10_x64
- Resource: win10v200430
- Submitted: 04-05-2020 13:53

Static task: static1
Behavioral task: behavioral1 (sample nfvwZ5fTwVu1ZFr.exe, resource win7v200430)
Behavioral task: behavioral2 (sample nfvwZ5fTwVu1ZFr.exe, resource win10v200430)

General

- Target: nfvwZ5fTwVu1ZFr.exe
- Size: 244KB
- MD5: a1eeeb20ef5d7c2d3393559a84d6a033
- SHA1: 9342600fe28f23bbd091016deb388d6b6e37569d
- SHA256: 517d8b2852f709db4e9899576e5e1b1b848427b7e0829a7f918a6dc8875772b9
- SHA512: c7521e22f8d8082e0ad8c1c482c21e9acc02babf8f99151125b291b6bc163f097e8921f3b2bc89b58b8b2a28582b84481cca092ae5119cfb5274684e558b8e73
Malware Config
Signatures

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1356 (nfvwZ5fTwVu1ZFr.exe) set thread context of PID 1792 (MSBuild.exe)
  This is the last step of process hollowing: the parent writes a payload into a child it created and then points the child's thread at it with SetThreadContext. Read together with the WriteProcessMemory entries below for the same target PID.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 1792 (MSBuild.exe), two occurrences

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 3: bot.whatismyipaddress.com

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  The command line is in the process tree below: task "Updates\hjqlLfItbpjdf" is created from an XML definition in the user's Temp directory.

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (source PID 1356, nfvwZ5fTwVu1ZFr.exe):
    3 x wrote to memory of PID 1812 (schtasks.exe)
    8 x wrote to memory of PID 1792 (MSBuild.exe)
  A few writes by a parent into a child it has just spawned are expected (startup parameters are written at process creation), so the three writes into schtasks.exe are consistent with an ordinary launch. The eight writes into MSBuild.exe, on the same PID that then receives SetThreadContext, are the injection signal.

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 1792 (MSBuild.exe), Token: SeDebugPrivilege

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 1792 (MSBuild.exe)
  A Windows hook installed by the injected host is consistent with keyboard capture; the report does not record the hook type.

- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
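The signature table above lists the WriteProcessMemory and SetThreadContext calls one row at a time, which makes the hollowing pattern easy to miss among the creation-time writes into schtasks.exe. The following script is an added example, not part of the sandbox report or its tooling: it parses rows in the report's flattened layout, groups them by (source PID, target PID), and gives each pair a verdict. The input rows are constructed from the counts above, and the noise threshold of three writes is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed input: the WriteProcessMemory and SetThreadContext rows from the
# report, one hooked call per line, in the flattened layout the report uses:
#   "PID <src> <verb> <dst> <src> <src image> <dst image>"
# Repeat counts (3 writes into schtasks.exe, 8 into MSBuild.exe) match the report.
WRITE_SCHTASKS = "PID 1356 wrote to memory of 1812 1356 nfvwZ5fTwVu1ZFr.exe schtasks.exe"
WRITE_MSBUILD = "PID 1356 wrote to memory of 1792 1356 nfvwZ5fTwVu1ZFr.exe MSBuild.exe"
SET_CTX_MSBUILD = "PID 1356 set thread context of 1792 1356 nfvwZ5fTwVu1ZFr.exe MSBuild.exe"
SAMPLE_EVENTS = "\n".join([WRITE_SCHTASKS] * 3 + [WRITE_MSBUILD] * 8 + [SET_CTX_MSBUILD])

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Assumption: a parent writes into a child a few times during ordinary process
# creation (startup parameters), so writes alone at or below this count are noise.
CREATION_NOISE_MAX_WRITES = 3


@dataclass
class Pair:
    src_pid: int
    dst_pid: int
    src_img: str
    dst_img: str
    writes: int = 0
    set_context: int = 0

    def verdict(self):
        # Hollowing needs both: payload written in, then execution redirected to it.
        if self.writes and self.set_context:
            return "process-hollowing candidate"
        if self.set_context:
            return "thread context tampering without writes"
        if self.writes > CREATION_NOISE_MAX_WRITES:
            return "remote memory writes (injection, no context change seen)"
        return "likely process-creation noise"


def parse_events(text):
    """Group hooked calls by (source PID, target PID)."""
    pairs = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an API row; the report mixes these with headings
        key = (int(m["src"]), int(m["dst"]))
        pair = pairs.setdefault(key, Pair(key[0], key[1], m["src_img"], m["dst_img"]))
        if m["verb"].startswith("wrote"):
            pair.writes += 1
        else:
            pair.set_context += 1
    return pairs


def triage(text):
    """Return one (src_pid, dst_pid, dst_img, writes, set_context, verdict) per pair."""
    return sorted(
        (p.src_pid, p.dst_pid, p.dst_img, p.writes, p.set_context, p.verdict())
        for p in parse_events(text).values()
    )


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Run against the report's rows, the MSBuild.exe pair comes out as a process-hollowing candidate (8 writes, 1 SetThreadContext) while the schtasks.exe pair is classified as creation noise (3 writes, no context change). The threshold is the knob to tune against your own sandbox's baseline for benign parent-child launches.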
Processes

- C:\Users\Admin\AppData\Local\Temp\nfvwZ5fTwVu1ZFr.exe (PID 1356, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\nfvwZ5fTwVu1ZFr.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (PID 1812, depth 2, child of 1356)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hjqlLfItbpjdf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEBE.tmp"
    - Creates scheduled task(s)

  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 1792, depth 2, child of 1356)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

Notes on the tree:
- The command line names System32\schtasks.exe but the image that ran is SysWOW64\schtasks.exe: file system redirection resolved the path, so the sample is a 32-bit process. The 32-bit Framework copy of MSBuild.exe (not Framework64) is consistent with that.
- MSBuild.exe was started with no arguments and no project file by a parent executing from the user's Temp directory; a build tool has no reason to run this way. It is the injection target named in the WriteProcessMemory and SetThreadContext signatures, and every post-injection behaviour (process enumeration, SeDebugPrivilege, SetWindowsHookEx) is attributed to it rather than to the original sample.
- The task definition tmpFEBE.tmp is not reproduced in this report, so the task's trigger and action are not known from this page; the task name Updates\hjqlLfItbpjdf is the persistence artifact to hunt for.
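The three command-line observations above (a task created from an XML file in Temp, a .NET host launched with no arguments from a Temp-resident parent, and a SysWOW64 image behind a System32 command line) each reduce to a check on a sandbox or EDR process record. The script below is an added example, not code from the sandbox or this report: it applies those three checks to the process tree as constructed from the rows above. The list of .NET host binaries and the simplified command-line tokenizer are assumptions.

```python
import re

# Constructed input: the three processes from the tree above, as a sandbox or EDR
# would export them (PID, parent PID, image path, full command line).
PROCESSES = [
    {"pid": 1356, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\nfvwZ5fTwVu1ZFr.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\nfvwZ5fTwVu1ZFr.exe"'},
    {"pid": 1812, "ppid": 1356,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hjqlLfItbpjdf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEBE.tmp"'},
    {"pid": 1792, "ppid": 1356,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"'},
]

# Minimal Windows command-line tokenizer: quoted runs or whitespace-separated words.
# Sufficient for sandbox output; it does not handle escaped quotes (assumption).
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# .NET Framework utilities commonly abused as injection hosts (assumed list).
DOTNET_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}


def tokenize(cmdline):
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def check_schtasks_xml(proc):
    """schtasks /Create whose /XML definition lives in the user's Temp directory."""
    if basename(proc["image"]).lower() != "schtasks.exe":
        return None
    toks = tokenize(proc["cmdline"])
    lower = [t.lower() for t in toks]
    if "/create" not in lower or "/xml" not in lower:
        return None
    xml_idx = lower.index("/xml") + 1
    if xml_idx >= len(toks) or not in_user_temp(toks[xml_idx]):
        return None
    tn_idx = lower.index("/tn") + 1 if "/tn" in lower else len(toks)
    return toks[tn_idx] if tn_idx < len(toks) else "?"


def check_dotnet_host_no_args(proc, parent):
    """.NET Framework tool run with no arguments by a parent executing from Temp."""
    if basename(proc["image"]).lower() not in DOTNET_HOSTS:
        return None
    if "\\microsoft.net\\framework" not in proc["image"].lower():
        return None
    if len(tokenize(proc["cmdline"])) != 1:
        return None  # arguments present: a real build or registration job
    if parent is None or not in_user_temp(parent["image"]):
        return None
    return basename(parent["image"])


def check_wow64_redirect(proc):
    """Command line names System32 but the image ran from SysWOW64: 32-bit parent."""
    toks = tokenize(proc["cmdline"])
    if not toks:
        return None
    if (proc["image"].lower().startswith("c:\\windows\\syswow64\\")
            and toks[0].lower().startswith("c:\\windows\\system32\\")):
        return proc["image"]
    return None


def analyze(procs):
    """Return (pid, rule, detail) findings, sorted by PID then rule."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        task = check_schtasks_xml(p)
        if task:
            findings.append((p["pid"], "schtasks_xml_from_temp", task))
        host_parent = check_dotnet_host_no_args(p, parent)
        if host_parent:
            findings.append((p["pid"], "dotnet_host_no_args_from_temp", host_parent))
        img = check_wow64_redirect(p)
        if img:
            findings.append((p["pid"], "wow64_redirected_image", img))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(PROCESSES):
        print(finding)
```

The "no arguments" condition is what separates the hollowed MSBuild.exe from legitimate builds, which always carry a project file or switches; the Temp-resident parent condition keeps developer workstations from tripping the rule. The WoW64 finding is informational but useful for picking the right architecture when you later carve the injected payload from memory.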