0c71a1d8fb917a29dcb4858fd3654c727c14b721ab1dc4986e7a2ad0d55ea077

General

Target

Purchase Order_12082020_10002993884.exe
Size

1.1MB
MD5

099b147450ba62294345230e057e492c
SHA1

3f5dd2f621cc9f850b01c0193a9c95fb21b1f4b7
SHA256

271ae8f2104165d934488b9888b1fdcf6d6ec9a2263a603270ac9098f5d27323
SHA512

a0bd10ccaf6cd9ef6a83db34f4c0bf6c0f9c3750b5ee14116465ea7042c7babe585d126d80a0d82960e9d31b06b418e6a8011871e5a67994fb7f45c78a1e5c9d

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 1724	1964	Purchase Order_12082020_10002993884.exe	89

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1964	Purchase Order_12082020_10002993884.exe
1964	Purchase Order_12082020_10002993884.exe
1964	Purchase Order_12082020_10002993884.exe
4980	powershell.exe
4980	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	Purchase Order_12082020_10002993884.exe
Token: SeDebugPrivilege	4980	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	89
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	89
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	89
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	89
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	89
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	89
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	89
PID 1964 wrote to memory of 1724	1964	Purchase Order_12082020_10002993884.exe	89
PID 1724 wrote to memory of 4540	1724	Purchase Order_12082020_10002993884.exe	90
PID 1724 wrote to memory of 4540	1724	Purchase Order_12082020_10002993884.exe	90
PID 1724 wrote to memory of 4540	1724	Purchase Order_12082020_10002993884.exe	90
PID 4540 wrote to memory of 4980	4540	cmd.exe	92
PID 4540 wrote to memory of 4980	4540	cmd.exe	92
PID 4540 wrote to memory of 4980	4540	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\Purchase Order_12082020_10002993884.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order_12082020_10002993884.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\Purchase Order_12082020_10002993884.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Purchase Order_12082020_10002993884.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Purchase Order_12082020_10002993884.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order_12082020_10002993884.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/1724-136-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1724-138-0x00000000051E0000-0x0000000005246000-memory.dmp

Filesize
408KB

Download
memory/1964-130-0x0000000000740000-0x0000000000858000-memory.dmp

Filesize
1.1MB

Download
memory/1964-131-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/1964-132-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/1964-133-0x0000000005200000-0x000000000520A000-memory.dmp

Filesize
40KB

Download
memory/1964-134-0x000000000D930000-0x000000000D9CC000-memory.dmp

Filesize
624KB

Download
memory/4980-141-0x0000000002A50000-0x0000000002A86000-memory.dmp

Filesize
216KB

Download
memory/4980-142-0x00000000055C0000-0x0000000005BE8000-memory.dmp

Filesize
6.2MB

Download
memory/4980-143-0x00000000053A0000-0x00000000053C2000-memory.dmp

Filesize
136KB

Download
memory/4980-144-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/4980-145-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/4980-146-0x00000000079B0000-0x000000000802A000-memory.dmp

Filesize
6.5MB

Download
memory/4980-147-0x0000000006850000-0x000000000686A000-memory.dmp

Filesize
104KB

Download
memory/4980-148-0x00000000075D0000-0x0000000007666000-memory.dmp

Filesize
600KB

Download
memory/4980-149-0x0000000006920000-0x0000000006942000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing