93b8b69c533e953775c7524f4018960127712b032ac0c59b6b424e5290d4a21c

General

Target

Purchase Order P02144004R.exe
Size

1.2MB
MD5

21d88b2a0f4c4577417d3706c6ffad49
SHA1

51c8e452353941a976ef82eceac69f4387ac57fb
SHA256

9c6536ae2b9588bf5dada49dc918a668a204e0903fc091bf1a5ebaacb9b5559f
SHA512

cae01115160fdfce57b05355b86f82d19855454ea393100d9abe3626a6e7de9e73c2a823a99b267a9f04e6156851f778c4521f58fa12cf9ba495f6e3b398287d
SSDEEP

24576:YqDEvCTbMWu7rQYlBQcBiT6rprG8aedDNy/cRcCZic6GSyU0U:YTvC/MTQYxsWR7aeJNhRcCb

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 1420	1816	Purchase Order P02144004R.exe	91
PID 1420 set thread context of 1816	1420	Purchase Order P02144004R.exe	87
PID 1420 set thread context of 3876	1420	Purchase Order P02144004R.exe	92
PID 3876 set thread context of 3512	3876	shutdown.exe	57

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	shutdown.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1420	Purchase Order P02144004R.exe
1420	Purchase Order P02144004R.exe
1420	Purchase Order P02144004R.exe
1420	Purchase Order P02144004R.exe
1420	Purchase Order P02144004R.exe
1420	Purchase Order P02144004R.exe
1420	Purchase Order P02144004R.exe
1420	Purchase Order P02144004R.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1816	Purchase Order P02144004R.exe
1420	Purchase Order P02144004R.exe
1816	Purchase Order P02144004R.exe
1816	Purchase Order P02144004R.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe
3876	shutdown.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3512	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1420	1816	Purchase Order P02144004R.exe	91
PID 1816 wrote to memory of 1420	1816	Purchase Order P02144004R.exe	91
PID 1816 wrote to memory of 1420	1816	Purchase Order P02144004R.exe	91
PID 1816 wrote to memory of 1420	1816	Purchase Order P02144004R.exe	91
PID 1816 wrote to memory of 3876	1816	Purchase Order P02144004R.exe	92
PID 1816 wrote to memory of 3876	1816	Purchase Order P02144004R.exe	92
PID 1816 wrote to memory of 3876	1816	Purchase Order P02144004R.exe	92
PID 3876 wrote to memory of 408	3876	shutdown.exe	101
PID 3876 wrote to memory of 408	3876	shutdown.exe	101
PID 3876 wrote to memory of 408	3876	shutdown.exe	101

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3512
- C:\Users\Admin\AppData\Local\Temp\Purchase Order P02144004R.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order P02144004R.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order P02144004R.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order P02144004R.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1420
- - C:\Windows\SysWOW64\shutdown.exe
    "C:\Windows\SysWOW64\shutdown.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut9AE3.tmp

Filesize
250KB

MD5
9eefc84e8f98f42f06380d8df3caa12c

SHA1
0c9964a32f0dbed5c6b0e8481348ddb4aa7e3576

SHA256
2e9dffced9ea3b08cba06fff854aa96659449cc737d70ae6519d0b10936c5015

SHA512
f537d546381cae0375a2414af441c7e73d3474470988a00bdddf55b4f33e3cdbcb463a41b87e5bbbbff8237bcd609dd6083baaacada06903648e61488cdd4e01

Download Submit
memory/1420-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1420-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1420-14-0x0000000001A80000-0x0000000001DCA000-memory.dmp

Filesize
3.3MB

Download
memory/1816-12-0x0000000002140000-0x0000000002144000-memory.dmp

Filesize
16KB

Download
memory/3512-26-0x0000000008470000-0x0000000008548000-memory.dmp

Filesize
864KB

Download
memory/3512-24-0x0000000008470000-0x0000000008548000-memory.dmp

Filesize
864KB

Download
memory/3512-23-0x0000000008470000-0x0000000008548000-memory.dmp

Filesize
864KB

Download
memory/3876-19-0x0000000000780000-0x00000000007BB000-memory.dmp

Filesize
236KB

Download
memory/3876-20-0x00000000010A0000-0x000000000113D000-memory.dmp

Filesize
628KB

Download
memory/3876-21-0x0000000000780000-0x00000000007BB000-memory.dmp

Filesize
236KB

Download
memory/3876-22-0x00000000010A0000-0x000000000113D000-memory.dmp

Filesize
628KB

Download
memory/3876-18-0x0000000001170000-0x00000000014BA000-memory.dmp

Filesize
3.3MB

Download
memory/3876-16-0x0000000000780000-0x00000000007BB000-memory.dmp

Filesize
236KB

Download
memory/3876-15-0x0000000000780000-0x00000000007BB000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing