Analysis

Max time kernel: 151s
Max time network: 35s
Platform: windows7_x64
Resource: win7v200430
Submitted: 27-05-2020 13:47

Tasks

Static task: static1
Behavioral task: behavioral1 (sample 20BHcKSmefo7MFF.exe, resource win7v200430)
Behavioral task: behavioral2 (sample 20BHcKSmefo7MFF.exe, resource win10v200430)

General

Target: 20BHcKSmefo7MFF.exe
Size: 396KB
MD5: f5714089e0fcf628ca4f885b24c5021a
SHA1: 0405de4d982a3717948efab5e450c1d5d3cb4858
SHA256: a66accde52c8f24dbd3d705a4babfee4015f547dc6f7a608cb6d37dd2930fccd
SHA512: 34e61ab8b440f897a6a39f21ae220ffa03ee3c4d4b2b2bbca9a1fdde8f51ba271f7b8c136434986644d5fb4749f0d2ab932379064d56b0d25786f2ad463ae660
Malware Config

Signatures

- Uses the VBS compiler for execution (1 TTP)

- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes: 20BHcKSmefo7MFF.exe, MSBuild.exe

  description         pid   process               target process   events
  wrote to memory of  1016  20BHcKSmefo7MFF.exe   schtasks.exe     4   (target PID 964)
  wrote to memory of  1016  20BHcKSmefo7MFF.exe   MSBuild.exe      9   (target PID 800)
  wrote to memory of  800   MSBuild.exe           vbc.exe          10  (target PID 1576)
  wrote to memory of  800   MSBuild.exe           vbc.exe          10  (target PID 1932)

- Suspicious use of SetThreadContext (3 IoCs)
  Processes: 20BHcKSmefo7MFF.exe, MSBuild.exe

  description            pid   process               target process
  set thread context of  1016  20BHcKSmefo7MFF.exe   MSBuild.exe   (target PID 800)
  set thread context of  800   MSBuild.exe           vbc.exe       (target PID 1576)
  set thread context of  800   MSBuild.exe           vbc.exe       (target PID 1932)

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes

1. C:\Users\Admin\AppData\Local\Temp\20BHcKSmefo7MFF.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\20BHcKSmefo7MFF.exe"
   PID: 1016
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CFwuuC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp"
      PID: 964
      - Creates scheduled task(s)

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "{path}"
      PID: 800
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF3FE.tmp"
         PID: 1576

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp"
         PID: 1932