Windows Analysis Report: Purchase Order PO5351.exe

Overview

General Information

Sample Name: Purchase Order PO5351.exe
Analysis ID: 502625
MD5: 583ae888adbd5a79d055fbd414cc403b
SHA1: 02fe0acb2796c2be544cee6cde690071e3cbfced
SHA256: e2ef34d6833b50a6bb0c28e94c5f1f0c7454d13b41c14b5b5a8de2a84f8a8771
Tags: exe

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Detected potential unwanted application
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • Purchase Order PO5351.exe (PID: 492 cmdline: 'C:\Users\user\Desktop\Purchase Order PO5351.exe' MD5: 583AE888ADBD5A79D055FBD414CC403B)
    • Purchase Order PO5351.exe (PID: 5504 cmdline: 'C:\Users\user\Desktop\Purchase Order PO5351.exe' MD5: 583AE888ADBD5A79D055FBD414CC403B)
  • cleanup
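The process tree shows the NSIS dropper (PID 492) starting a second copy of itself with the identical command line (PID 5504). Together with the signatures "Creates a process in suspended mode (likely to inject code)" and "Detected unpacking (overwrites its own PE header)", that is the usual shape of process hollowing: the child is started suspended and its image is replaced by the unpacked .NET AgentTesla payload. The check below is added here as an example and is not part of the Joe Sandbox report; it flags that shape in process-creation telemetry. The event records, the parent PIDs, the benign control events and the allow-list of multi-process applications are constructed for the example (Sysmon Event ID 1 carries the equivalent fields).

```python
"""
Added example (not sandbox output): flag a process that spawns an identical
copy of itself with the same command line, the pattern seen in the report's
process tree (PID 492 -> PID 5504).
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of the fields a Sysmon Event ID 1 record carries."""
    pid: int
    ppid: int
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


# Applications that legitimately spawn copies of themselves (constructed
# allow-list for the example; a production list is site-specific).
SELF_SPAWN_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}


def normalize_cmdline(cmd: str) -> str:
    """Collapse quoting style and whitespace so 'x' and "x" compare equal."""
    return " ".join(cmd.replace("'", '"').split()).lower()


def is_self_spawn(ev: ProcessCreate) -> bool:
    """True when the child runs the parent's own image with an identical
    command line and the image is not a known multi-process application."""
    if ev.image.lower() != ev.parent_image.lower():
        return False
    if ntpath.basename(ev.image).lower() in SELF_SPAWN_ALLOWLIST:
        return False
    return normalize_cmdline(ev.command_line) == normalize_cmdline(ev.parent_command_line)


def find_hollowing_candidates(events):
    """Return the events that match the self-spawn pattern."""
    return [ev for ev in events if is_self_spawn(ev)]


# Constructed records: the two processes from the report's process tree
# (parent PID of 492 and the other PIDs are made up) plus two benign controls.
SAMPLE = r"C:\Users\user\Desktop\Purchase Order PO5351.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    ProcessCreate(492, 4000, SAMPLE, f"'{SAMPLE}'", EXPLORER, "explorer.exe"),
    ProcessCreate(5504, 492, SAMPLE, f"'{SAMPLE}'", SAMPLE, f"'{SAMPLE}'"),
    ProcessCreate(6100, 4000, r"C:\Windows\notepad.exe", "notepad.exe", EXPLORER, "explorer.exe"),
    ProcessCreate(7100, 7000, CHROME, '"chrome.exe" --type=renderer', CHROME, '"chrome.exe"'),
]

if __name__ == "__main__":
    for ev in find_hollowing_candidates(EVENTS):
        print(f"self-spawn candidate: pid={ev.pid} ppid={ev.ppid} image={ev.image}")
```

Exact command-line equality is the discriminator: browsers and service hosts also start copies of themselves, but they pass distinct arguments to each child. Treat a hit as a lead to be confirmed against the other evidence in this report (suspended creation, PE header overwrite in the child) rather than as a verdict on its own.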

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "newwork1@appalliser.com", "Password": "!%RvA^hkLSn&", "Host": "mail.appalliser.com"}
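The extracted configuration says the stealer exfiltrates by SMTP through mail.appalliser.com, and the traffic section of this report shows the matching DNS query and a TCP connection from the sandbox client to 185.237.206.6:587. Port 587 is the standard SMTP submission port, so the useful discriminators are the destination host and the authenticating account, not the port. The script below is added here as an example and is not part of the Joe Sandbox report: it turns the configuration into indicators and applies them to DNS, connection and SMTP-client records. Every log line, the log formats, the second (control) host and the epoch timestamps are constructed for the example; only the host, the account, the destination address and the port come from the report, and the SMTP password is deliberately not used.

```python
"""
Added example (not sandbox output): derive indicators from the extracted
AgentTesla SMTP configuration and match them against constructed DNS,
connection and SMTP-client records.
"""
import base64

# From the report's "Malware Configuration" (password omitted on purpose)
# and its traffic section.
CONFIG = {"Exfil Mode": "SMTP", "Username": "newwork1@appalliser.com",
          "Host": "mail.appalliser.com"}
C2_IP, C2_PORT = "185.237.206.6", 587


def indicators(cfg):
    """Host, parent domain and account to look for."""
    host = cfg["Host"].lower()
    return {"host": host, "domain": host.split(".", 1)[1],
            "account": cfg["Username"].lower()}


def dns_hits(lines, ind):
    """Constructed DNS log format: '<epoch> <client-ip> query <qname>'.
    Matches the exfil host or any name under the same domain."""
    hits = []
    for line in lines:
        _ts, client, _kw, qname = line.split()
        q = qname.rstrip(".").lower()
        if q == ind["host"] or q.endswith("." + ind["domain"]):
            hits.append((client, q))
    return hits


def conn_hits(lines):
    """Constructed connection log format:
    '<epoch> <src-ip>:<sport> -> <dst-ip>:<dport>'."""
    hits = []
    for line in lines:
        _ts, src, _arrow, dst = line.split()
        dip, dport = dst.rsplit(":", 1)
        if dip == C2_IP and int(dport) == C2_PORT:
            hits.append(src.rsplit(":", 1)[0])
    return hits


def smtp_auth_accounts(client_lines):
    """Account names from AUTH LOGIN / AUTH PLAIN in the client side of an
    SMTP session.  AUTH LOGIN sends base64 username and password on separate
    lines (the username may also ride on the AUTH line as an initial
    response); AUTH PLAIN sends one base64 blob: authzid \\0 authcid \\0 pw."""
    accounts = []
    it = iter(client_lines)
    for line in it:
        parts = line.strip().split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        if mech == "LOGIN":
            user_b64 = parts[2] if len(parts) > 2 else next(it, "").strip()
            next(it, None)  # password line, discarded
            accounts.append(base64.b64decode(user_b64).decode())
        elif mech == "PLAIN" and len(parts) > 2:
            blob = base64.b64decode(parts[2])
            accounts.append(blob.split(b"\0")[1].decode())
    return accounts


def exfil_evidence(ind, dns, conn, smtp):
    """One verdict per evidence type."""
    used = [a.lower() for a in smtp_auth_accounts(smtp)]
    return {"dns": dns_hits(dns, ind),
            "conn": conn_hits(conn),
            "smtp_account_used": ind["account"] in used}


# Constructed records: the sandbox client 192.168.2.3 and one unrelated
# host (192.168.2.9, talking to a TEST-NET address) as a control.
DNS_LOG = [
    "1633000000 192.168.2.3 query mail.appalliser.com.",
    "1633000001 192.168.2.9 query ctldl.windowsupdate.com.",
]
CONN_LOG = [
    "1633000002 192.168.2.3:49827 -> 185.237.206.6:587",
    "1633000003 192.168.2.9:50000 -> 203.0.113.10:443",
]
SMTP_CLIENT = [  # client lines only; line 3 is base64 of the account name
    "EHLO user-PC",
    "AUTH LOGIN",
    "bmV3d29yazFAYXBwYWxsaXNlci5jb20=",
    "<base64 password line, not reproduced>",
    "MAIL FROM:<newwork1@appalliser.com>",
    "RCPT TO:<newwork1@appalliser.com>",
]

if __name__ == "__main__":
    print(exfil_evidence(indicators(CONFIG), DNS_LOG, CONN_LOG, SMTP_CLIENT))
```

The SMTP check only works on a cleartext session. If the client negotiates STARTTLS on 587 (the report does not say whether it did), the AUTH exchange is encrypted and only the DNS and connection indicators remain visible on the wire.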

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000002.00000001.291805615.0000000000414000.00000040.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000001.291805615.0000000000414000.00000040.00020000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000002.00000002.550696214.0000000003341000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(first 5 of 14 entries shown)

            Unpacked PEs

Source | Rule | Description | Author
2.2.Purchase Order PO5351.exe.415058.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.Purchase Order PO5351.exe.415058.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
2.2.Purchase Order PO5351.exe.3345530.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.Purchase Order PO5351.exe.3345530.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
2.2.Purchase Order PO5351.exe.3345530.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(first 5 of 31 entries shown)

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      AV Detection:

Found malware configuration
Source: 2.2.Purchase Order PO5351.exe.47c0000.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "newwork1@appalliser.com", "Password": "!%RvA^hkLSn&", "Host": "mail.appalliser.com"}
Multi AV Scanner detection for submitted file
Source: Purchase Order PO5351.exe | ReversingLabs: Detection: 26%
Machine Learning detection for sample
Source: Purchase Order PO5351.exe | Joe Sandbox ML: detected
Source: 2.1.Purchase Order PO5351.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.2.Purchase Order PO5351.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.2.Purchase Order PO5351.exe.4810000.5.unpack | Avira: Label: TR/Spy.Gen8

                      Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Unpacked PE file: 2.2.Purchase Order PO5351.exe.400000.0.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Unpacked PE file: 2.2.Purchase Order PO5351.exe.4810000.5.unpack
Source: Purchase Order PO5351.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00402671 FindFirstFileA
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00404A29 FindFirstFileExW
Source: Joe Sandbox View | ASN Name: ITLDC-NLUA ITLDC-NLUA
Source: global traffic | TCP traffic: 192.168.2.3:49827 -> 185.237.206.6:587 (listed twice in the report)
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | String found in binary or memory: http://JydZpq.com
Source: Purchase Order PO5351.exe, 00000002.00000002.550446128.0000000002694000.00000004.00000001.sdmp | String found in binary or memory: http://appalliser.com
Source: Purchase Order PO5351.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://crl.veris
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Purchase Order PO5351.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: Purchase Order PO5351.exe, 00000002.00000002.553525383.00000000059A6000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.2.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1fdd1722a2534
Source: Purchase Order PO5351.exe, 00000002.00000002.550446128.0000000002694000.00000004.00000001.sdmp | String found in binary or memory: http://mail.appalliser.com
Source: Purchase Order PO5351.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Purchase Order PO5351.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Purchase Order PO5351.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: Purchase Order PO5351.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: Purchase Order PO5351.exe | String found in binary or memory: http://ocsp.digicert.com0L
Source: Purchase Order PO5351.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: Purchase Order PO5351.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: Purchase Order PO5351.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.2.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Purchase Order PO5351.exe, 00000002.00000003.508552580.00000000059BA000.00000004.00000001.sdmp | String found in binary or memory: https://dii.lencr.org/
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp, Purchase Order PO5351.exe, 00000002.00000003.491025576.0000000000644000.00000004.00000001.sdmp | String found in binary or memory: https://m5KdogWJECP9WFOWfNf.org
Source: Purchase Order PO5351.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: Purchase Order PO5351.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.appalliser.com
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

                      System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase Order PO5351.exe
Detected potential unwanted application
Source: Purchase Order PO5351.exe | PE Signature Subject Chain: CN=Tencent Technology(Shenzhen) Company Limited, O=Tencent Technology(Shenzhen) Company Limited, L=Shenzhen, S=Guangdong, C=CN (the report also flags this signature as invalid under "PE / OLE file has an invalid certificate", so the subject name does not establish who built the file)
.NET source code contains very large array initializations
Source: 2.2.Purchase Order PO5351.exe.4810000.5.unpack, <PrivateImplementationDetails>{D4B941FA-2DBA-4076-BF2B-68A2FCF4E49B}/BDC4F16A-1B55-4A62-9374-3C2BBA0A451E.cs | Large array initialization: .cctor: array initializer size 11961
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order PO5351.exe | Static file information: Suspicious name
Source: Purchase Order PO5351.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_004047D3
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_004061D4
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_72F369FA
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_72F36A09
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0040A2A5
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0075EC80
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00756180
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0075E288
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0075D8A0
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008B2D30
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008B4A4C
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008B7E70
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008B0040
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008BD780
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008CC960
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_008C7250
Source: Purchase Order PO5351.exe, 00000000.00000003.283553488.000000000F21F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe, 00000000.00000002.293225806.00000000023A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekLkdFlZsZNmHamqDFHmrAA.exe4 vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe | Binary or memory string: OriginalFilename vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe, 00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamekLkdFlZsZNmHamqDFHmrAA.exe4 vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe, 00000002.00000002.548280613.0000000000199000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe | Static PE information: invalid certificate
Source: Purchase Order PO5351.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File read: C:\Users\user\Desktop\Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order PO5351.exe 'C:\Users\user\Desktop\Purchase Order PO5351.exe'
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Process created: C:\Users\user\Desktop\Purchase Order PO5351.exe 'C:\Users\user\Desktop\Purchase Order PO5351.exe'
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File created: C:\Users\user\AppData\Local\Temp\nsk73A8.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/5@3/1
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess
Source: 2.2.Purchase Order PO5351.exe.4810000.5.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (listed twice in the report)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries in the report)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Binary string: wntdll.pdbUGP source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp

                      Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Unpacked PE file: 2.2.Purchase Order PO5351.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Unpacked PE file: 2.2.Purchase Order PO5351.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Unpacked PE file: 2.2.Purchase Order PO5351.exe.4810000.5.unpack
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 0_2_72F31080 push eax; ret 0_2_72F310AE
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_00401F16 push ecx; ret 2_2_00401F29
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Code function: 2_2_0075B59F push edi; retn 0000h 2_2_0075B5A1
Source: Purchase Order PO5351.exe | Static PE information: real checksum: 0x0 should be: 0x64210
Source: gqdtoh.dll.0.dr | Static PE information: real checksum: 0xe45e should be: 0x1158f
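The two checksum lines say that the dropper's OptionalHeader.CheckSum field is 0 while its contents sum to 0x64210, and that the dropped gqdtoh.dll carries 0xe45e against a computed 0x1158f. The field is the sum defined by imagehlp's CheckSumMappedFile. The user-mode loader does not verify it, so a mismatch is weak evidence on its own; here it sits beside the unpacking and section-rights signatures above. The script below is added as an example and is not taken from the report or from Joe Sandbox: it recomputes the value with that algorithm (summing 32-bit words with end-around carry folds to the same 16-bit result as the 16-bit sum) and can be pointed at a file on disk. The 160-byte MZ/PE stub it falls back to when no file is given is constructed for the example and is not a loadable image.

```python
"""
Added example (not sandbox output): recompute the PE OptionalHeader.CheckSum
so a "real checksum: X should be: Y" finding can be reproduced on disk.
"""
import struct


def checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum:
    e_lfanew + 4 (PE signature) + 20 (file header) + 64 (into optional header).
    The 64 holds for both PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """CheckSumMappedFile-style sum: walk the file as little-endian 32-bit
    words (a trailing partial word is zero-padded), skip the word holding the
    CheckSum field, fold carries into 16 bits, then add the file length."""
    skip_word = checksum_offset(data) & ~3
    total = 0
    for off in range(0, len(data), 4):
        if off == skip_word:
            continue
        total += struct.unpack("<I", data[off:off + 4].ljust(4, b"\0"))[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def check_file(data: bytes):
    """(stored, computed, matches) for one image."""
    s, c = stored_checksum(data), pe_checksum(data)
    return s, c, s == c


def with_checksum(data: bytes) -> bytes:
    """Copy of the image with a correct CheckSum written in."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_offset(data), pe_checksum(data))
    return bytes(buf)


def minimal_image() -> bytes:
    """Constructed 160-byte MZ/PE stub: zeroed headers, e_lfanew = 0x40, so the
    CheckSum field lands at 0x98.  Enough for the checksum walk, not loadable."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else minimal_image()
    s, c, ok = check_file(data)
    print(f"stored: {s:#x}  computed: {c:#x}  {'OK' if ok else 'MISMATCH'}")
```

Run it against the dropper to reproduce 0x64210 and against the dropped DLL for 0x1158f. Because the CheckSum word is excluded from the sum, writing the computed value back (with_checksum) does not change the result, which is how a packer can leave the field stale without affecting anything else in the header.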
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | File created: C:\Users\user\AppData\Local\Temp\nsk73A9.tmp\gqdtoh.dll
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe TID: 5296 Thread sleep time: -22136092888451448s >= -30000s
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe TID: 1716 Thread sleep count: 1209 > 30
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe TID: 1716 Thread sleep count: 8626 > 30
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Window / User API: threadDelayed 1209
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Window / User API: threadDelayed 8626
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00404A29 FindFirstFileExW, 2_2_00404A29
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Thread delayed: delay time: 922337203685477
                      Source: Purchase Order PO5351.exe, 00000002.00000003.511012133.00000000059BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040446F
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_004067FE GetProcessHeap, 2_2_004067FE
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F36402 mov eax, dword ptr fs:[00000030h] 0_2_72F36402
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F366C7 mov eax, dword ptr fs:[00000030h] 0_2_72F366C7
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F36744 mov eax, dword ptr fs:[00000030h] 0_2_72F36744
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F36616 mov eax, dword ptr fs:[00000030h] 0_2_72F36616
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F36706 mov eax, dword ptr fs:[00000030h] 0_2_72F36706
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h] 2_2_004035F1
                      Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00750A66 KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk,
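                      The three WMI classes the sample enumerates above (Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration) are what it reads to decide whether it is running inside a virtual machine. The PowerShell below is an added example, not code from this report or from the sample: it issues the same queries through Get-CimInstance on the analysis VM and flags the properties that typically give a hypervisor away, which tells you what the sample's checks would see. The vendor marker strings and MAC OUIs are well-known hypervisor defaults assumed here, not values recovered from the sample, and the single-core heuristic is a common sandbox check, not one the report attributes to this binary.

```powershell
# Added example: replay the sample's VM-detection WMI queries and report
# values that commonly identify a hypervisor. Run on the analysis guest.

# Assumed vendor markers (well-known defaults, not taken from the sample).
$vmMarkers = 'VMware', 'VirtualBox', 'VBox', 'innotek', 'QEMU', 'Xen', 'KVM',
             'Parallels', 'Hyper-V', 'Virtual Machine'

# Assumed MAC OUIs commonly assigned to hypervisor-backed adapters.
$vmOuis = @{
    '00:0C:29' = 'VMware';     '00:50:56' = 'VMware';   '00:05:69' = 'VMware'
    '08:00:27' = 'VirtualBox'; '00:15:5D' = 'Hyper-V';  '52:54:00' = 'QEMU/KVM'
}

function Test-VmMarker {
    # Return the first marker found in $Value, or $null if none matches.
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $null }
    foreach ($m in $vmMarkers) {
        if ($Value -match [regex]::Escape($m)) { return $m }
    }
    return $null
}

function New-Finding {
    param([string]$Class, [string]$Property, $Value, [string]$Marker)
    [pscustomobject]@{ Class = $Class; Property = $Property; Value = $Value; Marker = $Marker }
}

$findings = @()

# Win32_BaseBoard (report: CreateInstanceEnum root\cimv2 : Win32_BaseBoard).
$board = Get-CimInstance -ClassName Win32_BaseBoard
foreach ($p in 'Manufacturer', 'Product', 'SerialNumber') {
    $hit = Test-VmMarker $board.$p
    if ($hit) { $findings += New-Finding 'Win32_BaseBoard' $p $board.$p $hit }
}

# Win32_Processor (report: SELECT * FROM Win32_Processor). Name and
# Manufacturer carry vendor strings; a single core is a common sandbox tell.
foreach ($cpu in Get-CimInstance -ClassName Win32_Processor) {
    foreach ($p in 'Name', 'Manufacturer') {
        $hit = Test-VmMarker $cpu.$p
        if ($hit) { $findings += New-Finding 'Win32_Processor' $p $cpu.$p $hit }
    }
    if ($cpu.NumberOfCores -le 1) {
        $findings += New-Finding 'Win32_Processor' 'NumberOfCores' $cpu.NumberOfCores 'single core'
    }
}

# Win32_NetworkAdapterConfiguration (report: CreateInstanceEnum on this class).
# Description exposes the virtual NIC driver; the MAC OUI exposes the vendor.
foreach ($nic in Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $hit = Test-VmMarker $nic.Description
    if ($hit) { $findings += New-Finding 'Win32_NetworkAdapterConfiguration' 'Description' $nic.Description $hit }
    if ($nic.MACAddress -and $nic.MACAddress.Length -ge 8) {
        $oui = $nic.MACAddress.Substring(0, 8).ToUpper()
        if ($vmOuis.ContainsKey($oui)) {
            $findings += New-Finding 'Win32_NetworkAdapterConfiguration' 'MACAddress' $nic.MACAddress $vmOuis[$oui]
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No obvious hypervisor markers in the WMI classes the sample queries.'
}
```

                      Anything this script prints is visible to the sample through the same IWbemServices calls, so clearing it is a hypervisor-side job (SMBIOS strings, board serial, NIC vendor and MAC prefix), not something an in-guest tweak can hide. The "Hyper-V RAW" memory string noted in the report is the kind of residue these queries return on a Hyper-V guest.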