Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\XX(1).exe

"C:\Users\user\Desktop\XX(1).exe"

Details

Is windows:	false
Is dropped:	false
PID:	7432
Target ID:	0
Parent PID:	2580
Name:	XX(1).exe
Path:	C:\Users\user\Desktop\XX(1).exe
Commandline:	"C:\Users\user\Desktop\XX(1).exe"
Size:	1171456
MD5:	CEEE05227B74E5A1E6D89F3B1CDFD24B
Time:	21:38:28
Date:	04/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x9f0000
Modulesize:	1196032
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\XX(1).exe"

Details

Is windows:	true
Is dropped:	false
PID:	7448
Target ID:	1
Parent PID:	7432
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\XX(1).exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	21:38:29
Date:	04/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xfb0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

Details

Name:	https://api.ipify.org/
IP:	172.67.74.152
TargetID:	1
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883398358.0000000003411000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://sectigo.com/CPS0

unknown

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://magnatextile.com

unknown

http://mail.magnatextile.com

unknown

Domains

Name

Malicious

magnatextile.com

164.68.127.9

Details

Name:	magnatextile.com
IP:	164.68.127.9
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.magnatextile.com

unknown

Details

Name:	mail.magnatextile.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

164.68.127.9

magnatextile.com

Germany

Details

IP:	164.68.127.9
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Germany
Countrycode:	DEU
ASN number:	51167
ASN name:	CONTABODE
Private:	false
Domain:	magnatextile.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

4411000

trusted library allocation

page read and write

5A90000

trusted library section

page read and write

59D0000

trusted library section

page read and write

3464000

trusted library allocation

page read and write

312F000

heap

page read and write

348F000

trusted library allocation

page read and write

34A3000

trusted library allocation

page read and write

3497000

trusted library allocation

page read and write

5FC0000

trusted library allocation

page read and write

5A52000

trusted library allocation

page read and write

14E6000

heap

page read and write

3B60000

direct allocation

page read and write

5FD0000

heap

page read and write

7F070000

trusted library allocation

page execute and read and write

3070000

trusted library allocation

page read and write

671E000

stack

page read and write

3030000

trusted library allocation

page read and write

5A40000

trusted library allocation

page read and write

5A61000

trusted library allocation

page read and write

13A4000

heap

page read and write

1375000

heap

page read and write

9F0000

unkown

page readonly

1384000

heap

page read and write

3DD9000

direct allocation

page read and write

6C1D000

stack

page read and write

3218000

trusted library allocation

page read and write

348B000

trusted library allocation

page read and write

3E4E000

direct allocation

page read and write

9F1000

unkown

page execute read

5FCD000

trusted library allocation

page read and write

5D94000

heap

page read and write

3E2D000

direct allocation

page read and write

3DD9000

direct allocation

page read and write

12CB000

heap

page read and write

1322000

heap

page read and write

11FD000

stack

page read and write

3B10000

direct allocation

page read and write

3D00000

direct allocation

page read and write

5A4B000

trusted library allocation

page read and write

5A80000

trusted library allocation

page read and write

4516000

trusted library allocation

page read and write

1270000

heap

page read and write

1365000

heap

page read and write

1263000

heap

page read and write

3E29000

direct allocation

page read and write

3460000

trusted library allocation

page read and write

6EB0000

trusted library allocation

page execute and read and write

3E29000

direct allocation

page read and write

3750000

direct allocation

page execute and read and write

125A000

stack

page read and write

13C0000

heap

page read and write

6E90000

trusted library allocation

page read and write

6F0D000

stack

page read and write

44D3000

trusted library allocation

page read and write

3090000

trusted library allocation

page read and write

5B00000

trusted library allocation

page read and write

1521000

heap

page read and write

3075000

trusted library allocation

page execute and read and write

14B2000

heap

page read and write

3B60000

direct allocation

page read and write

6F9E000

stack

page read and write

7370000

trusted library allocation

page read and write

3E2D000

direct allocation

page read and write

65DD000

stack

page read and write

11BF000

stack

page read and write

3DDD000

direct allocation

page read and write

3CB0000

direct allocation

page read and write

9F0000

unkown

page readonly

AAF000

unkown

page read and write

A7F000

unkown

page readonly

3C33000

direct allocation

page read and write

AA5000

unkown

page readonly

5A4E000

trusted library allocation

page read and write

5D80000

heap

page read and write

3B10000

direct allocation

page read and write

899000

stack

page read and write

73A0000

heap

page read and write

3CB0000

direct allocation

page read and write

32B0000

trusted library allocation

page read and write

30F7000

heap

page read and write

3034000

trusted library allocation

page read and write

37C4000

heap

page read and write

5C5C000

stack

page read and write

6D1F000

stack

page read and write

30E0000

trusted library allocation

page execute and read and write

14D3000

heap

page read and write

6EA0000

trusted library allocation

page read and write

303D000

trusted library allocation

page execute and read and write

12CB000

heap

page read and write

13E5000

heap

page read and write

3E29000

direct allocation

page read and write

6E98000

trusted library allocation

page read and write

3066000

trusted library allocation

page execute and read and write

9D0000

heap

page read and write

3B10000

direct allocation

page read and write

1394000

heap

page read and write

348D000

trusted library allocation

page read and write

304D000

trusted library allocation

page execute and read and write

6E5D000

stack

page read and write

9A0000

heap

page read and write

2FE0000

heap

page read and write

11DB000

stack

page read and write

5FBE000

stack

page read and write

9F1000

unkown

page execute read

1375000

heap

page read and write

3060000

trusted library allocation

page read and write

307B000

trusted library allocation

page execute and read and write

990000

heap

page read and write

3072000

trusted library allocation

page read and write

6FE7000

trusted library allocation

page read and write

3DDD000

direct allocation

page read and write

3B60000

direct allocation

page read and write

3043000

trusted library allocation

page read and write

33FE000

stack

page read and write

3053000

heap

page read and write

3C83000

direct allocation

page read and write

3000000

trusted library section

page read and write

3E4E000

direct allocation

page read and write

12CB000

heap

page read and write

5FE0000

trusted library allocation

page execute and read and write

14E0000

heap

page read and write

5DC2000

heap

page read and write

59CF000

stack

page read and write

3E9E000

direct allocation

page read and write

AAF000

unkown

page write copy

13A4000

heap

page read and write

14AF000

heap

page read and write

306A000

trusted library allocation

page execute and read and write

1E2E000

stack

page read and write

14A1000

heap

page read and write

3CB0000

direct allocation

page read and write

1220000

heap

page read and write

3040000

trusted library allocation

page read and write

12AF000

heap

page read and write

3DD9000

direct allocation

page read and write

1238000

heap

page read and write

6EA4000

trusted library allocation

page read and write

3411000

trusted library allocation

page read and write

5A30000

heap

page execute and read and write

554E000

stack

page read and write

13E0000

heap

page read and write

1478000

heap

page read and write

58CE000

stack

page read and write

344A000

trusted library allocation

page read and write

AB8000

unkown

page readonly

1358000

stack

page read and write

3E4E000

direct allocation

page read and write

3DDD000

direct allocation

page read and write

30DE000

stack

page read and write

3C33000

direct allocation

page read and write

3D00000

direct allocation

page read and write

544C000

stack

page read and write

14E4000

heap

page read and write

3453000

trusted library allocation

page read and write

75B0000

heap

page read and write

5A46000

trusted library allocation

page read and write

98E000

stack

page read and write

445000

system

page execute and read and write

AB3000

unkown

page write copy

1470000

heap

page read and write

5A20000

trusted library allocation

page read and write

3050000

heap

page read and write

1394000

heap

page read and write

5A6D000

trusted library allocation

page read and write

6FF0000

trusted library allocation

page read and write

3C83000

direct allocation

page read and write

3C33000

direct allocation

page read and write

94D000

stack

page read and write

6FE0000

trusted library allocation

page read and write

1550000

heap

page read and write

3E2D000

direct allocation

page read and write

5B20000

heap

page read and write

426000

system

page execute and read and write

3E9E000

direct allocation

page read and write

3E9E000

direct allocation

page read and write

1A2E000

stack

page read and write

3760000

direct allocation

page read and write

66DE000

stack

page read and write

A7F000

unkown

page readonly

11CF000

stack

page read and write

30F0000

heap

page read and write

3100000

heap

page read and write

3020000

trusted library allocation

page read and write

AB8000

unkown

page readonly

1384000

heap

page read and write

7360000

trusted library allocation

page execute and read and write

1270000

heap

page read and write

1230000

heap

page read and write

6D5E000

stack

page read and write

900000

heap

page read and write

6EC0000

trusted library allocation

page read and write

13B0000

heap

page read and write

5A66000

trusted library allocation

page read and write

37C0000

heap

page read and write

5A5A000

trusted library allocation

page read and write

3C83000

direct allocation

page read and write

681E000

stack

page read and write

3400000

heap

page read and write

3062000

trusted library allocation

page read and write

13A4000

heap

page read and write

AA5000

unkown

page readonly

5EBE000

stack

page read and write

3077000

trusted library allocation

page execute and read and write

3D00000

direct allocation

page read and write

3033000

trusted library allocation

page execute and read and write

32E0000

trusted library allocation

page read and write

12CC000

heap

page read and write

3010000

trusted library section

page read and write

1270000

heap

page read and write

14F8000

heap

page read and write

400000

system

page execute and read and write

5A5E000

trusted library allocation

page read and write

32F0000

heap

page read and write

32C0000

heap

page execute and read and write

1384000

heap

page read and write

5D5C000

stack

page read and write

There are 206 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
XX(1).exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportXX(1).exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
XX(1).exe