Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows7_x64
- resource: win7v200430
- submitted: 08-06-2020 16:40
Static task: static1
Behavioral task: behavioral1
  Sample: UnLodueFblmIs0C.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: UnLodueFblmIs0C.exe
  Resource: win10v200430
General
- Target: UnLodueFblmIs0C.exe
- Size: 398KB
- MD5: 3f26968c0d8eb6ef98c832298c89d7f3
- SHA1: 7ad249eae396e35e6b8cdd70d1f2f2fac503642c
- SHA256: c730e6287aa786e04d22daa4e6c77b504cdf80dc4f09877a15bc79bac84403f6
- SHA512: 9dd1180007ce3013e44e16e1448657cc652c1835b1e8c5349aad87716cc6faf4e098df1d6d39cc639bf873d9b98a6c5fbba725c9fd722431f6c9e1b03212f6ad
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1772  MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1772  MSBuild.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     bot.whatismyipaddress.com
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes:
    description                       pid   process              target process
    PID 1524 wrote to memory of 1876  1524  UnLodueFblmIs0C.exe  schtasks.exe
    PID 1524 wrote to memory of 1876  1524  UnLodueFblmIs0C.exe  schtasks.exe
    PID 1524 wrote to memory of 1876  1524  UnLodueFblmIs0C.exe  schtasks.exe
    PID 1524 wrote to memory of 1876  1524  UnLodueFblmIs0C.exe  schtasks.exe
    PID 1524 wrote to memory of 1772  1524  UnLodueFblmIs0C.exe  MSBuild.exe
    PID 1524 wrote to memory of 1772  1524  UnLodueFblmIs0C.exe  MSBuild.exe
    PID 1524 wrote to memory of 1772  1524  UnLodueFblmIs0C.exe  MSBuild.exe
    PID 1524 wrote to memory of 1772  1524  UnLodueFblmIs0C.exe  MSBuild.exe
    PID 1524 wrote to memory of 1772  1524  UnLodueFblmIs0C.exe  MSBuild.exe
    PID 1524 wrote to memory of 1772  1524  UnLodueFblmIs0C.exe  MSBuild.exe
    PID 1524 wrote to memory of 1772  1524  UnLodueFblmIs0C.exe  MSBuild.exe
    PID 1524 wrote to memory of 1772  1524  UnLodueFblmIs0C.exe  MSBuild.exe
    PID 1524 wrote to memory of 1772  1524  UnLodueFblmIs0C.exe  MSBuild.exe
    PID 1772 wrote to memory of 1580  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1580  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1580  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1580  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1580  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1580  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1580  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1580  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1580  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1580  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1924  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1924  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1924  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1924  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1924  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1924  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1924  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1924  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1924  1772  MSBuild.exe          vbc.exe
    PID 1772 wrote to memory of 1924  1772  MSBuild.exe          vbc.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description                          pid   process              target process
    PID 1524 set thread context of 1772  1524  UnLodueFblmIs0C.exe  MSBuild.exe
    PID 1772 set thread context of 1580  1772  MSBuild.exe          vbc.exe
    PID 1772 set thread context of 1924  1772  MSBuild.exe          vbc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    1772  MSBuild.exe
- Uses the VBS compiler for execution (1 TTPs)
Processes
- C:\Users\Admin\AppData\Local\Temp\UnLodueFblmIs0C.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\UnLodueFblmIs0C.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  PID: 1524
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lvxeiNKl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5974.tmp"
    - Creates scheduled task(s)
    PID: 1876
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 1772
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9AF3.tmp"
      PID: 1580
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8D4E.tmp"
      PID: 1924