Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Leoch-Purchase Order.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.278387447678832
Filename:	Leoch-Purchase Order.exe
Filesize:	354304
MD5:	3825ed31a02b3d690c3d43a1e3808d1a
SHA1:	82b16668205bd4ca4b5c6119be08a9cfcc5248d6
SHA256:	d0bbc42f00f4cf1b59db6e2c2b13fe64bdd85c43e8209493b46119fbcc945db8
SHA512:	3d6cecea0aa67f3e875107f408d278c45948ba497def9fc31c5f2bdca74dbb98f6cf84d42c7472842897793e637c8cf12139ac1fabe6d75d43618d43980526d6
SSDEEP:	6144:Xk67U5g5NTax7p9S44HtAs7EgaIgai/rBUEjh7g/+qUMwe/vqtapko+QZKAJ7CZz:d7U25NTaNpkRNA0Jpgdj3VHZ+q7ofZ7U
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f f.................>...(.......\... ...`....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery
Sample has a suspicious name (potential lure to open the executable)	System Summary
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains functionality to call native functions	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
Contains functionality to modify the execution of threads in other processes
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation System Information Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe
Category:	dropped
Dump:	uaAWu.exe.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.278387447678832
Encrypted:	false
Ssdeep:	6144:Xk67U5g5NTax7p9S44HtAs7EgaIgai/rBUEjh7g/+qUMwe/vqtapko+QZKAJ7CZz:d7U25NTaNpkRNA0Jpgdj3VHZ+q7ofZ7U
Size:	354304
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for dropped file	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
One or more processes crash	System Summary
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe:Zone.Identifier
Category:	modified
Dump:	uaAWu.exe_Zone.Identifier.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for dropped file	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
One or more processes crash	System Summary
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Leoch-Purchase Order.exe

"C:\Users\user\Desktop\Leoch-Purchase Order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7408
Target ID:	0
Parent PID:	2580
Name:	Leoch-Purchase Order.exe
Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Commandline:	"C:\Users\user\Desktop\Leoch-Purchase Order.exe"
Size:	354304
MD5:	3825ED31A02B3D690C3D43A1E3808D1A
Time:	06:28:55
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6d0000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Sample has a suspicious name (potential lure to open the executable)	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Leoch-Purchase Order.exe

"C:\Users\user\Desktop\Leoch-Purchase Order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7432
Target ID:	1
Parent PID:	7408
Name:	Leoch-Purchase Order.exe
Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Commandline:	"C:\Users\user\Desktop\Leoch-Purchase Order.exe"
Size:	354304
MD5:	3825ED31A02B3D690C3D43A1E3808D1A
Time:	06:28:55
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6b0000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Sample has a suspicious name (potential lure to open the executable)	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe

"C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7628
Target ID:	2
Parent PID:	2580
Name:	uaAWu.exe
Path:	C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe
Commandline:	"C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"
Size:	354304
MD5:	3825ED31A02B3D690C3D43A1E3808D1A
Time:	06:29:05
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x360000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe

"C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7660
Target ID:	3
Parent PID:	7628
Name:	uaAWu.exe
Path:	C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe
Commandline:	"C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"
Size:	354304
MD5:	3825ED31A02B3D690C3D43A1E3808D1A
Time:	06:29:06
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x370000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe

"C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7776
Target ID:	7
Parent PID:	7628
Name:	uaAWu.exe
Path:	C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe
Commandline:	"C:\Users\user\AppData\Roaming\uaAWu\uaAWu.exe"
Size:	354304
MD5:	3825ED31A02B3D690C3D43A1E3808D1A
Time:	06:29:07
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xf30000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 80

Details

Is windows:	true
Is dropped:	false
PID:	7744
Target ID:	6
Parent PID:	7660
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 80
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	06:29:06
Date:	18/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x610000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

Details

Name:	https://api.ipify.org/
IP:	172.67.74.152
TargetID:	1
From Memory:	false
Current Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Source:	Leoch-Purchase Order.exe, 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000001.00000002.2894274210.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.00000000032D1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://mail.voivocars.com

unknown

Details

Name:	http://mail.voivocars.com
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Source:	Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.000000000334C000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.microsoft.c

unknown

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Source:	Leoch-Purchase Order.exe, 00000000.00000002.1655876034.0000000003A74000.00000004.00000800.00020000.00000000.sdmp, Leoch-Purchase Order.exe, 00000000.00000002.1656188733.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2894270079.0000000000436000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://microsoft.coo

unknown

https://api.ipify.org/t

unknown

Details

Name:	https://api.ipify.org/t
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Source:	Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.00000000032D1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Source:	Leoch-Purchase Order.exe, 00000001.00000002.2895748774.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, uaAWu.exe, 00000007.00000002.2895870683.00000000032D1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

mail.voivocars.com

46.175.145.107

Details

Name:	mail.voivocars.com
IP:	46.175.145.107
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

46.175.145.107

mail.voivocars.com

Ukraine

Details

IP:	46.175.145.107
TargetID:	1
Current Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Country:	Ukraine
Countrycode:	UKR
ASN number:	56394
ASN name:	ASLAGIDKOM-NETUA
Private:	false
Domain:	mail.voivocars.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	1
Current Path:	C:\Users\user\Desktop\Leoch-Purchase Order.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Leoch-Purchase Order_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

uaAWu

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\uaAWu_RASMANCS

FileDirectory

There are 20 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

334C000

trusted library allocation

page read and write

2D21000

trusted library allocation

page read and write

2D4C000

trusted library allocation

page read and write

3A74000

trusted library allocation

page read and write

436000

remote allocation

page execute and read and write

4F60000

direct allocation

page execute and read and write

3321000

trusted library allocation

page read and write

F42000

trusted library allocation

page read and write

3311000

trusted library allocation

page read and write

1440000

heap

page read and write

CF4000

trusted library allocation

page read and write

F30000

trusted library allocation

page read and write

67D0000

trusted library allocation

page read and write

6F4D000

stack

page read and write

514E000

stack

page read and write

7050000

trusted library allocation

page read and write

D17000

trusted library allocation

page execute and read and write

6A0F000

stack

page read and write

D2D000

heap

page read and write

32D1000

trusted library allocation

page read and write

895000

heap

page read and write

1892000

trusted library allocation

page read and write

6660000

trusted library allocation

page read and write

F47000

trusted library allocation

page execute and read and write

1528000

heap

page read and write

5150000

heap

page read and write

3D3C000

trusted library allocation

page read and write

6F00000

trusted library allocation

page read and write

6C4E000

stack

page read and write

A7D000

trusted library allocation

page execute and read and write

7F100000

trusted library allocation

page execute and read and write

545E000

stack

page read and write

CF0000

trusted library allocation

page read and write

D28000

heap

page read and write

325E000

trusted library allocation

page read and write

F1D000

trusted library allocation

page execute and read and write

D1B000

trusted library allocation

page execute and read and write

6F70000

trusted library allocation

page execute and read and write

383B000

trusted library allocation

page read and write

572D000

stack

page read and write

79A000

stack

page read and write

402000

remote allocation

page execute and read and write

6B90000

heap

page read and write

68CE000

stack

page read and write

18C0000

trusted library allocation

page read and write

1874000

trusted library allocation

page read and write

3A71000

trusted library allocation

page read and write

3CD1000

trusted library allocation

page read and write

3354000

trusted library allocation

page read and write

25B0000

heap

page execute and read and write

17A0000

trusted library allocation

page read and write

5031000

trusted library allocation

page read and write

1380000

heap

page read and write

F50000

trusted library allocation

page read and write

501B000

trusted library allocation

page read and write

1870000

trusted library allocation

page read and write

3346000

trusted library allocation

page read and write

6A20000

heap

page read and write

335C000

trusted library allocation

page read and write

52D8000

trusted library allocation

page read and write

528F000

stack

page read and write

A9A000

trusted library allocation

page execute and read and write

1960000

trusted library allocation

page execute and read and write

5820000

heap

page read and write

6DCE000

stack

page read and write

1896000

trusted library allocation

page execute and read and write

65C000

stack

page read and write

163E000

stack

page read and write

F14000

trusted library allocation

page read and write

1670000

heap

page read and write

5070000

heap

page read and write

6AA2000

heap

page read and write

18A5000

trusted library allocation

page execute and read and write

3876000

trusted library allocation

page read and write

A84000

trusted library allocation

page read and write

1480000

heap

page read and write

299E000

stack

page read and write

CE0000

trusted library allocation

page read and write

18A2000

trusted library allocation

page read and write

6A2F000

heap

page read and write

A74000

trusted library allocation

page read and write

279E000

trusted library allocation

page read and write

6F07000

trusted library allocation

page read and write

559E000

stack

page read and write

5022000

trusted library allocation

page read and write

1339000

stack

page read and write

BFF000

stack

page read and write

14F7000

heap

page read and write

AF9000

stack

page read and write

F40000

trusted library allocation

page execute and read and write

32B0000

heap

page execute and read and write

D60000

heap

page read and write

A60000

trusted library allocation

page read and write

42F9000

trusted library allocation

page read and write

AF0000

heap

page read and write

CC6000

heap

page read and write

1390000

heap

page read and write

6D2000

unkown

page readonly

67E0000

trusted library allocation

page read and write

66E0000

trusted library allocation

page execute and read and write

648E000

stack

page read and write

549F000

stack

page read and write

D40000

heap

page read and write

F32000

trusted library allocation

page read and write

F07000

heap

page read and write

518E000

stack

page read and write

F13000

trusted library allocation

page execute and read and write

BE0000

heap

page read and write

433000

remote allocation

page execute and read and write

F4B000

trusted library allocation

page execute and read and write

1530000

heap

page read and write

18A7000

trusted library allocation

page execute and read and write

326A000

trusted library allocation

page read and write

6F60000

trusted library allocation

page execute and read and write

3276000

trusted library allocation

page read and write

1650000

trusted library allocation

page read and write

6670000

trusted library allocation

page read and write

1520000

heap

page read and write

3250000

trusted library allocation

page read and write

26C1000

trusted library allocation

page read and write

D10000

heap

page read and write

6EF7000

trusted library allocation

page read and write

514E000

stack

page read and write

C90000

heap

page read and write

D20000

heap

page read and write

3271000

trusted library allocation

page read and write

6A10000

heap

page read and write

152C000

stack

page read and write

4BAE000

stack

page read and write

6EF0000

trusted library allocation

page read and write

2D48000

trusted library allocation

page read and write

B00000

heap

page read and write

1420000

heap

page read and write

F3A000

trusted library allocation

page execute and read and write

CE4000

trusted library allocation

page read and write

5010000

trusted library allocation

page read and write

19A0000

heap

page read and write

890000

heap

page read and write

C10000

heap

page read and write

3290000

trusted library allocation

page read and write

F70000

heap

page read and write

14B5000

heap

page read and write

32C0000

heap

page read and write

8A0000

heap

page read and write

664F000

stack

page read and write

330F000

trusted library allocation

page read and write

FBE000

stack

page read and write

19A7000

heap

page read and write

F36000

trusted library allocation

page execute and read and write

2570000

direct allocation

page execute and read and write

6F50000

heap

page read and write

1860000

trusted library allocation

page read and write

5CEE000

stack

page read and write

8EE000

stack

page read and write

188D000

trusted library allocation

page execute and read and write

1980000

trusted library allocation

page read and write

51CC000

stack

page read and write

545E000

stack

page read and write

5A2C000

stack

page read and write

2D4A000

trusted library allocation

page read and write

3800000

trusted library allocation

page read and write

654E000

stack

page read and write

940000

heap

page read and write

EF0000

trusted library allocation

page read and write

5823000

heap

page read and write

D4B000

heap

page read and write

14AA000

heap

page read and write

6EFD000

trusted library allocation

page read and write

6ECE000

stack

page read and write

435000

remote allocation

page execute and read and write

4F7E000

stack

page read and write

3307000

trusted library allocation

page read and write

9C2000

heap

page read and write

1445000

heap

page read and write

980000

heap

page read and write

502A000

trusted library allocation

page read and write

6EF5000

trusted library allocation

page read and write

667D000

trusted library allocation

page read and write

D62000

heap

page read and write

75D000

stack

page read and write

DA5000

heap

page read and write

6687000

trusted library allocation

page read and write

AAB000

trusted library allocation

page execute and read and write

324F000

stack

page read and write

433D000

trusted library allocation

page read and write

5B6F000

stack

page read and write

189A000

trusted library allocation

page execute and read and write

255D000

stack

page read and write

D3E000

stack

page read and write

1873000

trusted library allocation

page execute and read and write

D1E000

heap

page read and write

36C4000

trusted library allocation

page read and write

1794000

trusted library allocation

page read and write

B20000

heap

page read and write

518D000

stack

page read and write

502E000

trusted library allocation

page read and write

D65000

heap

page read and write

66CE000

stack

page read and write

606E000

stack

page read and write

D70000

heap

page read and write

2D46000

trusted library allocation

page read and write

4DFE000

stack

page read and write

F00000

heap

page read and write

3CF9000

trusted library allocation

page read and write

26BE000

stack

page read and write

759000

stack

page read and write

67E7000

trusted library allocation

page read and write

6499000

heap

page read and write

7054000

trusted library allocation

page read and write

18AB000

trusted library allocation

page execute and read and write

D47000

heap

page read and write

4AAE000

stack

page read and write

325B000

trusted library allocation

page read and write

F2D000

trusted library allocation

page execute and read and write

65C000

stack

page read and write

5050000

heap

page read and write

1790000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

1890000

trusted library allocation

page read and write

4FE0000

trusted library allocation

page read and write

57EC000

stack

page read and write

1458000

trusted library allocation

page read and write

5DD0000

heap

page read and write

503D000

trusted library allocation

page read and write

7B0000

heap

page read and write

5042000

trusted library allocation

page read and write

CBA000

heap

page read and write

A80000

trusted library allocation

page read and write

327D000

trusted library allocation

page read and write

7420000

trusted library allocation

page execute and read and write

690E000

stack

page read and write

AD0000

trusted library allocation

page execute and read and write

2A71000

trusted library allocation

page read and write

CAE000

heap

page read and write

CD0000

trusted library allocation

page read and write

94E000

heap

page read and write

10FF000

stack

page read and write

2D0F000

trusted library allocation

page read and write

5052000

heap

page read and write

4CA0000

trusted library allocation

page read and write

195C000

stack

page read and write

7067000

trusted library allocation

page read and write

1970000

trusted library allocation

page read and write

73D0000

trusted library allocation

page read and write

507E000

stack

page read and write

AF9000

stack

page read and write

1640000

trusted library allocation

page execute and read and write

528D000

stack

page read and write

187D000

trusted library allocation

page execute and read and write

1555000

heap

page read and write

D37000

heap

page read and write

FF0000

heap

page read and write

6A60000

heap

page read and write

144E000

stack

page read and write

678E000

stack

page read and write

948000

heap

page read and write

6D8E000

stack

page read and write

555E000

stack

page read and write

1680000

heap

page execute and read and write

5DAD000

stack

page read and write

334A000

trusted library allocation

page read and write

62EE000

stack

page read and write

546E000

stack

page read and write

422000

remote allocation

page execute and read and write

6BA0000

trusted library allocation

page execute and read and write

5BAE000

stack

page read and write

1559000

heap

page read and write

149E000

heap

page read and write

974000

heap

page read and write

6EE0000

trusted library allocation

page read and write

6680000

trusted library allocation

page read and write

5016000

trusted library allocation

page read and write

A73000

trusted library allocation

page execute and read and write

1990000

trusted library allocation

page read and write

52CE000

stack

page read and write

64B5000

heap

page read and write

D2E000

heap

page read and write

CC8000

heap

page read and write

F60000

heap

page read and write

CFF000

stack

page read and write

569E000

stack

page read and write

66F0000

trusted library allocation

page execute and read and write

14B7000

heap

page read and write

2D5C000

trusted library allocation

page read and write

602E000

stack

page read and write

326E000

trusted library allocation

page read and write

18A0000

trusted library allocation

page read and write

61AE000

stack

page read and write

504E000

stack

page read and write

1673000

heap

page read and write

123A000

stack

page read and write

F1E000

stack

page read and write

6B50000

trusted library allocation

page read and write

66D0000

heap

page read and write

3762000

trusted library allocation

page read and write

190E000

stack

page read and write

5CAE000

stack

page read and write

5A6E000

stack

page read and write

531E000

stack

page read and write

6A95000

heap

page read and write

B30000

heap

page read and write

1880000

trusted library allocation

page read and write

62AE000

stack

page read and write

2D11000

trusted library allocation

page read and write

F45000

trusted library allocation

page execute and read and write

1400000

trusted library allocation

page read and write

2D1D000

trusted library allocation

page read and write

C98000

heap

page read and write

8C0000

heap

page read and write

FD0000

heap

page read and write

6ABB000

heap

page read and write

2CD1000

trusted library allocation

page read and write

1910000

heap

page execute and read and write

6A62000

heap

page read and write

7410000

heap

page read and write

96C000

heap

page read and write

1488000

heap

page read and write

6B4E000

stack

page read and write

AA7000

trusted library allocation

page execute and read and write

43E000

remote allocation

page execute and read and write

7060000

trusted library allocation

page read and write

1450000

heap

page read and write

616E000

stack

page read and write

36C1000

trusted library allocation

page read and write

4F3E000

stack

page read and write

6452000

heap

page read and write

6EE8000

trusted library allocation

page read and write

75B0000

heap

page read and write

155F000

heap

page read and write

AE0000

trusted library allocation

page read and write

541E000

stack

page read and write

7BC000

stack

page read and write

4CFE000

stack

page read and write

5830000

heap

page read and write

F10000

trusted library allocation

page read and write

63EE000

stack

page read and write

421000

remote allocation

page execute and read and write

501E000

trusted library allocation

page read and write

C9E000

stack

page read and write

530E000

stack

page read and write

F20000

trusted library allocation

page read and write

6410000

heap

page read and write

6414000

heap

page read and write

4E3E000

stack

page read and write

485D000

stack

page read and write

73E0000

trusted library allocation

page read and write

CE3000

trusted library allocation

page execute and read and write

1796000

trusted library allocation

page read and write

510D000

stack

page read and write

52CE000

stack

page read and write

2D07000

trusted library allocation

page read and write

1660000

trusted library allocation

page read and write

5730000

heap

page read and write

1553000

heap

page read and write

FC0000

direct allocation

page execute and read and write

C30000

heap

page read and write

2D54000

trusted library allocation

page read and write

D48000

heap

page read and write

6D0000

unkown

page readonly

423000

remote allocation

page execute and read and write

A70000

trusted library allocation

page read and write

53CF000

stack

page read and write

42D1000

trusted library allocation

page read and write

700F000

stack

page read and write

3348000

trusted library allocation

page read and write

7FA40000

trusted library allocation

page execute and read and write

331D000

trusted library allocation

page read and write

6C8E000

stack

page read and write

2A60000

heap

page execute and read and write

6668000

trusted library allocation

page read and write

5060000

heap

page read and write

D0A000

trusted library allocation

page execute and read and write

3262000

trusted library allocation

page read and write

5036000

trusted library allocation

page read and write

D54000

heap

page read and write

4FF0000

heap

page execute and read and write

6D90000

heap

page read and write

178E000

stack

page read and write

6B60000

trusted library allocation

page read and write

25A0000

heap

page execute and read and write

5180000

heap

page execute and read and write

C5E000

stack

page read and write

52CC000

stack

page read and write

CED000

trusted library allocation

page execute and read and write

92E000

stack

page read and write

434000

remote allocation

page execute and read and write

There are 376 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Leoch-Purchase Order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLeoch-Purchase Order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Leoch-Purchase Order.exe