818e0bab11bfd5cd7c55356efce17fe8c2024a193d968cfb18f70d15a0d12951

General

Target

Purchase Order.exe
Size

615KB
MD5

ec15ab6bec865de98d39f4ab8e73fe1b
SHA1

95e0fb211f31673dd6f9f4e74360b184250d3fde
SHA256

f56c8e197bbe551942b7e01808646b1ccbb01e8d43fc2ba3e5a6017e40e8e1d4
SHA512

04efb4548509befdcf4a0dd5e61a9e46d9313aeae82f9779d7e2edae8f2f42f058945cf89871f382f1e1b96f065a07e3189a7edd039eb53a7640fe7afd8ccc82
SSDEEP

12288:OmCglZ6MneQ8/aR/O11EqQNIAW8FzQS/dlf2XwE7jo9av/Ksq/Ks6/Ks:tRKAKihcYNrWKQkddW/3OOiS

Score

6^/10

collection

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order.exe

description pid process target process

PID 4996 set thread context of 3268 4996 Purchase Order.exe jsc.exe

description	pid	process	target process
PID 4996 set thread context of 3268	4996	Purchase Order.exe	jsc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Purchase Order.exe

pid	process
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe
4996	Purchase Order.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Order.exejsc.exe

description pid process

Token: SeDebugPrivilege 4996 Purchase Order.exe
Token: SeDebugPrivilege 3268 jsc.exe

description	pid	process
Token: SeDebugPrivilege	4996	Purchase Order.exe
Token: SeDebugPrivilege	3268	jsc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Purchase Order.exe

description	pid	process	target process
PID 4996 wrote to memory of 4792	4996	Purchase Order.exe	aspnet_regiis.exe
PID 4996 wrote to memory of 4792	4996	Purchase Order.exe	aspnet_regiis.exe
PID 4996 wrote to memory of 536	4996	Purchase Order.exe	RegSvcs.exe
PID 4996 wrote to memory of 536	4996	Purchase Order.exe	RegSvcs.exe
PID 4996 wrote to memory of 4092	4996	Purchase Order.exe	aspnet_state.exe
PID 4996 wrote to memory of 4092	4996	Purchase Order.exe	aspnet_state.exe
PID 4996 wrote to memory of 1260	4996	Purchase Order.exe	InstallUtil.exe
PID 4996 wrote to memory of 1260	4996	Purchase Order.exe	InstallUtil.exe
PID 4996 wrote to memory of 4652	4996	Purchase Order.exe	ngen.exe
PID 4996 wrote to memory of 4652	4996	Purchase Order.exe	ngen.exe
PID 4996 wrote to memory of 540	4996	Purchase Order.exe	csc.exe
PID 4996 wrote to memory of 540	4996	Purchase Order.exe	csc.exe
PID 4996 wrote to memory of 2724	4996	Purchase Order.exe	CasPol.exe
PID 4996 wrote to memory of 2724	4996	Purchase Order.exe	CasPol.exe
PID 4996 wrote to memory of 1152	4996	Purchase Order.exe	ilasm.exe
PID 4996 wrote to memory of 1152	4996	Purchase Order.exe	ilasm.exe
PID 4996 wrote to memory of 3268	4996	Purchase Order.exe	jsc.exe
PID 4996 wrote to memory of 3268	4996	Purchase Order.exe	jsc.exe
PID 4996 wrote to memory of 3268	4996	Purchase Order.exe	jsc.exe
PID 4996 wrote to memory of 3268	4996	Purchase Order.exe	jsc.exe
PID 4996 wrote to memory of 3268	4996	Purchase Order.exe	jsc.exe
PID 4996 wrote to memory of 3268	4996	Purchase Order.exe	jsc.exe
PID 4996 wrote to memory of 3268	4996	Purchase Order.exe	jsc.exe
PID 4996 wrote to memory of 3268	4996	Purchase Order.exe	jsc.exe

outlook_office_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:4792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
2⤵
PID:536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:4092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:1260

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:4652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
2⤵
PID:540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
2⤵
PID:2724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:1152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3268-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3268-134-0x000000000042A62E-mapping.dmp

Download
memory/3268-137-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/3268-138-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/3268-139-0x0000000006000000-0x0000000006092000-memory.dmp

Filesize
584KB

Download
memory/3268-140-0x0000000005FF0000-0x0000000005FFA000-memory.dmp

Filesize
40KB

Download
memory/3268-141-0x0000000006230000-0x0000000006280000-memory.dmp

Filesize
320KB

Download
memory/3268-142-0x0000000006450000-0x0000000006612000-memory.dmp

Filesize
1.8MB

Download
memory/4996-132-0x00000237A7510000-0x00000237A75AE000-memory.dmp

Filesize
632KB

Download
memory/4996-135-0x00007FFD51160000-0x00007FFD51C21000-memory.dmp

Filesize
10.8MB

Download
memory/4996-136-0x00007FFD51160000-0x00007FFD51C21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads