Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\z1quote93039-pdf.exe

"C:\Users\user\Desktop\z1quote93039-pdf.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6512
Target ID:	0
Parent PID:	1028
Name:	z1quote93039-pdf.exe
Path:	C:\Users\user\Desktop\z1quote93039-pdf.exe
Commandline:	"C:\Users\user\Desktop\z1quote93039-pdf.exe"
Size:	1200301
MD5:	1B772B5B66B9ADC3B67EAE3627E75059
Time:	05:59:56
Date:	30/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	741376
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\z1quote93039-pdf.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3276
Target ID:	2
Parent PID:	6512
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\z1quote93039-pdf.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	06:00:01
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x9f0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://mail.zqamcx.com

unknown

Details

Name:	http://mail.zqamcx.com
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
URLs found in memory or binary data	Networking

http://zqamcx.com

unknown

Details

Name:	http://zqamcx.com
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

http://r11.o.lencr.org0#

unknown

Details

Name:	http://r11.o.lencr.org0#
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265177834.0000000000F99000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://r11.i.lencr.org/0#

unknown

Details

Name:	http://r11.i.lencr.org/0#
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265177834.0000000000F99000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.c.lencr.org/0

unknown

Details

Name:	http://x1.c.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3267579333.0000000006261000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.i.lencr.org/0

unknown

Details

Name:	http://x1.i.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3267579333.0000000006261000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

zqamcx.com

78.110.166.82

Details

Name:	zqamcx.com
IP:	78.110.166.82
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.zqamcx.com

unknown

Details

Name:	mail.zqamcx.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

78.110.166.82

zqamcx.com

United Kingdom

Details

IP:	78.110.166.82
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	42831
ASN name:	UKSERVERS-ASUKDedicatedServersHostingandCo-Location
Private:	false
Domain:	zqamcx.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

2CB1000

trusted library allocation

page read and write

2D28000

trusted library allocation

page read and write

2CFE000

trusted library allocation

page read and write

402000

system

page execute and read and write

46FD000

direct allocation

page read and write

3844000

heap

page read and write

41BD000

heap

page read and write

4AB000

unkown

page readonly

F46000

heap

page read and write

41BD000

heap

page read and write

3843000

heap

page read and write

41BD000

heap

page read and write

3841000

heap

page read and write

51A6000

trusted library allocation

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

3848000

heap

page read and write

384D000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

44F6000

heap

page read and write

384D000

heap

page read and write

46F9000

direct allocation

page read and write

384C000

heap

page read and write

3841000

heap

page read and write

2A60000

trusted library allocation

page read and write

6220000

heap

page read and write

44FA000

heap

page read and write

41B5000

heap

page read and write

4553000

direct allocation

page read and write

41BD000

heap

page read and write

2CFC000

trusted library allocation

page read and write

51D2000

trusted library allocation

page read and write

4169000

heap

page read and write

384F000

heap

page read and write

41BC000

heap

page read and write

41BD000

heap

page read and write

3841000

heap

page read and write

41BD000

heap

page read and write

2A9A000

trusted library allocation

page execute and read and write

44FA000

heap

page read and write

DF0000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

384E000

heap

page read and write

4430000

direct allocation

page read and write

41BD000

heap

page read and write

4553000

direct allocation

page read and write

44F3000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

60F0000

trusted library allocation

page execute and read and write

EEB000

heap

page read and write

EDA000

heap

page read and write

44FE000

heap

page read and write

44FF000

heap

page read and write

41BD000

heap

page read and write

384D000

heap

page read and write

41BD000

heap

page read and write

2A74000

trusted library allocation

page read and write

51BA000

trusted library allocation

page read and write

41AD000

heap

page read and write

41BD000

heap

page read and write

6261000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

476E000

direct allocation

page read and write

384F000

heap

page read and write

2AA0000

trusted library allocation

page read and write

2B0E000

stack

page read and write

41BD000

heap

page read and write

4438000

heap

page read and write

41BD000

heap

page read and write

3846000

heap

page read and write

2AA2000

trusted library allocation

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

2C6E000

stack

page read and write

490000

unkown

page write copy

41BD000

heap

page read and write

52EC000

trusted library allocation

page read and write

41BD000

heap

page read and write

3841000

heap

page read and write

44F8000

heap

page read and write

44F5000

heap

page read and write

41BD000

heap

page read and write

476E000

direct allocation

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

4430000

direct allocation

page read and write

3844000

heap

page read and write

384C000

heap

page read and write

3845000

heap

page read and write

51BE000

trusted library allocation

page read and write

2AA5000

trusted library allocation

page execute and read and write

52BE000

stack

page read and write

41BD000

heap

page read and write

525C000

stack

page read and write

44FD000

heap

page read and write

41BD000

heap

page read and write

6289000

heap

page read and write

6A90000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

52E0000

trusted library allocation

page read and write

384F000

heap

page read and write

51A4000

trusted library allocation

page read and write

4148000

heap

page read and write

44FF000

heap

page read and write

44FA000

heap

page read and write

41BD000

heap

page read and write

EB0000

heap

page read and write

41BD000

heap

page read and write

3842000

heap

page read and write

41BD000

heap

page read and write

51AB000

trusted library allocation

page read and write

4138000

heap

page read and write

41B5000

heap

page read and write

3CD9000

trusted library allocation

page read and write

3847000

heap

page read and write

41BD000

heap

page read and write

4553000

direct allocation

page read and write

44F2000

heap

page read and write

60E0000

trusted library allocation

page read and write

41BD000

heap

page read and write

384D000

heap

page read and write

2A8D000

trusted library allocation

page execute and read and write

2CA0000

heap

page read and write

3CB1000

trusted library allocation

page read and write

41BD000

heap

page read and write

476E000

direct allocation

page read and write

41B4000

heap

page read and write

384D000

heap

page read and write

55FE000

stack

page read and write

3840000

heap

page read and write

384D000

heap

page read and write

2A7D000

trusted library allocation

page execute and read and write

58A0000

trusted library allocation

page read and write

44FF000

heap

page read and write

6AA0000

trusted library allocation

page execute and read and write

51F0000

trusted library allocation

page read and write

4430000

direct allocation

page read and write

384A000

heap

page read and write

691F000

stack

page read and write

44F0000

heap

page read and write

3845000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

44F6000

heap

page read and write

52F0000

heap

page read and write

3845000

heap

page read and write

52F3000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

3843000

heap

page read and write

41BD000

heap

page read and write

384F000

heap

page read and write

51B2000

trusted library allocation

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

587F000

stack

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

44FF000

heap

page read and write

2AA7000

trusted library allocation

page execute and read and write

41BD000

heap

page read and write

52D0000

trusted library allocation

page read and write

44F0000

heap

page read and write

ECE000

heap

page read and write

44FF000

heap

page read and write

63A0000

trusted library allocation

page read and write

2A80000

trusted library allocation

page read and write

D89000

stack

page read and write

46F9000

direct allocation

page read and write

44F9000

heap

page read and write

4553000

direct allocation

page read and write

2D24000

trusted library allocation

page read and write

E60000

heap

page read and write

41BD000

heap

page read and write

45D0000

direct allocation

page read and write

2A70000

trusted library allocation

page read and write

41BB000

heap

page read and write

44FE000

heap

page read and write

4E4D000

stack

page read and write

EE5000

heap

page read and write

6140000

trusted library allocation

page execute and read and write

41BD000

heap

page read and write

44F7000

heap

page read and write

44F9000

heap

page read and write

6A60000

trusted library allocation

page read and write

54FC000

stack

page read and write

5200000

trusted library allocation

page read and write

384A000

heap

page read and write

384E000

heap

page read and write

F99000

heap

page read and write

4430000

direct allocation

page read and write

51A0000

trusted library allocation

page read and write

44F7000

heap

page read and write

41B6000

heap

page read and write

41BD000

heap

page read and write

44F7000

heap

page read and write

2C70000

trusted library allocation

page read and write

41BD000

heap

page read and write

46FD000

direct allocation

page read and write

384B000

heap

page read and write

41BD000

heap

page read and write

384A000

heap

page read and write

2D30000

trusted library allocation

page read and write

F1F000

heap

page read and write

44F3000

heap

page read and write

41BD000

heap

page read and write

60E6000

trusted library allocation

page read and write

41BD000

heap

page read and write

3847000

heap

page read and write

41BD000

heap

page read and write

44F2000

heap

page read and write

44FE000

heap

page read and write

6D90000

heap

page read and write

2A90000

trusted library allocation

page read and write

46F9000

direct allocation

page read and write

46FD000

direct allocation

page read and write

41BD000

heap

page read and write

2B60000

heap

page execute and read and write

44FC000

heap

page read and write

63A7000

trusted library allocation

page read and write

41BD000

heap

page read and write

384F000

heap

page read and write

41BD000

heap

page read and write

2AAB000

trusted library allocation

page execute and read and write

41BD000

heap

page read and write

613D000

stack

page read and write

4138000

heap

page read and write

45D0000

direct allocation

page read and write

44F7000

heap

page read and write

44FE000

heap

page read and write

41BD000

heap

page read and write

384D000

heap

page read and write

621E000

stack

page read and write

3849000

heap

page read and write

3840000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

573E000

stack

page read and write

3848000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

4138000

heap

page read and write

44FC000

heap

page read and write

44FE000

heap

page read and write

44F8000

heap

page read and write

2B4C000

stack

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

2C80000

heap

page read and write

51CD000

trusted library allocation

page read and write

51E0000

heap

page execute and read and write

52D8000

trusted library allocation

page read and write

44F6000

heap

page read and write

3844000

heap

page read and write

41BD000

heap

page read and write

51AE000

trusted library allocation

page read and write

44FE000

heap

page read and write

46F9000

direct allocation

page read and write

E00000

heap

page read and write

4430000

direct allocation

page read and write

384A000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

3848000

heap

page read and write

E65000

heap

page read and write

44F6000

heap

page read and write

44F0000

heap

page read and write

41BD000

heap

page read and write

4CB8000

trusted library allocation

page read and write

3845000

heap

page read and write

400000

system

page execute and read and write

45D0000

direct allocation

page read and write

63B0000

trusted library allocation

page read and write

3848000

heap

page read and write

3D17000

trusted library allocation

page read and write

44FF000

heap

page read and write

400000

unkown

page readonly

2A92000

trusted library allocation

page read and write

44F4000

heap

page read and write

51C1000

trusted library allocation

page read and write

2AC0000

trusted library allocation

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

3842000

heap

page read and write

482000

unkown

page readonly

384E000

heap

page read and write

C8A000

stack

page read and write

F33000

heap

page read and write

41BD000

heap

page read and write

2A96000

trusted library allocation

page execute and read and write

3848000

heap

page read and write

41BD000

heap

page read and write

E10000

heap

page read and write

44F5000

heap

page read and write

7F050000

trusted library allocation

page execute and read and write

51C6000

trusted library allocation

page read and write

2D17000

trusted library allocation

page read and write

41BD000

heap

page read and write

A63000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

F3F000

heap

page read and write

384C000

heap

page read and write

44F1000

heap

page read and write

46FD000

direct allocation

page read and write

45D0000

direct allocation

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

EB8000

heap

page read and write

44F4000

heap

page read and write

EE8000

heap

page read and write

5300000

heap

page read and write

476E000

direct allocation

page read and write

44F2000

heap

page read and write

401000

unkown

page execute read

577E000

stack

page read and write

44FF000

heap

page read and write

44F6000

heap

page read and write

655D000

stack

page read and write

44F9000

heap

page read and write

2B50000

trusted library allocation

page execute and read and write

41BD000

heap

page read and write

E80000

heap

page read and write

41B9000

heap

page read and write

61DE000

stack

page read and write

41BD000

heap

page read and write

2A73000

trusted library allocation

page execute and read and write

41BD000

heap

page read and write

44F7000

heap

page read and write

41BD000

heap

page read and write

384E000

heap

page read and write

681E000

stack

page read and write

384B000

heap

page read and write

44F6000

heap

page read and write

5190000

trusted library allocation

page read and write

44F8000

heap

page read and write

563E000

stack

page read and write

41BD000

heap

page read and write

44F5000

heap

page read and write

418A000

heap

page read and write

F84000

heap

page read and write

41BD000

heap

page read and write

41BD000

heap

page read and write

384F000

heap

page read and write

There are 343 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
z1quote93039-pdf.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportz1quote93039-pdf.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
z1quote93039-pdf.exe