0c71a1d8fb917a29dcb4858fd3654c727c14b721ab1dc4986e7a2ad0d55ea077

General

Target

Purchase Order_12082020_10002993884.exe
Size

1.1MB
MD5

099b147450ba62294345230e057e492c
SHA1

3f5dd2f621cc9f850b01c0193a9c95fb21b1f4b7
SHA256

271ae8f2104165d934488b9888b1fdcf6d6ec9a2263a603270ac9098f5d27323
SHA512

a0bd10ccaf6cd9ef6a83db34f4c0bf6c0f9c3750b5ee14116465ea7042c7babe585d126d80a0d82960e9d31b06b418e6a8011871e5a67994fb7f45c78a1e5c9d

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order_12082020_10002993884.exe

description	pid	process	target process
PID 1964 set thread context of 1724	1964	Purchase Order_12082020_10002993884.exe	Purchase Order_12082020_10002993884.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Purchase Order_12082020_10002993884.exepowershell.exe

pid	process
1964	Purchase Order_12082020_10002993884.exe
1964	Purchase Order_12082020_10002993884.exe
1964	Purchase Order_12082020_10002993884.exe
4980	powershell.exe
4980	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Order_12082020_10002993884.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1964 Purchase Order_12082020_10002993884.exe
Token: SeDebugPrivilege 4980 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1964	Purchase Order_12082020_10002993884.exe
Token: SeDebugPrivilege	4980	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Purchase Order_12082020_10002993884.exePurchase Order_12082020_10002993884.execmd.exe

description	pid	process	target process
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	Purchase Order_12082020_10002993884.exe
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	Purchase Order_12082020_10002993884.exe
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	Purchase Order_12082020_10002993884.exe
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	Purchase Order_12082020_10002993884.exe
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	Purchase Order_12082020_10002993884.exe
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	Purchase Order_12082020_10002993884.exe
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	Purchase Order_12082020_10002993884.exe
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	Purchase Order_12082020_10002993884.exe
PID 1724 wrote to memory of 4540	1724	Purchase Order_12082020_10002993884.exe	cmd.exe
PID 1724 wrote to memory of 4540	1724	Purchase Order_12082020_10002993884.exe	cmd.exe
PID 1724 wrote to memory of 4540	1724	Purchase Order_12082020_10002993884.exe	cmd.exe
PID 4540 wrote to memory of 4980	4540	cmd.exe	powershell.exe
PID 4540 wrote to memory of 4980	4540	cmd.exe	powershell.exe
PID 4540 wrote to memory of 4980	4540	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order_12082020_10002993884.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order_12082020_10002993884.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\Purchase Order_12082020_10002993884.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Purchase Order_12082020_10002993884.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Purchase Order_12082020_10002993884.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order_12082020_10002993884.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/1724-135-0x0000000000000000-mapping.dmp

Download
memory/1724-136-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1724-138-0x00000000051E0000-0x0000000005246000-memory.dmp

Filesize
408KB

Download
memory/1964-130-0x0000000000740000-0x0000000000858000-memory.dmp

Filesize
1.1MB

Download
memory/1964-131-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/1964-132-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/1964-133-0x0000000005200000-0x000000000520A000-memory.dmp

Filesize
40KB

Download
memory/1964-134-0x000000000D930000-0x000000000D9CC000-memory.dmp

Filesize
624KB

Download
memory/4540-139-0x0000000000000000-mapping.dmp

Download
memory/4980-140-0x0000000000000000-mapping.dmp

Download
memory/4980-141-0x0000000002A50000-0x0000000002A86000-memory.dmp

Filesize
216KB

Download
memory/4980-142-0x00000000055C0000-0x0000000005BE8000-memory.dmp

Filesize
6.2MB

Download
memory/4980-143-0x00000000053A0000-0x00000000053C2000-memory.dmp

Filesize
136KB

Download
memory/4980-144-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/4980-145-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/4980-146-0x00000000079B0000-0x000000000802A000-memory.dmp

Filesize
6.5MB

Download
memory/4980-147-0x0000000006850000-0x000000000686A000-memory.dmp

Filesize
104KB

Download
memory/4980-148-0x00000000075D0000-0x0000000007666000-memory.dmp

Filesize
600KB

Download
memory/4980-149-0x0000000006920000-0x0000000006942000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads