8100b701682e9fb7c4165631216913054e2e201f4cd63274ff1151ade42098c9

General

Target

Purchase Order.exe
Size

796KB
MD5

9c855254c998da988ee359119c6bfbcd
SHA1

4e673163f312fb8334c93c5ab1bf7fd7e7f81f9c
SHA256

8100b701682e9fb7c4165631216913054e2e201f4cd63274ff1151ade42098c9
SHA512

715d61ab364cd879c4da76732a8cdafcf2ccd80be2330a00b1dc6580c62a5996b85b4469c9ca6bbb276208118114f1f1b5bf77f7cd6dc0023a92f8633cbb62a4

Score

7^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1116	Purchase Order.exe
1504	Purchase Order.exe
1504	Purchase Order.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe

Deletes itself 1 IoCs

pid	Process
540	cmd.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE
1308	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1436	1116	Purchase Order.exe	24
PID 1116 wrote to memory of 1436	1116	Purchase Order.exe	24
PID 1116 wrote to memory of 1436	1116	Purchase Order.exe	24
PID 1116 wrote to memory of 1436	1116	Purchase Order.exe	24
PID 1116 wrote to memory of 1504	1116	Purchase Order.exe	25
PID 1116 wrote to memory of 1504	1116	Purchase Order.exe	25
PID 1116 wrote to memory of 1504	1116	Purchase Order.exe	25
PID 1116 wrote to memory of 1504	1116	Purchase Order.exe	25
PID 1116 wrote to memory of 1504	1116	Purchase Order.exe	25
PID 1116 wrote to memory of 1504	1116	Purchase Order.exe	25
PID 1116 wrote to memory of 1504	1116	Purchase Order.exe	25
PID 1308 wrote to memory of 304	1308	Explorer.EXE	26
PID 1308 wrote to memory of 304	1308	Explorer.EXE	26
PID 1308 wrote to memory of 304	1308	Explorer.EXE	26
PID 1308 wrote to memory of 304	1308	Explorer.EXE	26
PID 304 wrote to memory of 540	304	explorer.exe	27
PID 304 wrote to memory of 540	304	explorer.exe	27
PID 304 wrote to memory of 540	304	explorer.exe	27
PID 304 wrote to memory of 540	304	explorer.exe	27

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	Purchase Order.exe
Token: SeDebugPrivilege	1504	Purchase Order.exe
Token: SeDebugPrivilege	304	explorer.exe
Token: SeShutdownPrivilege	1308	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 1504	1116	Purchase Order.exe	25
PID 1504 set thread context of 1308	1504	Purchase Order.exe	20
PID 304 set thread context of 1308	304	explorer.exe	20

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1504	Purchase Order.exe
1504	Purchase Order.exe
1504	Purchase Order.exe
304	explorer.exe
304	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:1308
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetThreadContext
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
    "{path}"
    3⤵
    PID:1436
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
    "{path}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:1504
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  PID:304
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
    3⤵
    - Deletes itself
    PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-5-0x0000000000C90000-0x0000000000F11000-memory.dmp

Filesize
2.5MB

Download
memory/304-7-0x0000000003400000-0x0000000003562000-memory.dmp

Filesize
1.4MB

Download
memory/1504-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing