Analysis
  max time kernel:  151s
  max time network: 133s
  platform:         windows7_x64
  resource:         win7v200430
  submitted:        08-06-2020 16:55

  Static task:      static1
  Behavioral task:  behavioral1
    Sample:         z7ZJdF1SfMKAp6L.exe
    Resource:       win7v200430
  Behavioral task:  behavioral2
    Sample:         z7ZJdF1SfMKAp6L.exe
    Resource:       win10v200430
General
  Target: z7ZJdF1SfMKAp6L.exe
  Size:   397KB
  MD5:    e1939d61d59909862e2b058d96fe0789
  SHA1:   f95a110dee743c3d33aa737fbb164c7148c9248c
  SHA256: a4b07204b33173093041072e00e88d0083c88b88f634561aabe46ec8992f9332
  SHA512: 58063d064a8cd919ef59e9a5d5989ffd615e6d1905291f84864a0684d45772abbbd19701251bd5790df7a28969229df219f8ac038033bab3f99250b475adc769
Malware Config

Signatures

  Suspicious use of SetThreadContext (3 IoCs)
    Processes:
      Description                              PID   Process              Target process
      PID 1432 set thread context of 1844      1432  z7ZJdF1SfMKAp6L.exe  MSBuild.exe
      PID 1844 set thread context of 1548      1844  MSBuild.exe          vbc.exe
      PID 1844 set thread context of 1940      1844  MSBuild.exe          vbc.exe

  Suspicious behavior: EnumeratesProcesses (1 IoC)
    Processes:
      PID   Process
      1844  MSBuild.exe

  Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    Processes:
      Flow  IoC
      4     bot.whatismyipaddress.com

  Suspicious use of WriteProcessMemory (33 IoCs)
    Processes (identical entries collapsed; the last column gives how many times each appears in the report):
      Description                        PID   Process              Target process   Entries
      PID 1432 wrote to memory of 1796   1432  z7ZJdF1SfMKAp6L.exe  schtasks.exe     4
      PID 1432 wrote to memory of 1844   1432  z7ZJdF1SfMKAp6L.exe  MSBuild.exe      9
      PID 1844 wrote to memory of 1548   1844  MSBuild.exe          vbc.exe          10
      PID 1844 wrote to memory of 1940   1844  MSBuild.exe          vbc.exe          10

  Suspicious use of SetWindowsHookEx (1 IoC)
    Processes:
      PID   Process
      1844  MSBuild.exe

  HawkEye Reborn
    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.

  Uses the VBS compiler for execution (1 TTP)

  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Processes:
      Description               PID   Process
      Token: SeDebugPrivilege   1844  MSBuild.exe
Processes (process tree; indentation shows parent/child relationship)

  C:\Users\Admin\AppData\Local\Temp\z7ZJdF1SfMKAp6L.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\z7ZJdF1SfMKAp6L.exe"
    PID: 1432
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOtHXNw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7ECF.tmp"
      PID: 1796
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "{path}"
      PID: 1844
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC711.tmp"
        PID: 1548

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB97C.tmp"
        PID: 1940