Windows Analysis Report
PURCHASE ORDER.exe

Overview

General Information

Sample Name:	PURCHASE ORDER.exe
Analysis ID:	755961
MD5:	a55b4bb09398659d69f1b8b37541e621
SHA1:	975f7c38780d00ae497fcb6addf31f5ad8cdb090
SHA256:	ea45a2032eebe69d32b15d3ea505330eb00b5026107e8e123fb9fb9e2bf87496
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: PURCHASE ORDER.exe	ReversingLabs: Detection: 60%
Source: PURCHASE ORDER.exe	Virustotal: Detection: 47%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe

ReversingLabs: Detection: 60%

Machine Learning detection for sample

Source: PURCHASE ORDER.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 3.0.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}

Uses 32bit PE files

Source: PURCHASE ORDER.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: PURCHASE ORDER.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr
Source:	Binary string: RegSvcs.pdb source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49695 -> 119.148.27.3:587

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.4:49695 -> 119.148.27.3:587

Source: RegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://JXqRNJ.com
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000003.00000002.423143006.0000000005DBC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.orogenicgroup-bd.com
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: PURCHASE ORDER.exe, 00000000.00000002.341153865.0000000003251000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574175039.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574144305.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://0boQaB1sN6dM.org
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.orogenicgroup-bd.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PURCHASE ORDER.exe

.NET source code contains very large array initializations

Source: 3.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1A51FE34u002d102Bu002d4B81u002dB647u002d9B5BFE7FC3FBu007d/u00339A8F051u002d32C9u002d4CC9u002dBC08u002dBE27BEFD88F4.cs

Large array initialization: .cctor: array initializer size 10971

Uses 32bit PE files

Source: PURCHASE ORDER.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Detected potential crypto function

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01553D9D	0_2_01553D9D
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01551C40	0_2_01551C40
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01550EB0	0_2_01550EB0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_015518F0	0_2_015518F0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_015518E0	0_2_015518E0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01556508	0_2_01556508
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01551C31	0_2_01551C31
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01556F18	0_2_01556F18
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01553F9B	0_2_01553F9B
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01551ED8	0_2_01551ED8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01551EC9	0_2_01551EC9
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01550EA0	0_2_01550EA0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_0160E2C8	0_2_0160E2C8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_0160E2D8	0_2_0160E2D8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_0160BFC4	0_2_0160BFC4
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_031C65B8	0_2_031C65B8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_031C65A9	0_2_031C65A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00DEE16B	3_2_00DEE16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00DEDA01	3_2_00DEDA01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D7F780	3_2_04D7F780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D7B520	3_2_04D7B520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D7FAC8	3_2_04D7FAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D30548	3_2_05D30548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D3C508	3_2_05D3C508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D32638	3_2_05D32638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D3CB40	3_2_05D3CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E6A5A4	3_2_05E6A5A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E6F910	3_2_05E6F910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E6CD19	3_2_05E6CD19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E6F4CF	3_2_05E6F4CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E60040	3_2_05E60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E65428	3_2_05E65428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E67E40	3_2_05E67E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E61F88	3_2_05E61F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E885B8	3_2_05E885B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E81958	3_2_05E81958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E8A4C0	3_2_05E8A4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E8E770	3_2_05E8E770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E84E28	3_2_05E84E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E8D578	3_2_05E8D578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E8D518	3_2_05E8D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E873D0	3_2_05E873D0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 05D36F60 appears 52 times

Sample file is different than original file name gathered from version info

Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.348745127.00000000078A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.343797180.0000000004468000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.343797180.0000000004468000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqyB5isNZ.exe8 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.346074250.00000000056D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCassa.dll< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.341153865.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe	Binary or memory string: OriginalFilenameqyB5isNZ.exe8 vs PURCHASE ORDER.exe

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50

Source: PURCHASE ORDER.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PAyWOGoRT.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PURCHASE ORDER.exe	ReversingLabs: Detection: 60%
Source: PURCHASE ORDER.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File read: C:\Users\user\Desktop\PURCHASE ORDER.exe

Source: unknown	Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: PURCHASE ORDER.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Mutant created: \Sessions\1\BaseNamedObjects\nnVWvWgWBznoFzzQRNsbxIAQxt
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2040:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01

Source: 3.0.RegSvcs.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.RegSvcs.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D3F488 push esp; retf	3_2_05D3F5A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D3E11E push ecx; iretd	3_2_05D3E11F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D3E123 push eax; iretd	3_2_05D3E124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E63F21 push E904DDD4h; retf 0001h	3_2_05E63F26

Source: initial sample	Static PE information: section name: .text entropy: 7.897447602261709
Source: initial sample	Static PE information: section name: .text entropy: 7.897447602261709

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Source: Yara match	File source: 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PAyWOGoRT.exe PID: 1520, type: MEMORYSTR

Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 2168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe TID: 6064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 2032	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 5168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9777			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9736

Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 0000000C.00000002.577267438.0000000006000000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 80A008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 872008	Jump to behavior

Source: Yara match	File source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR

Windows Analysis Report PURCHASE ORDER.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
PURCHASE ORDER.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

ID:	755961
Product:	CloudBasic
Start time:	11:23:06
Start date:	29.11.2022
Sample:	PURCHASE ORDER.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	a55b4bb09398659d69f1b8b37541e621
SHA1:	975f7c38780d00ae497fcb6addf31f5ad8cdb090
SHA256:	ea45a2032eebe69d32b15d3ea505330eb00b5026107e8e123fb9fb9e2bf87496
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAyWOGoRT.exe.log	ASCII text, with CRLF line terminators	69206D3AF7D6EFD08F4B4726998856D3	E778D4BF781F7712163CF5E2F5E7C15953E484CF	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASE ORDER.exe.log	ASCII text, with CRLF line terminators	69206D3AF7D6EFD08F4B4726998856D3	E778D4BF781F7712163CF5E2F5E7C15953E484CF	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yGbzOMp.exe.log	ASCII text, with CRLF line terminators	8C0458BB9EA02D50565175E38D577E35	F0B50702CD6470F3C17D637908F83212FDBDB2F2	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
C:\Users\user\AppData\Local\Temp\tmp6AED.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	80E675E5B2A240D5A633F826B64E2CF7	A690D2C5FB99B392615E75E68CE86972910D28AE	4F6FD6CEF34AAFE00144F440C2AE385364AB808F5B9FCEF4E7EB5105066B0302
C:\Users\user\AppData\Local\Temp\tmpF89B.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	80E675E5B2A240D5A633F826B64E2CF7	A690D2C5FB99B392615E75E68CE86972910D28AE	4F6FD6CEF34AAFE00144F440C2AE385364AB808F5B9FCEF4E7EB5105066B0302
C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	A55B4BB09398659D69F1B8B37541E621	975F7C38780D00AE497FCB6ADDF31F5AD8CDB090	EA45A2032EEBE69D32B15D3EA505330EB00B5026107E8E123FB9FB9E2BF87496
C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	2867A3817C9245F7CF518524DFD18F28	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
\Device\ConDrv	ASCII text, with CRLF line terminators	1AEB3A784552CFD2AEDEDC1D43A97A4F	804286AB9F8B3DE053222826A69A7CDA3492411A	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293