Play interactive tour

Edit tour

Analysis Report NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Overview

General Information

Sample Name:	NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Analysis ID:	344914
MD5:	6ac388bc55e9b10f193b3e0bc0ff4af6
SHA1:	c3c2e865b6b41ad7af8108efce76f1623e9b248e
SHA256:	b813d2ed2581e4e3a454152e2dbd93c522583e4274d0523c8e3d424d9d192342
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM_3

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Classification

Startup

System is w10x64

NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe (PID: 6032 cmdline: 'C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe' MD5: 6AC388BC55E9B10F193B3E0BC0FF4AF6)

schtasks.exe (PID: 4684 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wcJYGOnzoz' /XML 'C:\Users\user\AppData\Local\Temp\tmp6100.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe (PID: 5052 cmdline: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe MD5: 6AC388BC55E9B10F193B3E0BC0FF4AF6)

NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe (PID: 4364 cmdline: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe MD5: 6AC388BC55E9B10F193B3E0BC0FF4AF6)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.219247674.0000000003DD1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.219337362.0000000003EC4000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.219031171.0000000002E55000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.218970499.0000000002DD1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe PID: 6032	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe PID: 6032	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wcJYGOnzoz' /XML 'C:\Users\user\AppData\Local\Temp\tmp6100.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wcJYGOnzoz' /XML 'C:\Users\user\AppData\Local\Temp\tmp6100.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe' , ParentImage: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, ParentProcessId: 6032, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wcJYGOnzoz' /XML 'C:\Users\user\AppData\Local\Temp\tmp6100.tmp', ProcessId: 4684

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\wcJYGOnzoz.exe	Virustotal: Detection: 31%			Perma Link
Source: C:\Users\user\AppData\Roaming\wcJYGOnzoz.exe	ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Show sources

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Virustotal: Detection: 31%			Perma Link
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	ReversingLabs: Detection: 13%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\wcJYGOnzoz.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

0_2_0586D820

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.3:49747 -> 104.194.10.93:21
Source: Traffic	Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.3:49748 -> 104.194.10.93:52972

Source: global traffic

TCP traffic: 192.168.2.3:49748 -> 104.194.10.93:52972

Source: Joe Sandbox View

ASN Name: RELIABLESITEUS RELIABLESITEUS

Source: unknown

FTP traffic detected: 104.194.10.93:21 -> 192.168.2.3:49747 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown

DNS traffic detected: queries for: ftp.softg.com.ng

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.218970499.0000000002DD1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.219337362.0000000003EC4000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Code function: 0_2_02D4C2B0	0_2_02D4C2B0
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Code function: 0_2_02D49990	0_2_02D49990
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Code function: 0_2_0586E058	0_2_0586E058
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Code function: 0_2_05867140	0_2_05867140
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Code function: 0_2_0586303D	0_2_0586303D
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Code function: 0_2_05860C80	0_2_05860C80
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Code function: 0_2_05860C90	0_2_05860C90
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Code function: 0_2_05860A28	0_2_05860A28
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Code function: 0_2_05860A38	0_2_05860A38

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.222377982.00000000062C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePositiveSign.dll< vs NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.222715103.0000000006A90000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.222715103.0000000006A90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.218330386.0000000000A12000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLCIDConversionAttribute.exeT vs NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.219337362.0000000003EC4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIzarxtdbJVYlVEUNzzEAImEVZLzfzC.exe4 vs NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.218998288.0000000002E14000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoapName.dll2 vs NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.222558063.0000000006990000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000003.00000002.215737906.0000000000392000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLCIDConversionAttribute.exeT vs NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000004.00000000.217085041.0000000000FC2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLCIDConversionAttribute.exeT vs NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Binary or memory string: OriginalFilenameLCIDConversionAttribute.exeT vs NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wcJYGOnzoz.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/5@1/1

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

File created: C:\Users\user\AppData\Roaming\wcJYGOnzoz.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_01
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\wdLfldoNVrACd

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6100.tmp

Jump to behavior

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Virustotal: Detection: 31%
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

File read: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe 'C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wcJYGOnzoz' /XML 'C:\Users\user\AppData\Local\Temp\tmp6100.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Source: unknown	Process created: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wcJYGOnzoz' /XML 'C:\Users\user\AppData\Local\Temp\tmp6100.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process created: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process created: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Source: initial sample	Static PE information: section name: .text entropy: 7.67475810691
Source: initial sample	Static PE information: section name: .text entropy: 7.67475810691

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File created: \new urgent purchase order product list sheet 003847 pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File created: \new urgent purchase order product list sheet 003847 pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File created: \new urgent purchase order product list sheet 003847 pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

File created: C:\Users\user\AppData\Roaming\wcJYGOnzoz.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wcJYGOnzoz' /XML 'C:\Users\user\AppData\Local\Temp\tmp6100.tmp'

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.219031171.0000000002E55000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.218970499.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe PID: 6032, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.219031171.0000000002E55000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.219031171.0000000002E55000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Window / User API: threadDelayed 3458			Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Window / User API: threadDelayed 6342			Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe TID: 2792	Thread sleep time: -51025s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe TID: 3088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe TID: 5336	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe TID: 5600	Thread sleep count: 3458 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe TID: 5600	Thread sleep count: 6342 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe TID: 5336	Thread sleep count: 44 > 30	Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.219031171.0000000002E55000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.219031171.0000000002E55000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.219031171.0000000002E55000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.219031171.0000000002E55000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wcJYGOnzoz' /XML 'C:\Users\user\AppData\Local\Temp\tmp6100.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process created: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Process created: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.219247674.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.219337362.0000000003EC4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe PID: 6032, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.219247674.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.219337362.0000000003EC4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe PID: 6032, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection11	Disable or Modify Tools1	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Alternative Protocol1	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Obfuscated Files or Information2	Input Capture11	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing2	Credentials in Registry1	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	Security Software Discovery321	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion14	LSA Secrets	Virtualization/Sandbox Evasion14	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection11	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	32%	Virustotal		Browse
NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	13%	ReversingLabs	Win32.Trojan.Pwsx
NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\wcJYGOnzoz.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wcJYGOnzoz.exe	32%	Virustotal		Browse
C:\Users\user\AppData\Roaming\wcJYGOnzoz.exe	13%	ReversingLabs	Win32.Trojan.Pwsx

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ftp.softg.com.ng	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ftp.softg.com.ng	104.194.10.93	true	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.218970499.0000000002DD1000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe, 00000000.00000002.219337362.0000000003EC4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.194.10.93	unknown	United States		23470	RELIABLESITEUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344914
Start date:	27.01.2021
Start time:	13:08:58
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/5@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 13 Number of non-executed functions: 9
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.64.90.137, 51.11.168.160, 23.210.248.85, 95.101.22.224, 95.101.22.216, 20.54.26.129, 205.185.216.42, 205.185.216.10, 51.103.5.159, 51.104.139.180, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:09:50	API Interceptor	1184x Sleep call for process: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
104.194.10.93	Swift Bank Copy #156065.pdf.exe	Get hash	malicious	Browse
	NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Get hash	malicious	Browse
	NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Get hash	malicious	Browse
	New Order.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ftp.softg.com.ng	Swift Bank Copy #156065.pdf.exe	Get hash	malicious	Browse	104.194.10.93
	NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Get hash	malicious	Browse	104.194.10.93
	NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Get hash	malicious	Browse	104.194.10.93
	New Order.exe	Get hash	malicious	Browse	104.194.10.93

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RELIABLESITEUS	Swift Bank Copy #156065.pdf.exe	Get hash	malicious	Browse	104.194.10.93
	NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Get hash	malicious	Browse	104.194.10.93
	roboforex4multisetup.exe	Get hash	malicious	Browse	206.221.189.58
	NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe	Get hash	malicious	Browse	104.194.10.93
	gPGTcEMoM1.exe	Get hash	malicious	Browse	104.238.220.186
	XefNI6CwkP.exe	Get hash	malicious	Browse	45.58.112.77
	fortrade4setup.exe	Get hash	malicious	Browse	206.221.189.58
	dir2.exe	Get hash	malicious	Browse	104.238.220.186
	dir1.exe	Get hash	malicious	Browse	104.238.220.186
	#Ud83d#Udcde natasa.macovei@colt.net @ 1229 PM 1229 PM.pff.HTM	Get hash	malicious	Browse	172.96.140.18
	SHIPPING INVOICEpdf.exe	Get hash	malicious	Browse	104.194.8.194
	2021 Additional Agreement.exe	Get hash	malicious	Browse	104.238.220.186
	ps.dll	Get hash	malicious	Browse	104.194.10.55
	tesla.exe	Get hash	malicious	Browse	45.126.209.154
	Changebookingdate.exe	Get hash	malicious	Browse	45.126.209.154
	https://fdkl5.csb.app/	Get hash	malicious	Browse	45.58.124.226
	https://shocking-foregoing-driver.glitch.me	Get hash	malicious	Browse	45.58.124.226
	New Order.exe	Get hash	malicious	Browse	104.194.10.93
	012018.exe	Get hash	malicious	Browse	104.243.45.190
	Copy_C6AC.doc	Get hash	malicious	Browse	45.126.209.154

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe.log Download File
Process:	C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1400
Entropy (8bit):	5.344635889251176
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEg:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHV
MD5:	394E646B019FF472CE37EE76A647A27F
SHA1:	BD5872D88EE9CD2299B5F0E462C53D9E7040D6DA
SHA-256:	2295A0B1F6ACD75FB5D038ADE65725EDF3DDF076107AEA93E4A864E35974AE2A
SHA-512:	7E95510C85262998AECC9A06A73A5BF6352304AF6EE143EC7E48A17473773F33A96A2F4146446444789B8BCC9B83372A227DC89C3D326A2E142BCA1E1A9B4809
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp6100.tmp Download File
Process:	C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1643
Entropy (8bit):	5.195182470319441
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBcGNtn:cbh47TlNQ//rydbz9I3YODOLNdq33
MD5:	ADEE0252C1A3D7ED8D4CB921540B6F23
SHA1:	4D56F7BC41FC5E4FE77CBBB918438F3F94106A0D
SHA-256:	F7BB8C231A66C342AFC46F0548E6566C64C5B303A2697AD75C35898B098AB4F2
SHA-512:	0C33F4A493DDA164AAC9F7D72DDA95BEBD6CA3507A7DDAE21E30B32011932812AA18AF9DC4810DC560DD0AB63F2A5C58C626F2FDFE881DA4149944F79A7CE924
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\5vmcphy5.4qk\Chrome\Default\Cookies Download File
Process:	C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wcJYGOnzoz.exe Download File
Process:	C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1047040
Entropy (8bit):	7.618993069202847
Encrypted:	false
SSDEEP:	12288:6Uv/K5l68aT0CEaZtyakQ/wuBYPsIoHb+nlzZsWsE2SfnGLf/VwbN4+vtE+LtZ/W:9v/K5l68aT8aknsGoE2SOLlwqYTfV
MD5:	6AC388BC55E9B10F193B3E0BC0FF4AF6
SHA1:	C3C2E865B6B41AD7AF8108EFCE76F1623E9B248E
SHA-256:	B813D2ED2581E4E3A454152E2DBD93C522583E4274D0523C8E3D424D9D192342
SHA-512:	0D55B2EDD43412143F38BAD132C3A3A2219610C874B0C2CD4F293CB1692D6FA7283DECAD76FD0AE3B00C4596454A389C454FBF5F0E5B73AD8F88E22F7FA591A5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 13%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.................. ... ....@.. .......................`............@.................................<...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................p.......H........C...\...............d...........................................0............(....(..........(.....o..........................( ......(!......("......(#......($....N..(....op...(%....&..(&.....s'........s(........s)........s........s+............0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+..&..(1.......0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....

C:\Users\user\AppData\Roaming\wcJYGOnzoz.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.618993069202847
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
File size:	1047040
MD5:	6ac388bc55e9b10f193b3e0bc0ff4af6
SHA1:	c3c2e865b6b41ad7af8108efce76f1623e9b248e
SHA256:	b813d2ed2581e4e3a454152e2dbd93c522583e4274d0523c8e3d424d9d192342
SHA512:	0d55b2edd43412143f38bad132c3a3a2219610c874b0c2cd4f293cb1692d6fa7283decad76fd0ae3b00c4596454a389c454fbf5f0e5b73ad8f88e22f7fa591a5
SSDEEP:	12288:6Uv/K5l68aT0CEaZtyakQ/wuBYPsIoHb+nlzZsWsE2SfnGLf/VwbN4+vtE+LtZ/W:9v/K5l68aT8aknsGoE2SOLlwqYTfV
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	92929e929e9e8ee2

Static PE Info

General
Entrypoint:	0x4f048e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x601102C5 [Wed Jan 27 06:05:57 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf043c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf2000	0x10f8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x104000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xee494	0xee600	False	0.777965431633	data	7.67475810691	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xf2000	0x10f8c	0x11000	False	0.177418428309	data	5.41082924128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x104000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xf2130	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 318767104, next used block 117440512
RT_GROUP_ICON	0x102958	0x14	data
RT_VERSION	0x10296c	0x434	data
RT_MANIFEST	0x102da0	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	2021 (C) AuditFlags International
Assembly Version	11.84.0.0
InternalName	LCIDConversionAttribute.exe
FileVersion	11.84.0.0
CompanyName	AuditFlags International
LegalTrademarks	AuditFlags
Comments	Non Versionable Attribute
ProductName	Non Versionable Attribute
ProductVersion	11.84.0.0
FileDescription	Non Versionable Attribute
OriginalFilename	LCIDConversionAttribute.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/27/21-13:11:36.340839	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49747	21	192.168.2.3	104.194.10.93
01/27/21-13:11:36.474169	TCP	2029928	ET TROJAN AgentTesla HTML System Info Report Exfil via FTP	49748	52972	192.168.2.3	104.194.10.93

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 13:11:35.085513115 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:35.213593006 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:35.213752031 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:35.343816996 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:35.345099926 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:35.472048044 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:35.472098112 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:35.472773075 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:35.641906023 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:35.686135054 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:35.686456919 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:35.813783884 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:35.813811064 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:35.814070940 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:35.941620111 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:35.942395926 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:36.069355965 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:36.069767952 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:36.197118044 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:36.200633049 CET	49748	52972	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:36.241496086 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:36.340318918 CET	52972	49748	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:36.340486050 CET	49748	52972	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:36.340838909 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:36.469507933 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:36.474169016 CET	49748	52972	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:36.475358963 CET	49748	52972	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:36.522949934 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:36.602929115 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:36.613097906 CET	52972	49748	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:36.614379883 CET	52972	49748	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:36.614541054 CET	49748	52972	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:36.647816896 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:37.340321064 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:37.469654083 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:37.470866919 CET	49749	62110	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:37.522872925 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:37.602408886 CET	62110	49749	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:37.602633953 CET	49749	62110	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:37.602966070 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:37.732239008 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:37.733433008 CET	49749	62110	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:37.733495951 CET	49749	62110	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:37.772897959 CET	49747	21	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:37.865151882 CET	62110	49749	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:37.865200043 CET	62110	49749	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:37.865230083 CET	21	49747	104.194.10.93	192.168.2.3
Jan 27, 2021 13:11:37.865267038 CET	49749	62110	192.168.2.3	104.194.10.93
Jan 27, 2021 13:11:37.913544893 CET	49747	21	192.168.2.3	104.194.10.93

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 13:09:43.696324110 CET	58361	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:43.744245052 CET	53	58361	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:44.657226086 CET	63492	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:44.708415031 CET	53	63492	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:45.613053083 CET	60831	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:45.663837910 CET	53	60831	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:46.983957052 CET	60100	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:47.037990093 CET	53	60100	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:48.398194075 CET	53195	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:48.448151112 CET	53	53195	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:49.714911938 CET	50141	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:49.765640020 CET	53	50141	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:50.927064896 CET	53023	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:50.977127075 CET	53	53023	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:51.875458002 CET	49563	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:51.923460960 CET	53	49563	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:53.004487038 CET	51352	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:53.063175917 CET	53	51352	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:54.353805065 CET	59349	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:54.403966904 CET	53	59349	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:55.412123919 CET	57084	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:55.469188929 CET	53	57084	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:56.404776096 CET	58823	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:56.452795029 CET	53	58823	8.8.8.8	192.168.2.3
Jan 27, 2021 13:09:57.370848894 CET	57568	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:09:57.420466900 CET	53	57568	8.8.8.8	192.168.2.3
Jan 27, 2021 13:10:11.790249109 CET	50540	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:10:11.842590094 CET	53	50540	8.8.8.8	192.168.2.3
Jan 27, 2021 13:10:16.369446039 CET	54366	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:10:16.432280064 CET	53	54366	8.8.8.8	192.168.2.3
Jan 27, 2021 13:10:22.367731094 CET	53034	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:10:22.427658081 CET	53	53034	8.8.8.8	192.168.2.3
Jan 27, 2021 13:10:32.740448952 CET	57762	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:10:32.813951015 CET	53	57762	8.8.8.8	192.168.2.3
Jan 27, 2021 13:10:32.843992949 CET	55435	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:10:32.893315077 CET	53	55435	8.8.8.8	192.168.2.3
Jan 27, 2021 13:10:34.375591993 CET	50713	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:10:34.426392078 CET	53	50713	8.8.8.8	192.168.2.3
Jan 27, 2021 13:10:37.813103914 CET	56132	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:10:37.873816013 CET	53	56132	8.8.8.8	192.168.2.3
Jan 27, 2021 13:10:39.467014074 CET	58987	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:10:39.515470982 CET	53	58987	8.8.8.8	192.168.2.3
Jan 27, 2021 13:10:40.021414995 CET	56579	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:10:40.086673975 CET	53	56579	8.8.8.8	192.168.2.3
Jan 27, 2021 13:11:17.730375051 CET	60633	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:11:18.723169088 CET	53	60633	8.8.8.8	192.168.2.3
Jan 27, 2021 13:11:34.787712097 CET	61292	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:11:34.965647936 CET	53	61292	8.8.8.8	192.168.2.3
Jan 27, 2021 13:12:35.638895988 CET	63619	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:12:35.697612047 CET	53	63619	8.8.8.8	192.168.2.3
Jan 27, 2021 13:12:36.330755949 CET	64938	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:12:36.389739990 CET	53	64938	8.8.8.8	192.168.2.3
Jan 27, 2021 13:12:37.556020021 CET	61946	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:12:37.618256092 CET	53	61946	8.8.8.8	192.168.2.3
Jan 27, 2021 13:12:38.274713993 CET	64910	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:12:38.334306002 CET	53	64910	8.8.8.8	192.168.2.3
Jan 27, 2021 13:12:38.893723965 CET	52123	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:12:38.953238964 CET	53	52123	8.8.8.8	192.168.2.3
Jan 27, 2021 13:12:39.670677900 CET	56130	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:12:39.730005980 CET	53	56130	8.8.8.8	192.168.2.3
Jan 27, 2021 13:12:40.632364035 CET	56338	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:12:40.696209908 CET	53	56338	8.8.8.8	192.168.2.3
Jan 27, 2021 13:12:41.681993008 CET	59420	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:12:41.744244099 CET	53	59420	8.8.8.8	192.168.2.3
Jan 27, 2021 13:12:43.102271080 CET	58784	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:12:43.166619062 CET	53	58784	8.8.8.8	192.168.2.3
Jan 27, 2021 13:12:43.747852087 CET	63978	53	192.168.2.3	8.8.8.8
Jan 27, 2021 13:12:43.804404020 CET	53	63978	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 13:11:34.787712097 CET	192.168.2.3	8.8.8.8	0xe293	Standard query (0)	ftp.softg.com.ng	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 27, 2021 13:11:34.965647936 CET	8.8.8.8	192.168.2.3	0xe293	No error (0)	ftp.softg.com.ng		104.194.10.93	A (IP address)	IN (0x0001)

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 27, 2021 13:11:35.343816996 CET	21	49747	104.194.10.93	192.168.2.3	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 07:11. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 27, 2021 13:11:35.345099926 CET	49747	21	192.168.2.3	104.194.10.93	USER ogd@blessedxmhk.com.ng
Jan 27, 2021 13:11:35.472098112 CET	21	49747	104.194.10.93	192.168.2.3	331 User ogd@blessedxmhk.com.ng OK. Password required
Jan 27, 2021 13:11:35.472773075 CET	49747	21	192.168.2.3	104.194.10.93	PASS wealth@123455@@
Jan 27, 2021 13:11:35.686135054 CET	21	49747	104.194.10.93	192.168.2.3	230 OK. Current restricted directory is /
Jan 27, 2021 13:11:35.813811064 CET	21	49747	104.194.10.93	192.168.2.3	504 Unknown command
Jan 27, 2021 13:11:35.814070940 CET	49747	21	192.168.2.3	104.194.10.93	PWD
Jan 27, 2021 13:11:35.941620111 CET	21	49747	104.194.10.93	192.168.2.3	257 "/" is your current location
Jan 27, 2021 13:11:35.942395926 CET	49747	21	192.168.2.3	104.194.10.93	TYPE I
Jan 27, 2021 13:11:36.069355965 CET	21	49747	104.194.10.93	192.168.2.3	200 TYPE is now 8-bit binary
Jan 27, 2021 13:11:36.069767952 CET	49747	21	192.168.2.3	104.194.10.93	PASV
Jan 27, 2021 13:11:36.197118044 CET	21	49747	104.194.10.93	192.168.2.3	227 Entering Passive Mode (104,194,10,93,206,236)
Jan 27, 2021 13:11:36.340838909 CET	49747	21	192.168.2.3	104.194.10.93	STOR PW_user-960781_2021_01_27_16_10_24.html
Jan 27, 2021 13:11:36.469507933 CET	21	49747	104.194.10.93	192.168.2.3	150 Accepted data connection
Jan 27, 2021 13:11:36.602929115 CET	21	49747	104.194.10.93	192.168.2.3	226-File successfully transferred 226-File successfully transferred226 0.133 seconds (measured here), 3.28 Kbytes per second
Jan 27, 2021 13:11:37.340321064 CET	49747	21	192.168.2.3	104.194.10.93	PASV
Jan 27, 2021 13:11:37.469654083 CET	21	49747	104.194.10.93	192.168.2.3	227 Entering Passive Mode (104,194,10,93,242,158)
Jan 27, 2021 13:11:37.602966070 CET	49747	21	192.168.2.3	104.194.10.93	STOR CO_user-960781_2021_01_27_16_10_59.zip
Jan 27, 2021 13:11:37.732239008 CET	21	49747	104.194.10.93	192.168.2.3	150 Accepted data connection
Jan 27, 2021 13:11:37.865230083 CET	21	49747	104.194.10.93	192.168.2.3	226-File successfully transferred 226-File successfully transferred226 0.131 seconds (measured here), 9.84 Kbytes per second

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe PID: 6032 Parent PID: 5612

General

Start time:	13:09:49
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe'
Imagebase:	0x920000
File size:	1047040 bytes
MD5 hash:	6AC388BC55E9B10F193B3E0BC0FF4AF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.219247674.0000000003DD1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.219337362.0000000003EC4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.219031171.0000000002E55000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.218970499.0000000002DD1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 4684 Parent PID: 6032

General

Start time:	13:09:52
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\wcJYGOnzoz' /XML 'C:\Users\user\AppData\Local\Temp\tmp6100.tmp'
Imagebase:	0x1350000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4564 Parent PID: 4684

General

Start time:	13:09:52
Start date:	27/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe PID: 5052 Parent PID: 6032

General

Start time:	13:09:53
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Imagebase:	0x2a0000
File size:	1047040 bytes
MD5 hash:	6AC388BC55E9B10F193B3E0BC0FF4AF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe PID: 4364 Parent PID: 6032

General

Start time:	13:09:53
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe
Imagebase:	0xed0000
File size:	1047040 bytes
MD5 hash:	6AC388BC55E9B10F193B3E0BC0FF4AF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe PID: 6032 Parent PID: 5612 NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exeCOMMON

Executed Functions

Function 0586E058, Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222314432.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cd4ff1e98837aed795d735ddec32d9ec64ea5831587e2c6adc24d90f565d3e
Instruction ID: d42f5bde99f0e667fbb9e08f293a49582947792f966248565819206e45c84fc9
Opcode Fuzzy Hash: 70cd4ff1e98837aed795d735ddec32d9ec64ea5831587e2c6adc24d90f565d3e
Instruction Fuzzy Hash: DD328734B012049FDB25DB6AC464BABB7FBAF88704F244469E906DB390DB35ED05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02D4DBE0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D4DD8A

Strings

Zk&6, xrefs: 02D4DCA6
Zk&6, xrefs: 02D4DCC6

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID: CreateWindow
String ID: Zk&6$Zk&6
API String ID: 716092398-716038083
Opcode ID: 6abf4c939e31db2985ed634d7b0a053ca187798b18217d703e8270043e4cf0b8
Instruction ID: 896695c3e89990709657c7eb8fffc65ea770f15a8e7a0bb41236fd0c68b47ec3
Opcode Fuzzy Hash: 6abf4c939e31db2985ed634d7b0a053ca187798b18217d703e8270043e4cf0b8
Instruction Fuzzy Hash: 376102B1C04348AFCF12CFA9C994ADDBFB2BF49304F19815AE918AB221D7749945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02D4B214, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D4DD8A

Strings

Zk&6, xrefs: 02D4DCA6
Zk&6, xrefs: 02D4DCC6

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID: CreateWindow
String ID: Zk&6$Zk&6
API String ID: 716092398-716038083
Opcode ID: 5f7d4deb96fa06fb728ca2ec576302f00502109e36f12e39693825ed464922bc
Instruction ID: 66be9f6e6f8fb02bcdf318ad1c679f816bb1fc003e880167d597f046ca64f93b
Opcode Fuzzy Hash: 5f7d4deb96fa06fb728ca2ec576302f00502109e36f12e39693825ed464922bc
Instruction Fuzzy Hash: 2551B0B1D00309DFDB14CF99C984ADEBBB6BF49314F24812AE819AB310DB749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D4BBB8, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02D4BE0E

Strings

Zk&6, xrefs: 02D4BDC7

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID: HandleModule
String ID: Zk&6
API String ID: 4139908857-3440509606
Opcode ID: a6c71e4b26b1da8d564f5f7dadf903ab096e2e30999b7dfd1a4203dadb98a12f
Instruction ID: 0e10508d1a3736e48981defd1353cef616ae9e5448d1be49caff6bf14706ee0e
Opcode Fuzzy Hash: a6c71e4b26b1da8d564f5f7dadf903ab096e2e30999b7dfd1a4203dadb98a12f
Instruction Fuzzy Hash: AE712370A00B058FD724DF2AD48179ABBF1FF88208F00892AD596D7B40DB35E946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D46D41, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D46E3F

Strings

Zk&6, xrefs: 02D46DD7

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: Zk&6
API String ID: 3793708945-3440509606
Opcode ID: 15d1cb7b81697ffb3126cbe63684b9e1f6599084ce7f13c3f7281db71213c5c7
Instruction ID: c55c2ef8416afb940432f35f7a168aa8f83402b4059684919560914d647bedd1
Opcode Fuzzy Hash: 15d1cb7b81697ffb3126cbe63684b9e1f6599084ce7f13c3f7281db71213c5c7
Instruction Fuzzy Hash: A9414676900258AFCB01CF99D844AEEBFF9EF49320F04801AEA14A7351D779E954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D46DB0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D46E3F

Strings

Zk&6, xrefs: 02D46DD7

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: Zk&6
API String ID: 3793708945-3440509606
Opcode ID: ffeda7d8d2de853f5cee9e14a862826e1b289fcee04a1401c47c30d2ade3a25a
Instruction ID: 2202ea3bc1b29034c3fe6e3de95fb575697f9637b7e36e3fd2d66ee737f7c0fd
Opcode Fuzzy Hash: ffeda7d8d2de853f5cee9e14a862826e1b289fcee04a1401c47c30d2ade3a25a
Instruction Fuzzy Hash: 7321E6B59002589FDB10CF99D984ADEBBF8FF48314F15801AE914B7310D778A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D46DB8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D46E3F

Strings

Zk&6, xrefs: 02D46DD7

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: Zk&6
API String ID: 3793708945-3440509606
Opcode ID: 5f9dbb939c6296139ab774629efbf74fdd5cd361dac242ea69c0773e5f24f1c9
Instruction ID: 189977b1af69f018f8704c44397013ef69d096e64f8818d37582b76e4231406c
Opcode Fuzzy Hash: 5f9dbb939c6296139ab774629efbf74fdd5cd361dac242ea69c0773e5f24f1c9
Instruction Fuzzy Hash: A321D5B5D002489FDB10CFA9D984ADEBBF8FB49324F14841AE915B7310D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D4B0D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02D4BE89,00000800,00000000,00000000), ref: 02D4C09A

Strings

Zk&6, xrefs: 02D4C04F

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: Zk&6
API String ID: 1029625771-3440509606
Opcode ID: 9dfad80ced5d66c8345bd11667997591fa44b2f45374bfe72621c6a912c8608b
Instruction ID: 6989bdb452e956ebe9d4429b0c065f174197dc38db812e5b7f7223af19e5ff91
Opcode Fuzzy Hash: 9dfad80ced5d66c8345bd11667997591fa44b2f45374bfe72621c6a912c8608b
Instruction Fuzzy Hash: 8A1103B29012088FCB20CF9AD844BDEBBF4EB48314F10842AE919B7700C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D4C028, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02D4BE89,00000800,00000000,00000000), ref: 02D4C09A

Strings

Zk&6, xrefs: 02D4C04F

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: Zk&6
API String ID: 1029625771-3440509606
Opcode ID: e354533f42690d2bbfd91c90d275906a1f5046dcb093cf4d88cd88277ffadb07
Instruction ID: 40cf2e625d8b85d71cb48851d3cb0fdc942b5412b34565b92cf41923eb6fa5a9
Opcode Fuzzy Hash: e354533f42690d2bbfd91c90d275906a1f5046dcb093cf4d88cd88277ffadb07
Instruction Fuzzy Hash: 361100B69002098FCB10CFAAC544BDEFBF4AB48314F15852AD929AB600C775A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0586E968, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 0586E9C0

Strings

Zk&6, xrefs: 0586E982

Memory Dump Source

Source File: 00000000.00000002.222314432.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID: Zk&6
API String ID: 2591292051-3440509606
Opcode ID: b79ce73207849a6b37d6574f8bebec58192826b2782b75179ba375a777ad1a85
Instruction ID: 8dfca1db9726e60621c80997ca9faa35135913c32766fdc888eae12ffbe0906d
Opcode Fuzzy Hash: b79ce73207849a6b37d6574f8bebec58192826b2782b75179ba375a777ad1a85
Instruction Fuzzy Hash: 531145B58006098FCB20DF99C444BDEBBF4FF48324F10842AD968A7740D738A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D4BDA8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02D4BE0E

Strings

Zk&6, xrefs: 02D4BDC7

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID: HandleModule
String ID: Zk&6
API String ID: 4139908857-3440509606
Opcode ID: 04c92e6430933b8297404fc856f0513ee122546882bc1e94fa549c9ac5a733ac
Instruction ID: 3c60943586b718282927b83558453a3d312acf361c0b8e210949fa3f4bf05aaf
Opcode Fuzzy Hash: 04c92e6430933b8297404fc856f0513ee122546882bc1e94fa549c9ac5a733ac
Instruction Fuzzy Hash: 1611DFB6D006498FDB10CF9AC444ADEFBF4EB88328F15846AD929A7700D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D4DEC0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02D4DF1D

Strings

Zk&6, xrefs: 02D4DEDA

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID: LongWindow
String ID: Zk&6
API String ID: 1378638983-3440509606
Opcode ID: 3f01431ad74bb85e829038a4394b02d89a4a769ad99acb1512f8bec948e1926e
Instruction ID: 3bf1068a9785861dffbcaeece4edd413b57c14e38a43f4c204d2c0cb0e8f7cd5
Opcode Fuzzy Hash: 3f01431ad74bb85e829038a4394b02d89a4a769ad99acb1512f8bec948e1926e
Instruction Fuzzy Hash: F811E2B59002499FDB20CF9AD584BDEBBF8EB48324F10855AE919B7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D4DEB9, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02D4DF1D

Strings

Zk&6, xrefs: 02D4DEDA

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID: LongWindow
String ID: Zk&6
API String ID: 1378638983-3440509606
Opcode ID: 7be3fefeaa3afadf9264ff884bb1885ec09069fe09e1f9631d382cd292cbd1a6
Instruction ID: 1909f5991a49ed5eb0141442331a18dc9d29a8712d9682621434518e40ff4259
Opcode Fuzzy Hash: 7be3fefeaa3afadf9264ff884bb1885ec09069fe09e1f9631d382cd292cbd1a6
Instruction Fuzzy Hash: 501100B69002498FDB10CF99D584BDEBBF4EB48324F14855AE919A7740C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0586303D, Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

?, xrefs: 058633A0

Memory Dump Source

Source File: 00000000.00000002.222314432.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 7a6b649ca25320b90388f8e1589a68f451edc7ed870aa6c117a7e6308a8dfc43
Instruction ID: c1a1dc11cfcacd6494baf298f86e5e43a6b601ae9ffd4e0f750a04eee57a20f6
Opcode Fuzzy Hash: 7a6b649ca25320b90388f8e1589a68f451edc7ed870aa6c117a7e6308a8dfc43
Instruction Fuzzy Hash: CCB19EB0D5462ECBDB64DF69C980B9DBBF5FB88204F0081E5D55CA6206EB309E95CF48

Uniqueness

Uniqueness Score: -1.00%

Function 02D4C2B0, Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640f9f95468df1ec2cbe904071627e7587cc6450d8239894f28cecd31de18b37
Instruction ID: df640f31d67dca2b701e19e70c4a953c544afb1c051d55b80849c58586bc728e
Opcode Fuzzy Hash: 640f9f95468df1ec2cbe904071627e7587cc6450d8239894f28cecd31de18b37
Instruction Fuzzy Hash: B05286B1985706CBD712CF14F8A82997BB1FB46328FD04A09C1616BBD0D7B46D6ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 02D49990, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.218861835.0000000002D40000.00000040.00000001.sdmp, Offset: 02D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09eddf5917c25dde554c73c90637807874b871590c78feef8e0e42a4b7d636e
Instruction ID: fc2e18575606a5132f54cff7e412b706592959965980122b06ce0108cccd02dc
Opcode Fuzzy Hash: d09eddf5917c25dde554c73c90637807874b871590c78feef8e0e42a4b7d636e
Instruction Fuzzy Hash: 00A14836E006198FCF05DFA5C8545DEBBB2FF85308B15856AE805AB321EB71ED15CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05867140, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222314432.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6cbf1e5b6a702d7900ef2fa3ad6a717e4fcf99f72c81cf3a6cc50c286633206
Instruction ID: 094a4dd7acc0c74add1f5b6c34d74a5ac8a9cee15ffc1793eebbce9ca39e6512
Opcode Fuzzy Hash: b6cbf1e5b6a702d7900ef2fa3ad6a717e4fcf99f72c81cf3a6cc50c286633206
Instruction Fuzzy Hash: F1A1F274E04248CFDB04DFE9C584AAEBBF6FB48318F249129E815EB344DB749985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05860A28, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222314432.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d615e54216c13068ee8bb895dc649a12c5f88d0a74b1ba88e128a141b6f67d9
Instruction ID: ff79431fb07b90e3afd2f0c2c16df5616d9755e4bdd2facccd125e4fc6416a97
Opcode Fuzzy Hash: 0d615e54216c13068ee8bb895dc649a12c5f88d0a74b1ba88e128a141b6f67d9
Instruction Fuzzy Hash: A2519F71A262488FCB45EFB9E84269E7BF6EB84304F04C829E1049B324DF755D45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 05860A38, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222314432.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5088920bf3db8abe63a388d3794f7c408b832bb3192fe61da385e25946993a2b
Instruction ID: e2d66c418835a771d49fa56fadc3f435584f097462507d26bb3ccd9b74f85e33
Opcode Fuzzy Hash: 5088920bf3db8abe63a388d3794f7c408b832bb3192fe61da385e25946993a2b
Instruction Fuzzy Hash: CB519E71E262488FCB45EFB9E84169E7BF6EB88304F00C829E1049B324EF755D45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 05860C90, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222314432.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d28f4dbd2cc69c17a7ebaa14960d4b367479c8a16c00c6c619e2f14f2abf17
Instruction ID: 1cf573b0b5cc8fb676b83cbb14df2d3be8e2a675aeb98d1ba1c86430c3d2d931
Opcode Fuzzy Hash: b1d28f4dbd2cc69c17a7ebaa14960d4b367479c8a16c00c6c619e2f14f2abf17
Instruction Fuzzy Hash: 1D4143B1E056588BEB5CCF6B8C4468EFAF7AFC9300F14C5BA890DAA215EB7009458F15

Uniqueness

Uniqueness Score: -1.00%

Function 05860C80, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222314432.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e908e1f537a950ea3e4c2779421bd67fd58282b0e3a475e6f371b6b0988d388
Instruction ID: f64b9d6ff56307f968a172194f389c9b2b8f757bd563083f4f55a07e4d6b3ff2
Opcode Fuzzy Hash: 0e908e1f537a950ea3e4c2779421bd67fd58282b0e3a475e6f371b6b0988d388
Instruction Fuzzy Hash: B54158B1E056588BEB5CCF6B8C4568EFAF7BFC9310F14C5BAC90CAA215DB7009468E15

Uniqueness

Uniqueness Score: -1.00%

Function 0586D820, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222314432.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bd7d2c13fcd68d5e49b7e5b07ec6cfb103f2ccf0932e8e89732eb73ebdc052
Instruction ID: 0262613b6e4a645c2d861b96cc701ccab2c4bc1d39234c90c74b959b2eddfd76
Opcode Fuzzy Hash: 27bd7d2c13fcd68d5e49b7e5b07ec6cfb103f2ccf0932e8e89732eb73ebdc052
Instruction Fuzzy Hash: F5115A70E0A2188BDB14CFA5C419BEDBBF1BB4E305F149869D815B3290C7788944CF68

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report NEW URGENT PURCHASE ORDER PRODUCT LIST SHEET 003847 pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

FTP Packets

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre