Analysis
-
max time kernel: 151s
max time network: 120s
platform: windows7_x64
resource: win7v200430
submitted: 08-06-2020 16:44
Static task: static1
Behavioral task: behavioral1
  Sample: dsFqMLnEkvrogA9.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: dsFqMLnEkvrogA9.exe
  Resource: win10v200430
General
-
Target: dsFqMLnEkvrogA9.exe
Size: 398KB
MD5: f882b4b6a5a9a47e10244f70d661bd2e
SHA1: b77ef0dc1e64d6b396a2ac6f3a87ff3fd53ca503
SHA256: c0a5e2237ef1901c7a3ee2c15290c8db625a1cb9659e99a86ee474460533aa32
SHA512: a49b9b512d0f9a9afd81eeb7621543e6c5d4820a434f755218b7225a81f657371fe6e70fbe92ecdfcaf41e37c3efb894eb8ae8f38d4e4b14a632a7cc09599c38
Malware Config
Signatures
-
Suspicious use of SetThreadContext 3 IoCs
Processes: dsFqMLnEkvrogA9.exe, RegSvcs.exe
description | pid | process | target process
PID 1436 set thread context of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1720 set thread context of 1632 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 set thread context of 1884 | 1720 | RegSvcs.exe | vbc.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: RegSvcs.exe
pid | process
1720 | RegSvcs.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes: dsFqMLnEkvrogA9.exe, RegSvcs.exe
description | pid | process | target process
PID 1436 wrote to memory of 1348 | 1436 | dsFqMLnEkvrogA9.exe | schtasks.exe
PID 1436 wrote to memory of 1348 | 1436 | dsFqMLnEkvrogA9.exe | schtasks.exe
PID 1436 wrote to memory of 1348 | 1436 | dsFqMLnEkvrogA9.exe | schtasks.exe
PID 1436 wrote to memory of 1348 | 1436 | dsFqMLnEkvrogA9.exe | schtasks.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1436 wrote to memory of 1720 | 1436 | dsFqMLnEkvrogA9.exe | RegSvcs.exe
PID 1720 wrote to memory of 1632 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1632 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1632 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1632 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1632 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1632 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1632 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1632 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1632 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1632 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1884 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1884 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1884 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1884 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1884 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1884 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1884 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1884 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1884 | 1720 | RegSvcs.exe | vbc.exe
PID 1720 wrote to memory of 1884 | 1720 | RegSvcs.exe | vbc.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 1720 | RegSvcs.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: RegSvcs.exe
pid | process
1720 | RegSvcs.exe
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Uses the VBS compiler for execution 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
5 | bot.whatismyipaddress.com
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\dsFqMLnEkvrogA9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dsFqMLnEkvrogA9.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1436
  [2] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GsiwayueXcbxVJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78F6.tmp"
      - Creates scheduled task(s)
      PID: 1348
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 1720
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA9C2.tmp"
        PID: 1632
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9BDE.tmp"
        PID: 1884