818e0bab11bfd5cd7c55356efce17fe8c2024a193d968cfb18f70d15a0d12951

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-01-2023 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

615KB
MD5

ec15ab6bec865de98d39f4ab8e73fe1b
SHA1

95e0fb211f31673dd6f9f4e74360b184250d3fde
SHA256

f56c8e197bbe551942b7e01808646b1ccbb01e8d43fc2ba3e5a6017e40e8e1d4
SHA512

04efb4548509befdcf4a0dd5e61a9e46d9313aeae82f9779d7e2edae8f2f42f058945cf89871f382f1e1b96f065a07e3189a7edd039eb53a7640fe7afd8ccc82
SSDEEP

12288:OmCglZ6MneQ8/aR/O11EqQNIAW8FzQS/dlf2XwE7jo9av/Ksq/Ks6/Ks:tRKAKihcYNrWKQkddW/3OOiS

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order.exe

description pid process target process

PID 1640 set thread context of 1500 1640 Purchase Order.exe SetupUtility.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

600 1500 WerFault.exe SetupUtility.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Purchase Order.exe

pid process

1640 Purchase Order.exe
1640 Purchase Order.exe
1640 Purchase Order.exe
1640 Purchase Order.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Purchase Order.exe

description pid process

Token: SeDebugPrivilege 1640 Purchase Order.exe

description	pid	process	target process
PID 1640 set thread context of 1500	1640	Purchase Order.exe	SetupUtility.exe

pid	pid_target	process	target process
600	1500	WerFault.exe	SetupUtility.exe

pid	process
1640	Purchase Order.exe
1640	Purchase Order.exe
1640	Purchase Order.exe
1640	Purchase Order.exe

description	pid	process
Token: SeDebugPrivilege	1640	Purchase Order.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Purchase Order.exeSetupUtility.exe

description	pid	process	target process
PID 1640 wrote to memory of 1336	1640	Purchase Order.exe	MSBuild.exe
PID 1640 wrote to memory of 1336	1640	Purchase Order.exe	MSBuild.exe
PID 1640 wrote to memory of 1336	1640	Purchase Order.exe	MSBuild.exe
PID 1640 wrote to memory of 1508	1640	Purchase Order.exe	regtlibv12.exe
PID 1640 wrote to memory of 1508	1640	Purchase Order.exe	regtlibv12.exe
PID 1640 wrote to memory of 1508	1640	Purchase Order.exe	regtlibv12.exe
PID 1640 wrote to memory of 1044	1640	Purchase Order.exe	ilasm.exe
PID 1640 wrote to memory of 1044	1640	Purchase Order.exe	ilasm.exe
PID 1640 wrote to memory of 1044	1640	Purchase Order.exe	ilasm.exe
PID 1640 wrote to memory of 1324	1640	Purchase Order.exe	aspnet_regbrowsers.exe
PID 1640 wrote to memory of 1324	1640	Purchase Order.exe	aspnet_regbrowsers.exe
PID 1640 wrote to memory of 1324	1640	Purchase Order.exe	aspnet_regbrowsers.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1640 wrote to memory of 1500	1640	Purchase Order.exe	SetupUtility.exe
PID 1500 wrote to memory of 600	1500	SetupUtility.exe	WerFault.exe
PID 1500 wrote to memory of 600	1500	SetupUtility.exe	WerFault.exe
PID 1500 wrote to memory of 600	1500	SetupUtility.exe	WerFault.exe
PID 1500 wrote to memory of 600	1500	SetupUtility.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:1336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
2⤵
PID:1508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:1044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:1324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 168
3⤵
- Program crash
PID:600

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/600-59-0x0000000000000000-mapping.dmp

Download
memory/1500-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1500-57-0x000000000042A62E-mapping.dmp

Download
memory/1500-58-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1640-54-0x0000000001180000-0x000000000121E000-memory.dmp

Filesize
632KB

Download
memory/1640-55-0x000000001A620000-0x000000001A68E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads