Overview

overview

7

Static

static

1

Purchase order.exe

windows7-x64

7

Purchase order.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    08/02/2023, 17:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase order.exe

  • Size

    999KB

  • MD5

    8b86d7ad6a13d66a9263717b18fa245a

  • SHA1

    58d6abd4cdf878a0931e6d63dd870bf73110cd76

  • SHA256

    215948dfb7ffb349f7d3f0ed5ebdd3517d530c8c14833c62bf0152e8a31811a3

  • SHA512

    46391ed81e96b737a92fc75bb62f881516dba2d13ea86f376e30e6b574ffd47ec3d6cb597c7e603d87fa50fd9b3aa5cc63aaaeca142db6f095389c7533d4c77d

  • SSDEEP

    24576:51rgWuuJ/Gmz4ai4z3avWBdwwrkEPQSiLDi9:5uuJ/sai4zqvWBdtr94SgO

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
        "{path}"
        3⤵
          PID:1280
        • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
          "{path}"
          3⤵
            PID:1768
          • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
            "{path}"
            3⤵
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1788
        • C:\Windows\SysWOW64\cmmon32.exe
          "C:\Windows\SysWOW64\cmmon32.exe"
          2⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:980
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:1084

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\AppData\Local\Temp\sqlite3.dll
          Filesize

          831KB

          MD5

          f4d8be409d1bd016a7b3b2580a2b90fb

          SHA1

          a68e1f6a9b2234f2269d9cf1fbda94124c428dbe

          SHA256

          d70b27121bb33012560b14a7bd597666d76193d7dc5f89e2ac5e7507240bf708

          SHA512

          9892cd38d77898fe7916a8810c82a377bbcb4f0c3f75a8295943fa29a5cb4daec95a1600a74614f31ec723967fd95721174042f2e54b12e52fe85202cdf052df

          Download Submit

        • memory/980-73-0x0000000002140000-0x00000000021CF000-memory.dmp

          Filesize

          572KB

          Download

        • memory/980-72-0x0000000000A20000-0x0000000000D23000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/980-70-0x0000000000D30000-0x0000000000D3D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/980-71-0x0000000000080000-0x00000000000AD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1112-56-0x00000000003C0000-0x00000000003CE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1112-57-0x0000000005080000-0x000000000510C000-memory.dmp

          Filesize

          560KB

          Download

        • memory/1112-58-0x00000000021B0000-0x00000000021E6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1112-54-0x0000000000170000-0x0000000000270000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1112-55-0x0000000076031000-0x0000000076033000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1284-76-0x0000000005050000-0x0000000005110000-memory.dmp

          Filesize

          768KB

          Download

        • memory/1284-74-0x0000000005050000-0x0000000005110000-memory.dmp

          Filesize

          768KB

          Download

        • memory/1284-68-0x00000000041C0000-0x0000000004275000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1788-59-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1788-66-0x0000000000870000-0x0000000000B73000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1788-67-0x00000000002C0000-0x00000000002D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1788-65-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1788-64-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1788-62-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1788-60-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download