Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

Order Specifications for Materials.docx.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.150975150770328
Filename:	Order Specifications for Materials.docx.exe
Filesize:	1172992
MD5:	ca5e9b87e7c8b8dc2b60edad5b0ef4d5
SHA1:	be210e5855b7ac8337da25bea95117fdd66be619
SHA256:	1a326608fcf76eabbcc227a1515eb23309a8e6adb6c18b2c23041e3ebf225c77
SHA512:	4b460524f7d9834ba089de468783df9761342de4b06255fc3bb11a4907f6eb21f0529c8ad250989d3494437f4839dc355907fd023840eb842c21be9b35d6f1bd
SSDEEP:	24576:eu6J33O0c+JY5UZ+XC0kGso6Fa1M+Tlxkm4ZugpWY:wu0c++OCvkGs9Fa1MQlxyupY
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Access Token Manipulation
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to detect virtual machines (SLDT)	Malware Analysis System Evasion	Access Token Manipulation
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Disable or Modify Tools Exfiltration Over Alternative Protocol
Contains functionality to launch a process as a different user	System Summary	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation Process Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Process Discovery Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Access Token Manipulation Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality for error logging	System Summary	Access Token Manipulation Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Category:	modified
Dump:	sgxIb.exe.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.16795797263964
Encrypted:	false
Ssdeep:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
Size:	45984
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sgxIb.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sgxIb.exe.log
Category:	modified
Dump:	sgxIb.exe.log.8.dr
ID:	dr_4
Target ID:	8
Process:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.090621108356562
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
Size:	142
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\Roca

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Roca
Category:	dropped
Dump:	Roca.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Order Specifications for Materials.docx.exe
Type:	data
Entropy:	7.876565257134446
Encrypted:	false
Ssdeep:	6144:Kpw0DDRCC51I7xeFAEyz2W+KYDbnYR104PhNzl7z6r:KawDRCQ1cxeFiITYv0sbZ4
Size:	271360
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut3634.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut3634.tmp
Category:	dropped
Dump:	aut3634.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Order Specifications for Materials.docx.exe
Type:	data
Entropy:	7.876565257134446
Encrypted:	false
Ssdeep:	6144:Kpw0DDRCC51I7xeFAEyz2W+KYDbnYR104PhNzl7z6r:KawDRCQ1cxeFiITYv0sbZ4
Size:	271360
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.11.dr
ID:	dr_5
Target ID:	11
Process:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.442398121585593
Encrypted:	false
Ssdeep:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
Size:	1141
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Order Specifications for Materials.docx.exe

"C:\Users\user\Desktop\Order Specifications for Materials.docx.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7716
Target ID:	0
Parent PID:	3964
Name:	Order Specifications for Materials.docx.exe
Path:	C:\Users\user\Desktop\Order Specifications for Materials.docx.exe
Commandline:	"C:\Users\user\Desktop\Order Specifications for Materials.docx.exe"
Size:	1172992
MD5:	CA5E9B87E7C8B8DC2B60EDAD5B0EF4D5
Time:	20:19:10
Date:	02/04/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf0000
Modulesize:	1200128
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspicious Double Extension File Execution	System Summary
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\Order Specifications for Materials.docx.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7740
Target ID:	1
Parent PID:	7716
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\Order Specifications for Materials.docx.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	20:19:11
Date:	02/04/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x900000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5708
Target ID:	8
Parent PID:	3964
Name:	sgxIb.exe
Path:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Commandline:	"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	20:19:23
Date:	02/04/2025
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xbe0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3040
Target ID:	11
Parent PID:	3964
Name:	sgxIb.exe
Path:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Commandline:	"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	20:19:31
Date:	02/04/2025
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xdd0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1432
Target ID:	9
Parent PID:	5708
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	20:19:23
Date:	02/04/2025
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff62fc20000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4036
Target ID:	12
Parent PID:	3040
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	20:19:31
Date:	02/04/2025
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff62fc20000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

Details

Name:	https://api.ipify.org/
IP:	104.26.13.205
TargetID:	1
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.3627265809.00000000029DF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3627872448.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3629495623.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3630635978.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3630306285.00000000052D0000.00000004.08000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.3627265809.00000000029DF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3629495623.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3630635978.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3630306285.00000000052D0000.00000004.08000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ftp.haliza.com.my

unknown

Details

Name:	http://ftp.haliza.com.my
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.3627872448.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3627872448.00000000032AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3627872448.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3627872448.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3627872448.0000000003217000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

Details

Name:	https://api.ipify.org/t
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.3627872448.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.3627872448.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

ftp.haliza.com.my

110.4.45.197

Details

Name:	ftp.haliza.com.my
IP:	110.4.45.197
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

110.4.45.197

ftp.haliza.com.my

Malaysia

Details

IP:	110.4.45.197
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Malaysia
Countrycode:	MYS
ASN number:	46015
ASN name:	EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Private:	false
Domain:	ftp.haliza.com.my

Signature Hits	Behavior Group	Mitre Attack
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

sgxIb

There are 6 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

29DF000

heap

page read and write

3DC1000

trusted library allocation

page read and write

54D0000

trusted library section

page read and write

52D0000

trusted library section

page read and write

2E14000

trusted library allocation

page read and write

12EB000

trusted library allocation

page execute and read and write

15C7000

trusted library allocation

page execute and read and write

F5C000

heap

page read and write

5212000

trusted library allocation

page read and write

E90000

trusted library section

page read and write

15F0000

heap

page read and write

38D0000

direct allocation

page read and write

156E000

stack

page read and write

FCF000

heap

page read and write

D4B000

stack

page read and write

39F9000

direct allocation

page read and write

F0B000

trusted library allocation

page execute and read and write

F48000

heap

page read and write

6810000

trusted library allocation

page read and write

F02000

trusted library allocation

page read and write

99A000

stack

page read and write

725D000

stack

page read and write

2C70000

heap

page execute and read and write

1195000

heap

page read and write

7117000

heap

page read and write

F23000

heap

page read and write

1350000

heap

page read and write

33C0000

direct allocation

page read and write

6BE0000

trusted library allocation

page read and write

1AAE000

stack

page read and write

E7C000

stack

page read and write

591E000

stack

page read and write

2D3C000

stack

page read and write

5920000

heap

page read and write

4091000

trusted library allocation

page read and write

56FE000

stack

page read and write

2D60000

heap

page execute and read and write

5AB0000

trusted library allocation

page execute and read and write

F7F000

heap

page read and write

70CC000

stack

page read and write

BCF000

stack

page read and write

168C000

stack

page read and write

3E6F000

trusted library allocation

page read and write

2DC1000

trusted library allocation

page read and write

53C0000

trusted library allocation

page read and write

BEA000

unkown

page readonly

1A4000

unkown

page readonly

3B99000

direct allocation

page read and write

F1000

unkown

page execute read

EB8000

heap

page read and write

1AE000

unkown

page read and write

1640000

heap

page execute and read and write

4EBD000

stack

page read and write

6CEC000

heap

page read and write

F7C000

heap

page read and write

11E0000

heap

page read and write

130E000

heap

page read and write

3A70000

direct allocation

page read and write

F5C000

heap

page read and write

12F8000

heap

page read and write

62FB000

stack

page read and write

67E0000

trusted library allocation

page read and write

567E000

stack

page read and write

1230000

heap

page read and write

F5D000

heap

page read and write

53BE000

stack

page read and write

6826000

trusted library allocation

page read and write

F5C000

heap

page read and write

2BC8000

trusted library allocation

page read and write

116A000

stack

page read and write

535C000

stack

page read and write

1AE000

unkown

page write copy

3584000

heap

page read and write

CF8000

stack

page read and write

D60000

heap

page read and write

6804000

trusted library allocation

page read and write

EE2000

heap

page read and write

BDB000

stack

page read and write

F0000

unkown

page readonly

70E0000

heap

page read and write

1218000

heap

page read and write

7260000

trusted library allocation

page read and write

66BE000

stack

page read and write

F4F000

heap

page execute and read and write

15A0000

trusted library allocation

page read and write

2B10000

heap

page read and write

15E0000

trusted library allocation

page read and write

129F000

stack

page read and write

55CE000

stack

page read and write

3EC7000

trusted library allocation

page read and write

15CB000

trusted library allocation

page execute and read and write

EF6000

trusted library allocation

page execute and read and write

3080000

heap

page read and write

EF0000

heap

page read and write

2E10000

trusted library allocation

page read and write

EE0000

trusted library allocation

page read and write

EE6000

heap

page read and write

2C80000

heap

page read and write

5200000

trusted library allocation

page read and write

12B3000

trusted library allocation

page execute and read and write

6BD0000

trusted library allocation

page execute and read and write

12E7000

trusted library allocation

page execute and read and write

2DFA000

trusted library allocation

page read and write

2CB0000

heap

page read and write

571C000

stack

page read and write

E7C000

stack

page read and write

62BC000

stack

page read and write

8160000

heap

page read and write

1248000

heap

page read and write

2AD0000

trusted library allocation

page read and write

12A0000

trusted library allocation

page read and write

5360000

trusted library allocation

page execute and read and write

F23000

heap

page read and write

67F0000

trusted library allocation

page execute and read and write

7FD20000

trusted library allocation

page execute and read and write

522E000

stack

page read and write

691E000

stack

page read and write

39F3000

direct allocation

page read and write

DA0000

heap

page read and write

F85000

heap

page read and write

3B9D000

direct allocation

page read and write

6C3C000

stack

page read and write

61BC000

stack

page read and write

3B99000

direct allocation

page read and write

1B7000

unkown

page readonly

1100000

heap

page read and write

BE2000

unkown

page readonly

F57000

heap

page read and write

38D0000

direct allocation

page read and write

15A4000

trusted library allocation

page read and write

56BE000

stack

page read and write

BFC000

stack

page read and write

3091000

trusted library allocation

page read and write

573C000

heap

page read and write

57EF000

heap

page read and write

BBF000

stack

page read and write

38D0000

direct allocation

page read and write

EF0000

heap

page read and write

F5D000

heap

page read and write

E30000

heap

page read and write

EF2000

trusted library allocation

page read and write

522D000

trusted library allocation

page read and write

F23000

heap

page read and write

6840000

trusted library allocation

page execute and read and write

C00000

heap

page read and write

3A6E000

direct allocation

page read and write

5226000

trusted library allocation

page read and write

111C000

stack

page read and write

10FE000

stack

page read and write

D00000

heap

page read and write

6820000

trusted library allocation

page read and write

1B2000

unkown

page write copy

560E000

stack

page read and write

D1D000

stack

page read and write

6B1C000

stack

page read and write

38D0000

direct allocation

page read and write

EAB000

heap

page read and write

2E67000

trusted library allocation

page read and write

12B4000

trusted library allocation

page read and write

426000

system

page execute and read and write

5610000

trusted library allocation

page execute and read and write

12E0000

trusted library allocation

page read and write

599000

stack

page read and write

2B5E000

stack

page read and write

5570000

trusted library allocation

page read and write

5720000

heap

page read and write

2BB0000

heap

page read and write

2BA0000

trusted library allocation

page read and write

2B9C000

stack

page read and write

EFD000

heap

page read and write

67BE000

stack

page read and write

101F000

heap

page read and write

3580000

heap

page read and write

2D40000

heap

page read and write

520B000

trusted library allocation

page read and write

657D000

stack

page read and write

2E03000

trusted library allocation

page read and write

52C0000

heap

page execute and read and write

1BA0000

direct allocation

page read and write

585E000

stack

page read and write

7110000

heap

page read and write

57D9000

heap

page read and write

3A6E000

direct allocation

page read and write

5232000

trusted library allocation

page read and write

15C0000

trusted library allocation

page read and write

1690000

trusted library allocation

page execute and read and write

2CB7000

heap

page read and write

5380000

trusted library allocation

page read and write

ED4000

trusted library allocation

page read and write

34E3000

direct allocation

page read and write

3B9D000

direct allocation

page read and write

F46000

heap

page read and write

306F000

stack

page read and write

2D70000

heap

page read and write

F45000

heap

page read and write

1313000

heap

page read and write

34E3000

direct allocation

page read and write

1180000

heap

page read and write

6920000

trusted library allocation

page execute and read and write

BE0000

unkown

page readonly

ED3000

trusted library allocation

page execute and read and write

F5C000

heap

page read and write

39F3000

direct allocation

page read and write

FE0000

heap

page read and write

17F000

unkown

page readonly

2CA0000

trusted library allocation

page read and write

F79000

stack

page read and write

2C60000

trusted library allocation

page read and write

D5E000

stack

page read and write

63FD000

stack

page read and write

152E000

stack

page read and write

2AF0000

trusted library allocation

page read and write

3E87000

trusted library allocation

page read and write

3B99000

direct allocation

page read and write

5AA0000

heap

page read and write

32AA000

trusted library allocation

page read and write

EB0000

trusted library section

page read and write

17CF000

stack

page read and write

38D0000

direct allocation

page read and write

581F000

stack

page read and write

1550000

heap

page read and write

39FD000

direct allocation

page read and write

6BC0000

heap

page read and write

F10000

heap

page read and write

5929000

heap

page read and write

EC0000

trusted library allocation

page read and write

135A000

heap

page read and write

EE2000

heap

page read and write

F30000

heap

page read and write

1327000

heap

page read and write

FB2000

heap

page read and write

EDD000

trusted library allocation

page execute and read and write

131A000

heap

page read and write

1210000

heap

page read and write

EB0000

heap

page read and write

12C4000

trusted library allocation

page read and write

521E000

trusted library allocation

page read and write

667E000

stack

page read and write

F44000

heap

page read and write

F1000

unkown

page execute read

6B9E000

stack

page read and write

F5A000

heap

page read and write

5520000

heap

page read and write

53CD000

trusted library allocation

page read and write

F5C000

heap

page read and write

E60000

heap

page read and write

F28000

heap

page read and write

6CE0000

heap

page read and write

D55000

heap

page read and write

F23000

heap

page read and write

3A6E000

direct allocation

page read and write

548E000

stack

page read and write

121C000

stack

page read and write

F44000

heap

page read and write

F44000

heap

page read and write

FCB000

heap

page read and write

520E000

trusted library allocation

page read and write

558E000

stack

page read and write

595F000

stack

page read and write

1500000

trusted library allocation

page read and write

2F1B000

trusted library allocation

page read and write

ED3000

heap

page read and write

39F9000

direct allocation

page read and write

38D0000

direct allocation

page read and write

12BD000

trusted library allocation

page execute and read and write

15AD000

trusted library allocation

page execute and read and write

F05000

trusted library allocation

page execute and read and write

F14000

heap

page read and write

D50000

heap

page read and write

33C0000

direct allocation

page read and write

715B000

stack

page read and write

1A4000

unkown

page readonly

123B000

heap

page read and write

5750000

heap

page execute and read and write

F0000

unkown

page readonly

F50000

heap

page read and write

F56000

heap

page execute and read and write

5610000

heap

page execute and read and write

52A0000

trusted library allocation

page read and write

EED000

trusted library allocation

page execute and read and write

39F3000

direct allocation

page read and write

6A1C000

unkown

page read and write

1580000

trusted library allocation

page read and write

2E7F000

stack

page read and write

6930000

trusted library allocation

page read and write

159D000

trusted library allocation

page execute and read and write

134E000

stack

page read and write

445000

system

page execute and read and write

1594000

trusted library allocation

page read and write

2E81000

trusted library allocation

page read and write

3A70000

direct allocation

page read and write

68DE000

stack

page read and write

EF0000

heap

page read and write

1355000

heap

page read and write

5420000

trusted library allocation

page execute and read and write

39FD000

direct allocation

page read and write

571F000

stack

page read and write

F44000

heap

page read and write

5A30000

heap

page read and write

5762000

heap

page read and write

EF0000

trusted library allocation

page read and write

11D0000

heap

page read and write

114E000

stack

page read and write

1190000

heap

page read and write

39FD000

direct allocation

page read and write

2AE0000

trusted library allocation

page execute and read and write

6800000

trusted library allocation

page read and write

6830000

trusted library allocation

page read and write

3C0E000

direct allocation

page read and write

34E3000

direct allocation

page read and write

3B9D000

direct allocation

page read and write

1C10000

heap

page read and write

12F0000

heap

page read and write

576E000

heap

page read and write

F5C000

heap

page read and write

3C0E000

direct allocation

page read and write

F07000

trusted library allocation

page execute and read and write

FD3000

heap

page read and write

16AE000

stack

page read and write

12CD000

trusted library allocation

page execute and read and write

3A70000

direct allocation

page read and write

501E000

stack

page read and write

1593000

trusted library allocation

page execute and read and write

1235000

heap

page read and write

F20000

heap

page read and write

70D0000

heap

page read and write

6B5E000

stack

page read and write

EE3000

trusted library allocation

page read and write

F5C000

heap

page read and write

5370000

trusted library allocation

page read and write

F46000

heap

page read and write

3E81000

trusted library allocation

page read and write

163E000

stack

page read and write

EE3000

heap

page read and write

106C000

stack

page read and write

EFA000

trusted library allocation

page execute and read and write

EA7000

heap

page read and write

39F9000

direct allocation

page read and write

16C0000

heap

page read and write

EF0000

heap

page read and write

1B7000

unkown

page readonly

54CE000

stack

page read and write

F46000

heap

page read and write

ED0000

trusted library allocation

page read and write

33C0000

direct allocation

page read and write

2DBE000

stack

page read and write

7100000

trusted library allocation

page read and write

5221000

trusted library allocation

page read and write

154E000

stack

page read and write

16A0000

heap

page read and write

F0E000

heap

page read and write

527E000

stack

page read and write

F5C000

heap

page read and write

EA0000

heap

page read and write

5A5F000

stack

page read and write

8170000

heap

page read and write

3217000

trusted library allocation

page read and write

3070000

trusted library allocation

page read and write

67E7000

trusted library allocation

page read and write

12C0000

trusted library allocation

page read and write

14EF000

stack

page read and write

17F000

unkown

page readonly

400000

system

page execute and read and write

3C0E000

direct allocation

page read and write

There are 354 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Order Specifications for Materials.docx.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOrder Specifications for Materials.docx.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Order Specifications for Materials.docx.exe