Analysis Report Purchase Order_12052021.exe

Overview

General Information

Sample Name: Purchase Order_12052021.exe
Analysis ID: 412749
MD5: b7394ccc239f48eb4a041f1c0fb92d92
SHA1: 020ae73c138a97eb413e2289822e8bacb7e15515
SHA256: 41b785e6bf871959db57c7f41ca190343a4e0fb48c0f945f776dda09c93bd8c2
Tags: exe, Matiex

Detection

AgentTesla Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Matiex Keylogger
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
May check the online IP address of the machine
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Purchase Order_12052021.exe ReversingLabs: Detection: 36%
Machine Learning detection for sample
Source: Purchase Order_12052021.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.Purchase Order_12052021.exe.400000.0.unpack Avira: Label: TR/Redcap.jajcu

Compliance:

Uses 32bit PE files
Source: Purchase Order_12052021.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.3:49729 version: TLS 1.0
Source: Purchase Order_12052021.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: Purchase Order_12052021.exe, 00000000.00000002.222285515.0000000003864000.00000004.00000001.sdmp, Purchase Order_12052021.exe, 00000003.00000002.467511051.0000000000402000.00000040.00000001.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: Purchase Order_12052021.exe, 00000000.00000002.222285515.0000000003864000.00000004.00000001.sdmp, Purchase Order_12052021.exe, 00000003.00000002.467511051.0000000000402000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_00B316D0
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_00B31655
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_04E97D7C

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe DNS query: name: checkip.dyndns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49733 -> 193.32.232.10:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.19.200
Source: Joe Sandbox View IP Address: 216.146.43.71
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49733 -> 193.32.232.10:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.3:49729 version: TLS 1.0
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: Purchase Order_12052021.exe, 00000003.00000002.470154647.00000000011D2000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: Purchase Order_12052021.exe, 00000003.00000002.475714622.0000000006840000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/RapidSSLTLSDVRSAMi
Source: Purchase Order_12052021.exe, 00000003.00000002.471482796.0000000002E9E000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crt0
Source: Purchase Order_12052021.exe, 00000003.00000002.470992091.0000000002DC1000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Purchase Order_12052021.exe, 00000000.00000003.213058949.0000000003115000.00000004.00000001.sdmp, Purchase Order_12052021.exe, 00000003.00000002.470992091.0000000002DC1000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order_12052021.exe, 00000003.00000002.470992091.0000000002DC1000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/HB
Source: Purchase Order_12052021.exe, 00000003.00000002.470154647.00000000011D2000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: Purchase Order_12052021.exe, 00000003.00000002.471885488.0000000002F03000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Purchase Order_12052021.exe, 00000003.00000002.475714622.0000000006840000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRo~II
Source: Purchase Order_12052021.exe, 00000003.00000002.470467044.0000000001267000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Purchase Order_12052021.exe, 00000003.00000002.471482796.0000000002E9E000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl0F
Source: Purchase Order_12052021.exe, 00000003.00000002.470154647.00000000011D2000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: Purchase Order_12052021.exe, 00000003.00000002.471885488.0000000002F03000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0
Source: Purchase Order_12052021.exe, 00000003.00000002.475689742.000000000681F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/RapidSSLTLSDVRSAMix
Source: Purchase Order_12052021.exe, 00000003.00000002.471482796.0000000002E9E000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl0
Source: Purchase Order_12052021.exe, 00000003.00000002.471885488.0000000002F03000.00000004.00000001.sdmp String found in binary or memory: http://kerekesfoto.com
Source: Purchase Order_12052021.exe, 00000003.00000002.471885488.0000000002F03000.00000004.00000001.sdmp, Purchase Order_12052021.exe, 00000003.00000002.470154647.00000000011D2000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Purchase Order_12052021.exe, 00000003.00000002.470467044.0000000001267000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: Purchase Order_12052021.exe, 00000003.00000002.471482796.0000000002E9E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: Purchase Order_12052021.exe, 00000000.00000002.219818488.0000000002811000.00000004.00000001.sdmp, Purchase Order_12052021.exe, 00000003.00000002.470992091.0000000002DC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order_12052021.exe, 00000000.00000003.213058949.0000000003115000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/1
Source: Purchase Order_12052021.exe, 00000000.00000003.213058949.0000000003115000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/downloads/
Source: Purchase Order_12052021.exe, 00000000.00000003.213058949.0000000003115000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: Purchase Order_12052021.exe, 00000000.00000003.213058949.0000000003115000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: Purchase Order_12052021.exe, 00000000.00000003.213058949.0000000003115000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlc
Source: Purchase Order_12052021.exe, 00000000.00000003.213058949.0000000003115000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: Purchase Order_12052021.exe, 00000003.00000002.471482796.0000000002E9E000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: Purchase Order_12052021.exe, 00000003.00000002.470992091.0000000002DC1000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Win32_ComputerSystemModelManufactu
Source: Purchase Order_12052021.exe, 00000003.00000002.471029009.0000000002DF4000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app
Source: Purchase Order_12052021.exe, 00000003.00000002.471029009.0000000002DF4000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/
Source: Purchase Order_12052021.exe, 00000003.00000002.471029009.0000000002DF4000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/84.17.52.78
Source: Purchase Order_12052021.exe, 00000003.00000002.470992091.0000000002DC1000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/LoadTimeZoneCountryNameCountryCodehttps://www.geodatatool.com/en/?ip=/
Source: Purchase Order_12052021.exe, 00000003.00000002.470992091.0000000002DC1000.00000004.00000001.sdmp String found in binary or memory: https://i.imgur.com/GJD7Q5y.png195.239.51.11795.26.248.2989.208.29.13389.187.165.4792.118.13.1895.26
Source: Purchase Order_12052021.exe, 00000003.00000002.471060800.0000000002E0B000.00000004.00000001.sdmp, Purchase Order_12052021.exe, 00000003.00000002.471072262.0000000002E0F000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Purchase Order_12052021.exe, 00000003.00000002.475714622.0000000006840000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.
Source: Purchase Order_12052021.exe, 00000003.00000002.475714622.0000000006840000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.coef
Source: Purchase Order_12052021.exe, 00000003.00000002.471885488.0000000002F03000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: Purchase Order_12052021.exe, 00000003.00000002.471885488.0000000002F03000.00000004.00000001.sdmp, Purchase Order_12052021.exe, 00000003.00000002.475714622.0000000006840000.00000004.00000001.sdmp, Purchase Order_12052021.exe, 00000003.00000002.475689742.000000000681F000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/rpa-ua0
Source: Purchase Order_12052021.exe, 00000003.00000002.471083879.0000000002E20000.00000004.00000001.sdmp String found in binary or memory: https://www.geodatatool.com/en/?ip=
Source: Purchase Order_12052021.exe, 00000003.00000002.473656695.0000000003132000.00000004.00000001.sdmp String found in binary or memory: https://www.geodatatool.com/en/?ip=3D84.17.52.78=0D=0A=0D=0ADat=
Source: Purchase Order_12052021.exe, 00000003.00000002.471482796.0000000002E9E000.00000004.00000001.sdmp String found in binary or memory: https://www.geodatatool.com/en/?ip=84.17.52.78
Source: Purchase Order_12052021.exe, 00000000.00000003.213058949.0000000003115000.00000004.00000001.sdmp String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC
Source: Purchase Order_12052021.exe, 00000000.00000003.213058949.0000000003115000.00000004.00000001.sdmp String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Purchase Order_12052021.exe, 00000000.00000002.219485544.0000000000B68000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Order_12052021.exe
PE file has nameless sections
Source: Purchase Order_12052021.exe Static PE information: section name:
Detected potential crypto function
PE file contains strange resources
Source: Purchase Order_12052021.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Purchase Order_12052021.exe Binary or memory string: OriginalFilename vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000000.00000002.219818488.0000000002811000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000000.00000002.219485544.0000000000B68000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000000.00000000.198987261.0000000000470000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameContextAttribute.exe" vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000000.00000002.221824311.0000000002D20000.00000004.00000001.sdmp Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000000.00000002.222285515.0000000003864000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000000.00000002.222285515.0000000003864000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameVNXT.exe* vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000000.00000002.222285515.0000000003864000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamee.exe4 vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000002.00000000.216649315.00000000003D0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameContextAttribute.exe" vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000003.00000002.475390162.00000000061E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000003.00000002.468681860.0000000000BE5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000003.00000002.467511051.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameVNXT.exe* vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000003.00000002.467511051.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamee.exe4 vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000003.00000002.468556035.0000000000A20000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameContextAttribute.exe" vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000003.00000002.469960044.00000000011AA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe Binary or memory string: OriginalFilenameContextAttribute.exe" vs Purchase Order_12052021.exe
Uses 32bit PE files
Source: Purchase Order_12052021.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order_12052021.exe Static PE information: Section: NLNe ZLIB complexity 1.00031777034
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/1@36/3
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order_12052021.exe.log
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe File read: C:\Users\user\Desktop\Purchase Order_12052021.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order_12052021.exe 'C:\Users\user\Desktop\Purchase Order_12052021.exe'
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Process created: C:\Users\user\Desktop\Purchase Order_12052021.exe C:\Users\user\Desktop\Purchase Order_12052021.exe
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Purchase Order_12052021.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Unpacked PE file: 0.2.Purchase Order_12052021.exe.3b0000.0.unpack NLNe:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Yara detected Beds Obfuscator
Source: Yara match File source: 00000003.00000002.467511051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.222285515.0000000003864000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order_12052021.exe PID: 3560, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order_12052021.exe PID: 2792, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order_12052021.exe.4224d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order_12052021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3ac79f0.2.raw.unpack, type: UNPACKEDPE
PE file contains sections with non-standard names
Source: Purchase Order_12052021.exe Static PE information: section name: NLNe
Source: Purchase Order_12052021.exe Static PE information: section name: <empty> (nameless section)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 0_2_0045FA71 push ss; retf 0_2_0045FA72
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 0_2_00B31453 pushfd ; retf 0_2_00B31454
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 0_2_00B31449 pushfd ; retf 0_2_00B3144A
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 0_2_04E9ACDC push 9C027EC3h; ret 0_2_04E9ACE1
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 0_2_054D831F push FFFFFFA2h; retf 0_2_054D8321
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 0_2_054D7E42 push ebx; iretd 0_2_054D7E50
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 2_2_003D3622 push cs; retf 2_2_003D3632
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 2_2_003D3670 push cs; retf 2_2_003D36A4
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 2_2_003D3658 push cs; retf 2_2_003D366E
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 2_2_003D3A5A push ss; retf 2_2_003D3A5E
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 2_2_003D3BB6 push ds; retf 2_2_003D3BBA
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 2_2_003D3BA4 push ds; retf 2_2_003D3BB4
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 2_2_003D36A6 push cs; retf 2_2_003D36B0
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 2_2_003D3B92 push ds; retf 2_2_003D3B96
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 2_2_003D338E push cs; retf 2_2_003D3632
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 2_2_003D338E push cs; retf 2_2_003D363E
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_00A236A6 push cs; retf 3_2_00A236B0
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_00A23BA4 push ds; retf 3_2_00A23BB4
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_00A23BB6 push ds; retf 3_2_00A23BBA
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_00A2338E push cs; retf 3_2_00A23632
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_00A2338E push cs; retf 3_2_00A2363E
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_00A23B92 push ds; retf 3_2_00A23B96
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_00A23622 push cs; retf 3_2_00A23632
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_00A23670 push cs; retf 3_2_00A236A4
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_00A23A5A push ss; retf 3_2_00A23A5E
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_00A23658 push cs; retf 3_2_00A2366E
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_0694F687 push es; iretd 3_2_0694F688
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_0694C7F0 pushad ; retf 3_2_0694C84D
Source: initial sample Static PE information: section name: NLNe entropy: 7.99974141279
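The three static findings above (a writable+executable section named NLNe, a nameless section, and a section entropy of 7.9997) are the usual fingerprint of a packed stub whose payload is unpacked in place. The following script is an added example, not code from the sandbox or from the sample: it walks a PE section table with nothing but struct, and flags each section by name, permissions and Shannon entropy the way these signatures do. The PE it analyses is constructed inside the script (a tiny .text, a uniform-byte NLNe section, a zero-filled nameless section); it is not the analysed Purchase Order_12052021.exe, and the STANDARD_NAMES list and the 7.2 entropy threshold are assumptions chosen for the example.

```python
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF specification)
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

# Names a linker normally emits; anything else, or an empty name, is worth a look.
# The list and the entropy threshold are assumptions for this example.
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".bss", ".tls", ".CRT"}
ENTROPY_PACKED = 7.2   # bits/byte; compressed or encrypted payloads sit close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk the section table and return one dict per IMAGE_SECTION_HEADER."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", pe, e_lfanew + 6)   # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)   # COFF SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                             # first section header
    sections = []
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)        # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "chars": chars,
                         "raw": pe[rawptr:rawptr + rawsize]})
        off += 40
    return sections


def triage(pe: bytes) -> list:
    """Return (name, entropy, flags) per section; the flags mirror the sandbox signatures."""
    report = []
    for s in parse_sections(pe):
        flags = []
        if s["name"] == "":
            flags.append("nameless")
        elif s["name"] not in STANDARD_NAMES:
            flags.append("non-standard name")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            flags.append("writable+executable")    # self-modifying stub or in-place unpack target
        ent = shannon_entropy(s["raw"])
        if ent > ENTROPY_PACKED:
            flags.append("high entropy")           # packed or encrypted payload
        report.append((s["name"], round(ent, 3), flags))
    return report


def build_sample_pe() -> bytes:
    """Constructed three-section PE32 image (headers plus raw section data; not loadable)."""
    e_lfanew, opt_size = 0x80, 0xE0                # PE32 optional header is 224 bytes
    sec_table = e_lfanew + 24 + opt_size
    sections = [
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
         b"\x55\x8b\xec\x33\xc0\x5d\xc3" + b"\xcc" * 0xFF9),   # tiny function, int3 padding
        (b"NLNe", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
         bytes(range(256)) * 16),                             # uniform bytes: entropy 8.0
        (b"", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ,
         b"\0" * 0x1000),                                     # nameless, zero-filled
    ]
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, e_lfanew + 4, 0x14C, len(sections))   # i386, NumberOfSections
    struct.pack_into("<H", img, e_lfanew + 20, opt_size)
    struct.pack_into("<H", img, e_lfanew + 24, 0x10B)                  # PE32 magic
    va, rawptr = 0x1000, len(img)
    for i, (name, chars, data) in enumerate(sections):
        hdr = sec_table + 40 * i
        struct.pack_into("<8sIIII", img, hdr, name, len(data), va, len(data), rawptr)
        struct.pack_into("<I", img, hdr + 36, chars)
        img += data
        va += 0x1000
        rawptr += len(data)
    return bytes(img)


if __name__ == "__main__":
    for name, ent, flags in triage(build_sample_pe()):
        print(f"{name or '<nameless>':10} entropy={ent:5.3f}  {', '.join(flags)}")
```

Run against a real file with triage(open(path, "rb").read()). A section that is both writable and executable and near 8.0 bits/byte is the one to dump after the process has run, since that is where the decrypted stage lands; on this sample that corresponds to the 0.2.*.unpack artefacts the Yara rules matched.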
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (85 identical events)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order_12052021.exe PID: 3560, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Yara detected Beds Obfuscator
Source: Yara match File source: 00000003.00000002.467511051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.222285515.0000000003864000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order_12052021.exe PID: 3560, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order_12052021.exe PID: 2792, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order_12052021.exe.4224d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order_12052021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3ac79f0.2.raw.unpack, type: UNPACKEDPE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Window / User API: threadDelayed 2287 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Window / User API: threadDelayed 7556 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2428 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 6128 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -15679732462653109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -200000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 6060 Thread sleep count: 2287 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 6060 Thread sleep count: 7556 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -97984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -195750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -97766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -97641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -97516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -97406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -97297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -97187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -97078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -96969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -96859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -98000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -97656s >= -30000s Jump to behavior
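The three sleep signatures above are driven by the same per-thread events: one thread (TID 6128) issues a single enormous delay, another (TID 6060) issues thousands of short ones, and TID 2440 issues a sequence of roughly 100-second sleeps that shrink by about 110 each time, which is what a stub polling a fixed deadline looks like. The script below is an added example, not part of the sandbox: it aggregates lines in this report's format per thread and labels each TID as long-sleep, sleep-loop or countdown. The embedded lines are copied from this section; the COUNTDOWN_RUN threshold is an assumption, and the values are treated as milliseconds (the report prints an "s" suffix, but the 30000 threshold and the ~100000 per-iteration values are consistent with milliseconds; that unit is an assumption here).

```python
import re
from collections import defaultdict

LONG_SLEEP_MS = 3 * 60 * 1000   # the report's "Contains long sleeps (>= 3 min)" threshold
LOOP_COUNT = 30                 # the report's "Thread sleep count: N > 30" threshold
COUNTDOWN_RUN = 5               # assumption: this many consecutive, slightly shrinking sleeps

SLEEP_RE = re.compile(r"TID:\s*(\d+)\s+Thread sleep time:\s*-(\d+)s")
COUNT_RE = re.compile(r"TID:\s*(\d+)\s+Thread sleep count:\s*(\d+)")

# A subset of the lines from this report's "May sleep (evasive loops)" signature.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2428 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 6128 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -15679732462653109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -200000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 6060 Thread sleep count: 2287 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -99406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 6060 Thread sleep count: 7556 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -195750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -97766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe TID: 2440 Thread sleep time: -97641s >= -30000s Jump to behavior
"""


def parse(lines):
    """Collect, per TID, the ordered sleep durations and the largest reported sleep count."""
    stats = defaultdict(lambda: {"sleeps": [], "count": 0})
    for line in lines:
        m = SLEEP_RE.search(line)
        if m:
            stats[int(m.group(1))]["sleeps"].append(int(m.group(2)))
            continue
        m = COUNT_RE.search(line)
        if m:
            tid, n = int(m.group(1)), int(m.group(2))
            stats[tid]["count"] = max(stats[tid]["count"], n)
    return dict(stats)


def longest_countdown_run(sleeps, max_step=1000):
    """Longest run of consecutive sleeps that each shrink by less than max_step ms."""
    best = run = 1 if sleeps else 0
    for prev, cur in zip(sleeps, sleeps[1:]):
        run = run + 1 if 0 < prev - cur < max_step else 1
        best = max(best, run)
    return best


def classify(stats):
    """Map each TID to the evasion labels its sleep pattern earns."""
    verdict = {}
    for tid, s in stats.items():
        tags = []
        if s["sleeps"] and max(s["sleeps"]) >= LONG_SLEEP_MS:
            tags.append("long-sleep")        # a single delay that outlasts the analysis window
        if s["count"] > LOOP_COUNT or len(s["sleeps"]) > LOOP_COUNT:
            tags.append("sleep-loop")        # many short sleeps, i.e. a polling loop
        if longest_countdown_run(s["sleeps"]) >= COUNTDOWN_RUN:
            tags.append("countdown")         # sleeps shrinking toward a fixed deadline
        verdict[tid] = tags
    return verdict


if __name__ == "__main__":
    for tid, tags in sorted(classify(parse(SAMPLE_LINES.splitlines())).items()):
        print(f"TID {tid}: {', '.join(tags) or 'no sleep-based evasion'}")
```

Feed the full signature block to parse() to see TID 2440 earn all three labels; a thread whose single sleep is far below the 3-minute mark (TID 2428 here) earns none, which is the point of looking at the per-thread sequence rather than at individual lines.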
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99844 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99734 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99625 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99515 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99406 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99297 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99187 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99078 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98969 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98859 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98750 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98640 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98531 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98422 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98312 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98203 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98094 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 97984 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 97875 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 97766 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 97641 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 97516 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 97406 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 97297 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 97187 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 97078 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 96969 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 96859 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99766 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99547 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99219 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 99094 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98984 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98875 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98766 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98656 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98547 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98437 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98328 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98219 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98109 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 98000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Thread delayed: delay time: 97656 Jump to behavior
Source: Purchase Order_12052021.exe, 00000003.00000002.475390162.00000000061E0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Purchase Order_12052021.exe, 00000003.00000002.475390162.00000000061E0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Purchase Order_12052021.exe, 00000003.00000002.475390162.00000000061E0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Purchase Order_12052021.exe, 00000000.00000002.219914273.0000000002864000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Purchase Order_12052021.exe, 00000003.00000002.470467044.0000000001267000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Purchase Order_12052021.exe, 00000003.00000002.475390162.00000000061E0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Process information queried: ProcessInformation
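The memory strings above are the VM fingerprints the sample carries: the VMware Tools registry key and install path, the SCSI device-map and disk enumeration keys where a hypervisor's disk names show up, the display-adapter class key under which "VMware SVGA II" appears, and Hyper-V message text. One string also runs straight into an Add-MpPreference -ExclusionPath fragment, the PowerShell command that adds a Windows Defender exclusion. The scanner below is an added example, not the report's or the sample's code: it looks for these artifacts in a memory dump in both ASCII and UTF-16LE, because this is a .NET sample (the GAC_MSIL assemblies it loads are listed further down) and .NET string literals sit in memory as UTF-16LE, so an ASCII-only grep misses most of them. The dump it scans is constructed inline, and the artifact labels are this example's own.

```python
from typing import Dict, List, Tuple

# Artifact strings taken from the report's memory-string list, keyed by what
# the check is inspecting. Key names are this example's own labels.
VM_ARTIFACTS: Dict[str, str] = {
    "registry:vmware-tools": r"SOFTWARE\VMware, Inc.\VMware Tools",
    "registry:scsi-port-1": r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
    "registry:scsi-port-2": r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
    "registry:disk-enum": r"SYSTEM\ControlSet001\Services\Disk\Enum",
    "registry:display-class": r"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000",
    "path:vmware-tools": "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
    "device:vmware-svga": "VMware SVGA II",
    "product:hyper-v": "Hyper-V",
}

ENCODINGS = ("ascii", "utf-16-le")


def scan_vm_artifacts(dump: bytes) -> List[Tuple[str, str, int]]:
    """Return (artifact, encoding, offset) for every occurrence of a known
    VM fingerprint in the dump, searching both byte forms. .NET string
    literals live in memory as UTF-16LE, so the second pass is the one that
    finds most of this sample's strings."""
    hits: List[Tuple[str, str, int]] = []
    for name, text in VM_ARTIFACTS.items():
        for enc in ENCODINGS:
            needle = text.encode(enc)
            off = dump.find(needle)
            while off != -1:
                hits.append((name, enc, off))
                off = dump.find(needle, off + 1)
    return sorted(hits, key=lambda h: h[2])


def ascii_only_scan(dump: bytes) -> List[str]:
    """The naive grep, kept for comparison: it sees only the ASCII copies."""
    return [name for name, text in VM_ARTIFACTS.items() if text.encode("ascii") in dump]


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process dump: three of the report's strings
    as UTF-16LE literals (how the .NET heap holds them), one ASCII copy, and
    zero filler between them."""
    return b"".join([
        b"\x00" * 64,
        VM_ARTIFACTS["registry:vmware-tools"].encode("utf-16-le"),
        b"\x00" * 16,
        VM_ARTIFACTS["device:vmware-svga"].encode("ascii"),
        b"\x00" * 16,
        VM_ARTIFACTS["registry:scsi-port-1"].encode("utf-16-le"),
        b"\x00" * 16,
        VM_ARTIFACTS["path:vmware-tools"].encode("utf-16-le"),
        b"\x00" * 64,
    ])


if __name__ == "__main__":
    dump = build_sample_dump()
    print("ascii-only:", ascii_only_scan(dump))
    for name, enc, off in scan_vm_artifacts(dump):
        print(f"{off:#08x} {enc:10} {name}")
```

Offsets are byte offsets into the dump. On the constructed dump the ASCII-only pass returns just the SVGA string while the two-encoding pass finds all four. Matching is exact-case; the report also shows an all-caps "VMWARE" variant, so a production scan would add a case-insensitive pass.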

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 0_2_00B316D0 CheckRemoteDebuggerPresent, 0_2_00B316D0
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Code function: 3_2_0694B780 LdrInitializeThunk, 3_2_0694B780
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Memory written: C:\Users\user\Desktop\Purchase Order_12052021.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Process created: C:\Users\user\Desktop\Purchase Order_12052021.exe C:\Users\user\Desktop\Purchase Order_12052021.exe
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Process created: C:\Users\user\Desktop\Purchase Order_12052021.exe C:\Users\user\Desktop\Purchase Order_12052021.exe
Source: Purchase Order_12052021.exe, 00000003.00000002.470746185.0000000001810000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Purchase Order_12052021.exe, 00000003.00000002.470746185.0000000001810000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Purchase Order_12052021.exe, 00000003.00000002.470746185.0000000001810000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Purchase Order_12052021.exe, 00000003.00000002.470746185.0000000001810000.00000002.00000001.sdmp Binary or memory string: Progmanlock
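The lines under "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" describe one pattern: the sample starts a second copy of its own image and then writes a buffer beginning with 4D5A (the MZ header) at base 400000, the usual image base of a 32-bit executable, into that child. The detection logic below is an added example, not from the report or the sample: it correlates a suspended process creation with a later MZ-prefixed write from the creator into that child and distinguishes self-injection (same image) from hollowing of a foreign image. The event stream is constructed to mirror the report's lines; the PIDs, the suspended flag and the explorer/notepad control events are assumptions, since the report prints neither the CreateProcess flags nor which PID received the write.

```python
from dataclasses import dataclass
from typing import Dict, List

SAMPLE = r"C:\Users\user\Desktop\Purchase Order_12052021.exe"

# Constructed event stream modelled on the report's 'Process created' and
# 'Memory written' lines. PIDs, the suspended flag and the explorer/notepad
# control events are assumptions.
EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 1000, "child_pid": 1001,
     "image": SAMPLE, "child_image": SAMPLE, "suspended": True},
    {"type": "memory_write", "pid": 1000, "target_pid": 1001,
     "base": 0x400000, "first_bytes": "4D5A"},
    {"type": "process_create", "pid": 1000, "child_pid": 1002,
     "image": SAMPLE, "child_image": SAMPLE, "suspended": True},
    # Control: a normal (non-suspended) child and a non-PE write into it.
    {"type": "process_create", "pid": 2000, "child_pid": 2001,
     "image": r"C:\Windows\explorer.exe",
     "child_image": r"C:\Windows\System32\notepad.exe", "suspended": False},
    {"type": "memory_write", "pid": 2000, "target_pid": 2001,
     "base": 0x1A0000, "first_bytes": "0000"},
]


@dataclass
class Finding:
    technique: str
    writer_pid: int
    target_pid: int
    target_image: str
    base: int


def detect_hollowing(events: List[Dict]) -> List[Finding]:
    """Flag a PE image written into a child the same process created suspended.
    The MZ prefix (4D 5A) at the child's image base is the tell: a fresh
    executable is being mapped over the one the loader placed there."""
    suspended: Dict[int, Dict] = {}
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "process_create" and ev.get("suspended"):
            suspended[ev["child_pid"]] = ev
        elif ev["type"] == "memory_write":
            created = suspended.get(ev["target_pid"])
            if created is None or created["pid"] != ev["pid"]:
                continue  # not a suspended child of the writer
            if ev["first_bytes"].upper() != "4D5A":
                continue  # not a PE header
            same_image = created["child_image"].lower() == created["image"].lower()
            technique = ("self-injection: own image relaunched suspended, new PE written over it"
                         if same_image else "process hollowing into a foreign image")
            findings.append(Finding(technique, ev["pid"], ev["target_pid"],
                                    created["child_image"], ev["base"]))
    return findings


def suspended_without_write(events: List[Dict]) -> List[int]:
    """Suspended children that never received a PE write; worth a second look
    on their own, since a suspended start has few legitimate uses."""
    written = {f.target_pid for f in detect_hollowing(events)}
    return [ev["child_pid"] for ev in events
            if ev["type"] == "process_create" and ev.get("suspended")
            and ev["child_pid"] not in written]


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print(f"{f.technique}: pid {f.writer_pid} -> pid {f.target_pid} "
              f"({f.target_image}) at {f.base:#x}")
    print("suspended, no PE written:", suspended_without_write(EVENTS))
```

The correlation key is deliberately the writer's PID plus the target's suspended-creation record rather than the image path alone: the report's two "Process created" lines have identical paths, so only the PID pairing tells the injected child apart from the second one.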

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Users\user\Desktop\Purchase Order_12052021.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Users\user\Desktop\Purchase Order_12052021.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000003.00000002.467511051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.222285515.0000000003864000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order_12052021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3ac79f0.2.raw.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match File source: 00000003.00000002.467511051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.222285515.0000000003864000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order_12052021.exe PID: 3560, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order_12052021.exe PID: 2792, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order_12052021.exe.4224d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order_12052021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3ac79f0.2.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Purchase Order_12052021.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000003.00000002.470992091.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order_12052021.exe PID: 2792, type: MEMORY
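The credential-theft evidence in this section is two Chrome file opens (Login Data holds saved passwords, Cookies holds session cookies), one open of the Outlook profile subkey where account settings are stored, and, from the network section, lookups of checkip.dyndns.org and freegeoip.app, which the report flags under "May check the online IP address of the machine". The Python below is an added example, not the report's or the sample's code: it classifies such events against a small rule table and derives a stealer profile. The event list is constructed to mirror the report's entries, with one benign GAC DLL open and the kerekesfoto.com lookup included so the unmatched path is exercised; the category names and the verdict wording are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed events modelled on the report's 'File opened', 'Key opened' and
# contacted-domain entries. The GAC DLL open is a benign control taken from the
# report's volume-information queries.
EVENTS: List[Tuple[str, str]] = [
    ("file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    ("file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("key_open", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                 r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ("dns", "checkip.dyndns.org"),
    ("dns", "freegeoip.app"),
    ("dns", "kerekesfoto.com"),
    ("file_open", r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing"
                  r"\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll"),
]

# (category, event type, pattern). Category names are this example's own.
RULES = [
    ("browser:chrome-passwords", "file_open",
     re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("browser:chrome-cookies", "file_open",
     re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Cookies$", re.I)),
    ("mail:outlook-profile", "key_open",
     re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I)),
    ("recon:public-ip-lookup", "dns",
     re.compile(r"^(checkip\.dyndns\.(org|com)|freegeoip\.app)$", re.I)),
]


def classify(events: List[Tuple[str, str]]):
    """Map each event to the categories it matches.
    Returns (matches, unmatched); matches is category -> list of artifacts."""
    matches: Dict[str, List[str]] = {}
    unmatched: List[Tuple[str, str]] = []
    for kind, value in events:
        hit = False
        for category, rule_kind, pattern in RULES:
            if kind == rule_kind and pattern.search(value):
                matches.setdefault(category, []).append(value)
                hit = True
        if not hit:
            unmatched.append((kind, value))
    return matches, unmatched


def stealer_profile(events: List[Tuple[str, str]]) -> Dict[str, object]:
    """Roll the matched categories up into one verdict. Browser plus mail
    targeting together with an external IP lookup is the combination that,
    in this report, sits beside the AgentTesla and Matiex YARA hits."""
    matches, unmatched = classify(events)
    families = {c.split(":")[0] for c in matches}
    if {"browser", "mail"} <= families and "recon" in families:
        verdict = "infostealer: browser + mail credentials, tags victim by public IP"
    elif families & {"browser", "mail"}:
        verdict = "credential access"
    else:
        verdict = "no credential-theft indicators"
    return {
        "verdict": verdict,
        "categories": sorted(matches),
        "other_hosts": sorted(v for k, v in unmatched if k == "dns"),
        "unmatched_count": len(unmatched),
    }


if __name__ == "__main__":
    for key, value in stealer_profile(EVENTS).items():
        print(f"{key:16} {value}")
```

The DNS rule is intentionally narrow: an external-IP lookup on its own is common in legitimate software, so it only raises the verdict when browser and mail artifacts are touched in the same trace. Hosts that match no rule (here kerekesfoto.com) are returned separately so the analyst can treat them as candidate exfiltration endpoints rather than silently dropping them.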

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000003.00000002.467511051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.222285515.0000000003864000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order_12052021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3ac79f0.2.raw.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match File source: 00000003.00000002.467511051.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.222285515.0000000003864000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order_12052021.exe PID: 3560, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order_12052021.exe PID: 2792, type: MEMORY
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order_12052021.exe.4224d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3b46210.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order_12052021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order_12052021.exe.3ac79f0.2.raw.unpack, type: UNPACKEDPE
Behavior Graph
ID: 412749  Sample: Purchase Order_12052021.exe  Startdate: 12/05/2021  Architecture: WINDOWS  Score: 100

Sample-level signatures: Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); Yara detected AgentTesla; 9 other signatures

Process tree (recovered from the graph):
  Purchase Order_12052021.exe (started)
    dropped: C:\Users\...\Purchase Order_12052021.exe.log, ASCII
    signature: Injects a PE file into a foreign processes
    +- Purchase Order_12052021.exe (started)
         contacts: checkip.dyndns.org; kerekesfoto.com 193.32.232.10, 49733, 49734, 49738 EZIT-ASHU Hungary; 2 other IPs or domains
         signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)
    +- Purchase Order_12052021.exe (started)

Contacted Public IPs

IP              Domain               Country         ASN    ASN Name         Malicious
104.21.19.200   freegeoip.app        United States   13335  CLOUDFLARENETUS  false
216.146.43.71   checkip.dyndns.com   United States   33517  DYNDNSUS         false
193.32.232.10   kerekesfoto.com      Hungary         62292  EZIT-ASHU        false

Contacted Domains

Name IP Active
kerekesfoto.com 193.32.232.10 true
freegeoip.app 104.21.19.200 true
checkip.dyndns.com 216.146.43.71 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name                        Malicious  Antivirus Detection    Reputation
http://checkip.dyndns.org/  false      Avira URL Cloud: safe  unknown