0bb1ef1b5da51503d3eacf1ecb66e7205bdb3aeab888bd7959ebb674f1eab631

Analysis

max time kernel
200s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

381KB
MD5

20c2c7e30a36e36fc8c8db7c700e886a
SHA1

87fb6b5b2872a14cd66b78d0f246ea8777cb0c9a
SHA256

1317c9f8869b5342150133772b8399d866904c1157e5fc527b9660e676acd5f1
SHA512

0a00908f24e98b9366f069869e7cf25a0d95f92515c6cd18a1ab7c687ee78c31648e8710e51ea58518a94dd661ee7aac31441c638bac8bc0e9ec468a21ea564c

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Purchase Order.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usbutil = "\"C:\\Users\\Admin\\AppData\\Local\\usbutil.exe\""	Purchase Order.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Purchase Order.exe

pid	process
3128	Purchase Order.exe
3128	Purchase Order.exe
3128	Purchase Order.exe
3128	Purchase Order.exe
3128	Purchase Order.exe
3128	Purchase Order.exe
3128	Purchase Order.exe
3128	Purchase Order.exe
3128	Purchase Order.exe
3128	Purchase Order.exe
3128	Purchase Order.exe
3128	Purchase Order.exe
3128	Purchase Order.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Purchase Order.exe

description pid process

Token: SeDebugPrivilege 3128 Purchase Order.exe

description	pid	process
Token: SeDebugPrivilege	3128	Purchase Order.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3128-130-0x0000000000460000-0x00000000004C4000-memory.dmp

Filesize
400KB

Download
memory/3128-131-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/3128-132-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/3128-133-0x0000000005480000-0x000000000548A000-memory.dmp

Filesize
40KB

Download
memory/3128-134-0x0000000005C80000-0x0000000005D1C000-memory.dmp

Filesize
624KB

Download
memory/3128-135-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download