Analysis Report PURCHASE ORDER.exe

Overview

General Information

Sample Name: PURCHASE ORDER.exe
Analysis ID: 412574
MD5: 3dbed8889c9e0709d9d5b9df08d5eabf
SHA1: 55e331a1169b7f8773c0a2332e85c73322477831
SHA256: a10213876dda124a602a41a9b947e66ed8ad7e330b76596bdb0ab00b435aaded
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000004.00000002.503023451.0000000003541000.00000004.00000001.sdmp Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ghulam.sarwar@dadabhoy.edu.pkDadabhoy.456mail.dadabhoy.edu.pkmarsspace454@yandex.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\GNBVBDzQwHiY.exe ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: PURCHASE ORDER.exe Virustotal: Detection: 21% Perma Link
Source: PURCHASE ORDER.exe ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\GNBVBDzQwHiY.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PURCHASE ORDER.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.PURCHASE ORDER.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: PURCHASE ORDER.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: PURCHASE ORDER.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: PURCHASE ORDER.exe, 00000000.00000002.239873716.00000000053A0000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000004.00000002.505195502.0000000005F10000.00000002.00000001.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_062D1E00
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_062D1DF0

Networking:

barindex
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49724 -> 72.18.132.146:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 72.18.132.146 72.18.132.146
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WEHOSTWEBSITES-COMUS WEHOSTWEBSITES-COMUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49724 -> 72.18.132.146:587
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_013FA09A recv, 4_2_013FA09A
Source: unknown DNS traffic detected: queries for: mail.dadabhoy.edu.pk
Source: PURCHASE ORDER.exe, 00000004.00000002.503023451.0000000003541000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PURCHASE ORDER.exe, 00000004.00000002.503023451.0000000003541000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: PURCHASE ORDER.exe, 00000004.00000002.503023451.0000000003541000.00000004.00000001.sdmp String found in binary or memory: http://UZkOts.com
Source: PURCHASE ORDER.exe, 00000004.00000002.503023451.0000000003541000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%
Source: PURCHASE ORDER.exe, 00000004.00000002.503023451.0000000003541000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: PURCHASE ORDER.exe, 00000004.00000002.503023451.0000000003541000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000004.00000002.503328534.0000000003589000.00000004.00000001.sdmp String found in binary or memory: https://kMicsa3HazLTjD.net
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: PURCHASE ORDER.exe, 00000000.00000002.239232235.0000000004171000.00000004.00000001.sdmp, PURCHASE ORDER.exe, 00000004.00000002.498714437.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PURCHASE ORDER.exe, 00000004.00000002.503023451.0000000003541000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a global keyboard hook
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PURCHASE ORDER.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PURCHASE ORDER.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_051713D6 NtQuerySystemInformation, 0_2_051713D6
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_051713A9 NtQuerySystemInformation, 0_2_051713A9
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_013FB0BA NtQuerySystemInformation, 4_2_013FB0BA
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_013FB089 NtQuerySystemInformation, 4_2_013FB089
Detected potential crypto function
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05322013 0_2_05322013
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532DCC8 0_2_0532DCC8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05322B18 0_2_05322B18
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053217B0 0_2_053217B0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532E3A8 0_2_0532E3A8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05321BE8 0_2_05321BE8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532DFD8 0_2_0532DFD8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532EA08 0_2_0532EA08
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05324AA0 0_2_05324AA0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053232FB 0_2_053232FB
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053212E3 0_2_053212E3
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05320AC3 0_2_05320AC3
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05326D70 0_2_05326D70
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053269BD 0_2_053269BD
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053249A1 0_2_053249A1
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053215E0 0_2_053215E0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053215D0 0_2_053215D0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532ADD8 0_2_0532ADD8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05325810 0_2_05325810
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05325803 0_2_05325803
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532A808 0_2_0532A808
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05322B0B 0_2_05322B0B
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532C348 0_2_0532C348
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05326BB0 0_2_05326BB0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05326BA3 0_2_05326BA3
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053217AB 0_2_053217AB
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532A791 0_2_0532A791
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053267F0 0_2_053267F0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05321BE3 0_2_05321BE3
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053267EB 0_2_053267EB
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532B610 0_2_0532B610
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05326278 0_2_05326278
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05320E61 0_2_05320E61
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532626B 0_2_0532626B
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532CAA0 0_2_0532CAA0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05324A9B 0_2_05324A9B
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0532BA88 0_2_0532BA88
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053236E0 0_2_053236E0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_062D0006 0_2_062D0006
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_062D0070 0_2_062D0070
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_062D1AF6 0_2_062D1AF6
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_0300D357 4_2_0300D357
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_0300D7B8 4_2_0300D7B8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_0300BBBA 4_2_0300BBBA
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_03009A90 4_2_03009A90
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_06480070 4_2_06480070
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_064E5340 4_2_064E5340
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_064E0070 4_2_064E0070
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_064EABD0 4_2_064EABD0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_064E8AE0 4_2_064E8AE0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_064ED6F0 4_2_064ED6F0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_064EA1A0 4_2_064EA1A0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_064EE2B1 4_2_064EE2B1
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_064E0006 4_2_064E0006
Sample file is different than original file name gathered from version info
Source: PURCHASE ORDER.exe, 00000000.00000002.239511278.000000000434A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMqlBKgQGWGuIUcraWbDAeFtcNvdPyLI.exe4 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.242160824.0000000005FF0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.239873716.00000000053A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.242274006.00000000060F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.242274006.00000000060F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.238019794.0000000000B5C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDefaultInterfaceAttribute.exeP vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.238942135.0000000003171000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000003.00000002.236766536.000000000043C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDefaultInterfaceAttribute.exeP vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000004.00000002.505299124.0000000006010000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000004.00000002.504596475.0000000005800000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000004.00000002.500345558.0000000001597000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000004.00000000.237489374.0000000000E2C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDefaultInterfaceAttribute.exeP vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000004.00000002.505195502.0000000005F10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000004.00000002.505049092.0000000005D80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000004.00000002.498714437.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameMqlBKgQGWGuIUcraWbDAeFtcNvdPyLI.exe4 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe Binary or memory string: OriginalFilenameDefaultInterfaceAttribute.exeP vs PURCHASE ORDER.exe
Uses 32bit PE files
Source: PURCHASE ORDER.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PURCHASE ORDER.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: GNBVBDzQwHiY.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/4@1/1
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05170FC2 AdjustTokenPrivileges, 0_2_05170FC2
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05170F8B AdjustTokenPrivileges, 0_2_05170F8B
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_013FAF3E AdjustTokenPrivileges, 4_2_013FAF3E
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_013FAF07 AdjustTokenPrivileges, 4_2_013FAF07
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File created: C:\Users\user\AppData\Roaming\GNBVBDzQwHiY.exe Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Mutant created: \Sessions\1\BaseNamedObjects\pbnDaLYqXNxfqdRvBIIEjhXzsGp
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3880:120:WilError_01
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File created: C:\Users\user\AppData\Local\Temp\tmpA9B9.tmp Jump to behavior
Source: PURCHASE ORDER.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: PURCHASE ORDER.exe Virustotal: Detection: 21%
Source: PURCHASE ORDER.exe ReversingLabs: Detection: 27%
Source: PURCHASE ORDER.exe String found in binary or memory: ^(Male|Female)$-Add Student Details :-
Source: PURCHASE ORDER.exe String found in binary or memory: Teacher Name-Add Teacher Details :-
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File read: C:\Users\user\Desktop\PURCHASE ORDER.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe 'C:\Users\user\Desktop\PURCHASE ORDER.exe'
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GNBVBDzQwHiY' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9B9.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GNBVBDzQwHiY' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9B9.tmp' Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: PURCHASE ORDER.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: PURCHASE ORDER.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: PURCHASE ORDER.exe, 00000000.00000002.239873716.00000000053A0000.00000002.00000001.sdmp, PURCHASE ORDER.exe, 00000004.00000002.505195502.0000000005F10000.00000002.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01252B74 push cs; ret 0_2_01252BBA
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01252F56 push ss; ret 0_2_01252F6A
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01267D03 pushfd ; ret 0_2_012680D5
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01267C21 push ecx; iretd 0_2_01267C2E
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01267C43 push ebp; iretd 0_2_01267C56
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053201DB push ds; iretd 0_2_053201E2
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05320C6F push dword ptr [ebp+eax-18h]; ret 0_2_05320C73
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_053200F8 push ds; iretd 0_2_053200FA
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_05321BD8 push eax; iretd 0_2_05321BDA
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_013F2954 push cs; ret 4_2_013F298E
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_0300B4C2 push esp; retf 4_2_0300B5B1
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_064EA0C9 push es; ret 4_2_064EA180
Source: initial sample Static PE information: section name: .text entropy: 7.6332778418
Source: initial sample Static PE information: section name: .text entropy: 7.6332778418

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File created: C:\Users\user\AppData\Roaming\GNBVBDzQwHiY.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GNBVBDzQwHiY' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9B9.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5388, type: MEMORY
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,processSet,processSet,memAlloc,memAlloc
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Window / User API: threadDelayed 651 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 3220 Thread sleep time: -104638s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6112 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6428 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6428 Thread sleep count: 651 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6428 Thread sleep time: -19530000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6428 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 6428 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 104638 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 30000 Jump to behavior
Source: PURCHASE ORDER.exe, 00000004.00000002.504596475.0000000005800000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: vmware
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: PURCHASE ORDER.exe, 00000004.00000002.500468169.000000000160C000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW13F2-6063-4D7F-8700-992855A4
Source: PURCHASE ORDER.exe, 00000004.00000002.500513631.0000000001639000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PURCHASE ORDER.exe, 00000004.00000002.504596475.0000000005800000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PURCHASE ORDER.exe, 00000004.00000002.504596475.0000000005800000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: PURCHASE ORDER.exe, 00000000.00000002.238977520.000000000319B000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: PURCHASE ORDER.exe, 00000004.00000002.504596475.0000000005800000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 4_2_0300A7D0 LdrInitializeThunk, 4_2_0300A7D0
Enables debug privileges
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Users\user\Desktop\PURCHASE ORDER.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GNBVBDzQwHiY' /XML 'C:\Users\user\AppData\Local\Temp\tmpA9B9.tmp' Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe Jump to behavior
Source: PURCHASE ORDER.exe, 00000004.00000002.500645046.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: PURCHASE ORDER.exe, 00000004.00000002.500645046.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: PURCHASE ORDER.exe, 00000004.00000002.500645046.0000000001B90000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: PURCHASE ORDER.exe, 00000004.00000002.500645046.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: PURCHASE ORDER.exe, 00000004.00000002.500645046.0000000001B90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0125B0BE GetUserNameW, 0_2_0125B0BE
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.239232235.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.498714437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER.exe.428e9e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER.exe.428e9e8.2.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.503023451.0000000003541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239232235.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.498714437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6172, type: MEMORY
Source: Yara match File source: 4.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER.exe.428e9e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER.exe.428e9e8.2.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.503023451.0000000003541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6172, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.239232235.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.498714437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER.exe.428e9e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER.exe.428e9e8.2.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.503023451.0000000003541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.239232235.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.498714437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 6172, type: MEMORY
Source: Yara match File source: 4.2.PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER.exe.428e9e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PURCHASE ORDER.exe.428e9e8.2.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 412574 Sample: PURCHASE ORDER.exe Startdate: 12/05/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 11 other signatures 2->37 7 PURCHASE ORDER.exe 7 2->7         started        process3 file4 21 C:\Users\user\AppData\...behaviorgraphNBVBDzQwHiY.exe, PE32 7->21 dropped 23 C:\Users\...behaviorgraphNBVBDzQwHiY.exe:Zone.Identifier, ASCII 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpA9B9.tmp, XML 7->25 dropped 27 C:\Users\user\...\PURCHASE ORDER.exe.log, ASCII 7->27 dropped 39 Injects a PE file into a foreign processes 7->39 11 PURCHASE ORDER.exe 4 7->11         started        15 schtasks.exe 1 7->15         started        17 PURCHASE ORDER.exe 7->17         started        signatures5 process6 dnsIp7 29 mail.dadabhoy.edu.pk 72.18.132.146, 49724, 587 WEHOSTWEBSITES-COMUS United States 11->29 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->41 43 Tries to steal Mail credentials (via file access) 11->43 45 Tries to harvest and steal ftp login credentials 11->45 47 2 other signatures 11->47 19 conhost.exe 15->19         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
72.18.132.146
 mail.dadabhoy.edu.pk United States
30475 WEHOSTWEBSITES-COMUS true

Contacted Domains

Name IP Active
mail.dadabhoy.edu.pk 72.18.132.146 true