Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.975205070022554
Filename:	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
Filesize:	1062400
MD5:	94f7917fd8334a283b0d5c408383e4ed
SHA1:	8b1e768eb4493d907df10b29042ef2ff11727c87
SHA256:	3b0246cc2beaacf7c22ab27377a14e9d5cba3dc5b514b4f4a5e8c2eb9c20f612
SHA512:	92e649893733de391d1427f5255331acff1184c637f55339793b5c8b3fc881ae1b8f771b2528d576c1e1e041621f3c73f72b539e98842e82c0a44044b9d9feb4
SSDEEP:	24576:SAHnh+eWsN3skA4RV1Hom2KXMmHaIoQ1TwWFq6d5:Vh+ZkldoPK8YaIF1qk
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates processes with suspicious names	Persistence and Installation Behavior
Detected potential crypto function	System Summary	Process Discovery
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KaGeys.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KaGeys.exe.log
Category:	modified
Dump:	KaGeys.exe.log.3.dr
ID:	dr_6
Target ID:	3
Process:	C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.090621108356562
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
Size:	142
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\asset

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\asset
Category:	dropped
Dump:	asset.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
Type:	data
Entropy:	6.60716245529181
Encrypted:	false
Ssdeep:	6144:iep3Lxul5nE7uXhjWhN9NjqY+v1QRoJr8I:N37uJWhdjXur8I
Size:	244736
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\autC01D.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autC01D.tmp
Category:	dropped
Dump:	autC01D.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
Type:	data
Entropy:	7.875688617250052
Encrypted:	false
Ssdeep:	3072:dXqZMYTU8sPR/E0MdiZT+V8sMWyyJii1N8aUoU//VhqI87j:da+C0xZT+V8s5AcuXXVhXCj
Size:	151054
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\autC05C.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autC05C.tmp
Category:	dropped
Dump:	autC05C.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
Type:	data
Entropy:	7.5986589087356275
Encrypted:	false
Ssdeep:	192:65jwEiqEH1WgUJuzJkecGgJo7xocBkP/eH6exLOFyFTfvPPT:I6qEHYV0eecGGo7xocBE/c6ePTfvPr
Size:	9824
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\tapestring

ASCII text, with very long lines (28756), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\tapestring
Category:	dropped
Dump:	tapestring.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
Type:	ASCII text, with very long lines (28756), with no line terminators
Entropy:	3.5885483301510295
Encrypted:	false
Ssdeep:	768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbd+IH6B34vfF3if6gyCy:miTZ+2QoioGRk6ZklputwjpjBkCiw2R5
Size:	28756
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe
Category:	modified
Dump:	KaGeys.exe.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.16795797263964
Encrypted:	false
Ssdeep:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
Size:	45984
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses Microsoft Silverlight	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.6.dr
ID:	dr_7
Target ID:	6
Process:	C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.442398121585593
Encrypted:	false
Ssdeep:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
Size:	1141
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe

"C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3640
Target ID:	0
Parent PID:	1028
Name:	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
Path:	C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
Commandline:	"C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"
Size:	1062400
MD5:	94F7917FD8334A283B0D5C408383E4ED
Time:	02:50:22
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xea0000
Modulesize:	1085440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"

Details

Is windows:	true
Is dropped:	false
PID:	348
Target ID:	2
Parent PID:	3640
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	02:50:23
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x5e0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe

"C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe"

Details

Is windows:	false
Is dropped:	true
PID:	6512
Target ID:	3
Parent PID:	1028
Name:	KaGeys.exe
Path:	C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe
Commandline:	"C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	02:50:36
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xe00000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe

"C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe"

Details

Is windows:	false
Is dropped:	true
PID:	6512
Target ID:	6
Parent PID:	1028
Name:	KaGeys.exe
Path:	C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe
Commandline:	"C:\Users\user\AppData\Roaming\KaGeys\KaGeys.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	02:50:44
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x2d0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5560
Target ID:	4
Parent PID:	6512
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	02:50:36
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4440
Target ID:	7
Parent PID:	6512
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	02:50:44
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

https://api.ipify.org

unknown

https://account.dyn.com/

unknown

http://mail.laboratoriosvilla.com.mx

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://ip-api.com

unknown

http://r10.o.lencr.org0#

unknown

http://laboratoriosvilla.com.mx

unknown

https://api.ipify.org/t

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://r10.i.lencr.org/0

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

laboratoriosvilla.com.mx

216.194.161.167

Details

Name:	laboratoriosvilla.com.mx
IP:	216.194.161.167
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.laboratoriosvilla.com.mx

unknown

Details

Name:	mail.laboratoriosvilla.com.mx
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

216.194.161.167

laboratoriosvilla.com.mx

United States

Details

IP:	216.194.161.167
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	22611
ASN name:	IMH-WESTUS
Private:	false
Domain:	laboratoriosvilla.com.mx

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

KaGeys

There are 6 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2A63000

trusted library allocation

page read and write

2A25000

trusted library allocation

page read and write

1120000

direct allocation

page read and write

402000

system

page execute and read and write

2A4D000

trusted library allocation

page read and write

64D0000

trusted library allocation

page read and write

EA0000

unkown

page readonly

FE0000

trusted library allocation

page read and write

1350000

heap

page read and write

2A68000

trusted library allocation

page read and write

28B0000

heap

page read and write

601D000

stack

page read and write

4E3C000

stack

page read and write

3C63000

direct allocation

page read and write

13C5000

heap

page read and write

CDB000

trusted library allocation

page execute and read and write

DCF000

stack

page read and write

E02000

unkown

page readonly

66EE000

stack

page read and write

CB0000

trusted library allocation

page read and write

2A4B000

trusted library allocation

page read and write

119A000

heap

page read and write

C6F000

stack

page read and write

835000

heap

page read and write

4F30000

heap

page read and write

DAE000

heap

page read and write

11DF000

heap

page read and write

12ED000

heap

page read and write

880000

trusted library allocation

page read and write

11EA000

heap

page read and write

DBA000

heap

page read and write

F2F000

unkown

page readonly

E0A000

unkown

page readonly

EA1000

unkown

page execute read

87E000

stack

page read and write

CD5000

trusted library allocation

page execute and read and write

F63000

unkown

page write copy

1E90000

heap

page read and write

3E0000

heap

page read and write

8B0000

trusted library allocation

page read and write

3E09000

direct allocation

page read and write

E78000

heap

page read and write

4AB0000

trusted library allocation

page execute and read and write

8A0000

heap

page read and write

894000

trusted library allocation

page read and write

4ABE000

stack

page read and write

37F4000

heap

page read and write

2860000

trusted library allocation

page read and write

CA3000

trusted library allocation

page execute and read and write

3E09000

direct allocation

page read and write

1259000

heap

page read and write

950000

trusted library allocation

page read and write

89D000

trusted library allocation

page execute and read and write

1208000

heap

page read and write

64B0000

trusted library allocation

page read and write

13C0000

heap

page read and write

FD0000

trusted library allocation

page read and write

57EE000

stack

page read and write

CF0000

heap

page read and write

2892000

trusted library allocation

page read and write

3E09000

direct allocation

page read and write

1110000

direct allocation

page execute and read and write

119A000

heap

page read and write

2F60000

trusted library allocation

page execute and read and write

930000

heap

page read and write

F55000

unkown

page readonly

B95000

heap

page read and write

2F70000

heap

page read and write

3E0D000

direct allocation

page read and write

3CE0000

direct allocation

page read and write

CA0000

trusted library allocation

page read and write

2FF0000

heap

page read and write

3E7E000

direct allocation

page read and write

11DE000

heap

page read and write

3B40000

direct allocation

page read and write

4B7E000

stack

page read and write

F8E000

stack

page read and write

CD7000

trusted library allocation

page execute and read and write

E00000

unkown

page readonly

2A49000

trusted library allocation

page read and write

4E3F000

stack

page read and write

DDB000

stack

page read and write

5EDE000

stack

page read and write

17AC000

stack

page read and write

2850000

heap

page execute and read and write

11EB000

heap

page read and write

CC2000

trusted library allocation

page read and write

3160000

heap

page execute and read and write

2A0D000

trusted library allocation

page read and write

8B4000

trusted library allocation

page read and write

E88000

heap

page read and write

244E000

stack

page read and write

530E000

stack

page read and write

3C63000

direct allocation

page read and write

16E0000

trusted library allocation

page read and write

1707000

trusted library allocation

page execute and read and write

5C43000

heap

page read and write

13B3000

trusted library allocation

page execute and read and write

3C63000

direct allocation

page read and write

1288000

heap

page read and write

27A8000

trusted library allocation

page read and write

63E7000

trusted library allocation

page read and write

3E0D000

direct allocation

page read and write

E52000

heap

page read and write

29BF000

stack

page read and write

2A76000

trusted library allocation

page read and write

3B40000

direct allocation

page read and write

134E000

stack

page read and write

DBF000

stack

page read and write

3E0D000

direct allocation

page read and write

39E9000

trusted library allocation

page read and write

3CE0000

direct allocation

page read and write

AFE000

stack

page read and write

596E000

stack

page read and write

513C000

stack

page read and write

3171000

trusted library allocation

page read and write

910000

trusted library allocation

page read and write

12CE000

heap

page read and write

617F000

stack

page read and write

3E7E000

direct allocation

page read and write

11EA000

heap

page read and write

2FE0000

trusted library allocation

page execute and read and write

63DD000

trusted library allocation

page read and write

263F000

stack

page read and write

36C000

stack

page read and write

920000

heap

page read and write

1238000

heap

page read and write

10E0000

heap

page read and write

DC8000

heap

page read and write

39C1000

trusted library allocation

page read and write

11C3000

heap

page read and write

F5F000

unkown

page write copy

DC5000

heap

page read and write

978000

heap

page read and write

D00000

trusted library allocation

page read and write

6500000

heap

page read and write

1240000

heap

page read and write

119F000

heap

page read and write

8DB000

trusted library allocation

page execute and read and write

252C000

stack

page read and write

12ED000

heap

page read and write

473E000

stack

page read and write

4F3F000

stack

page read and write

1183000

heap

page read and write

12DE000

heap

page read and write

CCA000

trusted library allocation

page execute and read and write

6440000

trusted library allocation

page read and write

B80000

trusted library allocation

page read and write

F68000

unkown

page readonly

4BFE000

stack

page read and write

6FA000

stack

page read and write

592F000

stack

page read and write

3CE0000

direct allocation

page read and write

12FB000

heap

page read and write

D90000

heap

page read and write

FB0000

trusted library allocation

page execute and read and write

3B40000

direct allocation

page read and write

1247000

heap

page read and write

3E09000

direct allocation

page read and write

79A000

stack

page read and write

830000

heap

page read and write

994000

heap

page read and write

1300000

heap

page read and write

582E000

stack

page read and write

CC0000

trusted library allocation

page read and write

1160000

heap

page read and write

6530000

trusted library allocation

page execute and read and write

99A000

heap

page read and write

624E000

stack

page read and write

11CE000

heap

page read and write

64B7000

trusted library allocation

page read and write

1192000

heap

page read and write

130F000

heap

page read and write

13B4000

trusted library allocation

page read and write

6450000

trusted library allocation

page execute and read and write

3E7E000

direct allocation

page read and write

4F40000

heap

page read and write

5BA0000

heap

page read and write

6850000

heap

page read and write

4EE0000

heap

page execute and read and write

29C1000

trusted library allocation

page read and write

2866000

trusted library allocation

page read and write

CAD000

trusted library allocation

page execute and read and write

4F33000

heap

page read and write

12CF000

heap

page read and write

F68000

unkown

page readonly

893000

trusted library allocation

page execute and read and write

C9F000

stack

page read and write

2F90000

trusted library allocation

page read and write

119F000

heap

page read and write

7F240000

trusted library allocation

page execute and read and write

3A2B000

trusted library allocation

page read and write

3E0D000

direct allocation

page read and write

11EA000

heap

page read and write

130E000

heap

page read and write

16DE000

stack

page read and write

3641000

trusted library allocation

page read and write

63D0000

trusted library allocation

page read and write

29FF000

trusted library allocation

page read and write

E00000

heap

page read and write

63CE000

stack

page read and write

638E000

stack

page read and write

12C1000

heap

page read and write

29F5000

trusted library allocation

page read and write

80E000

stack

page read and write

3E0D000

direct allocation

page read and write

F55000

unkown

page readonly

130D000

heap

page read and write

121F000

heap

page read and write

287A000

trusted library allocation

page read and write

3E7E000

direct allocation

page read and write

9A7000

heap

page read and write

17B0000

heap

page read and write

64C0000

trusted library allocation

page read and write

4C30000

heap

page execute and read and write

8BD000

trusted library allocation

page execute and read and write

11EA000

heap

page read and write

3D0000

heap

page read and write

4D3E000

stack

page read and write

54CD000

stack

page read and write

1192000

heap

page read and write

9DD000

heap

page read and write

56E0000

heap

page execute and read and write

54D0000

trusted library allocation

page read and write

E90000

heap

page read and write

E14000

heap

page read and write

979000

stack

page read and write

288D000

trusted library allocation

page read and write

FF0000

heap

page read and write

3C63000

direct allocation

page read and write

D98000

heap

page read and write

170B000

trusted library allocation

page execute and read and write

3C63000

direct allocation

page read and write

12DE000

heap

page read and write

2881000

trusted library allocation

page read and write

F9A000

stack

page read and write

6430000

trusted library allocation

page execute and read and write

DFC000

stack

page read and write

FC0000

trusted library allocation

page read and write

3C63000

direct allocation

page read and write

400000

system

page execute and read and write

1168000

heap

page read and write

1380000

heap

page read and write

642E000

stack

page read and write

1200000

heap

page read and write

5A6E000

stack

page read and write

98F000

heap

page read and write

CA4000

trusted library allocation

page read and write

2641000

trusted library allocation

page read and write

4BBE000

stack

page read and write

87A000

stack

page read and write

10F0000

heap

page read and write

56AE000

stack

page read and write

E4E000

stack

page read and write

159E000

stack

page read and write

120A000

heap

page read and write

F2F000

unkown

page readonly

122B000

heap

page read and write

1224000

heap

page read and write

11EA000

heap

page read and write

900000

trusted library allocation

page execute and read and write

960000

heap

page read and write

11BE000

heap

page read and write

3E7E000

direct allocation

page read and write

F90000

heap

page read and write

5BC9000

heap

page read and write

119F000

heap

page read and write

B6F000

stack

page read and write

FF6000

heap

page read and write

B90000

heap

page read and write

12DF000

heap

page read and write

8D7000

trusted library allocation

page execute and read and write

D8C000

stack

page read and write

E8E000

stack

page read and write

54D9000

trusted library allocation

page read and write

16ED000

trusted library allocation

page execute and read and write

D4E000

stack

page read and write

CC6000

trusted library allocation

page execute and read and write

9E0000

heap

page read and write

EA1000

unkown

page execute read

3CE0000

direct allocation

page read and write

3B40000

direct allocation

page read and write

11EA000

heap

page read and write

15DE000

stack

page read and write

11EA000

heap

page read and write

1700000

trusted library allocation

page read and write

176E000

stack

page read and write

3B40000

direct allocation

page read and write

634E000

stack

page read and write

63E0000

trusted library allocation

page read and write

2FA0000

trusted library allocation

page read and write

30FE000

stack

page read and write

3CE0000

direct allocation

page read and write

16E4000

trusted library allocation

page read and write

11CE000

heap

page read and write

54E0000

heap

page read and write

3E7E000

direct allocation

page read and write

11EA000

heap

page read and write

286E000

trusted library allocation

page read and write

CBD000

trusted library allocation

page execute and read and write

2530000

heap

page execute and read and write

1D5E000

stack

page read and write

1193000

heap

page read and write

3B40000

direct allocation

page read and write

13A0000

trusted library allocation

page read and write

CD2000

trusted library allocation

page read and write

11BE000

heap

page read and write

13BD000

trusted library allocation

page execute and read and write

B4E000

stack

page read and write

620F000

stack

page read and write

11DE000

heap

page read and write

3CE0000

direct allocation

page read and write

970000

heap

page read and write

4171000

trusted library allocation

page read and write

287E000

trusted library allocation

page read and write

EA0000

unkown

page readonly

F5F000

unkown

page read and write

11EA000

heap

page read and write

5F1E000

stack

page read and write

E9C000

stack

page read and write

286B000

trusted library allocation

page read and write

2886000

trusted library allocation

page read and write

3E09000

direct allocation

page read and write

2872000

trusted library allocation

page read and write

B00000

heap

page read and write

607E000

stack

page read and write

3E0D000

direct allocation

page read and write

61CD000

stack

page read and write

195E000

stack

page read and write

3E09000

direct allocation

page read and write

2A11000

trusted library allocation

page read and write

37F0000

heap

page read and write

2840000

trusted library allocation

page read and write

130E000

heap

page read and write

There are 324 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe