Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe

"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7000
Target ID:	0
Parent PID:	2880
Name:	pago del 20.01.2022.PDF______________________________________.exe
Path:	C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe
Commandline:	"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"
Size:	218216
MD5:	4A3D98A8485779447C637CAF1CCAD892
Time:	09:59:06
Date:	23/01/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	217088
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Initial sample is a PE file and has a suspicious name	System Summary
Self deletion via cmd delete	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"

Details

Is windows:	true
Is dropped:	false
PID:	760
Target ID:	11
Parent PID:	7000
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"
Size:	107624
MD5:	F866FC1C2E928779C7119353C3091F0C
Time:	09:59:30
Date:	23/01/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x480000
Modulesize:	114688
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4000
Target ID:	12
Parent PID:	7000
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"
Size:	107624
MD5:	F866FC1C2E928779C7119353C3091F0C
Time:	09:59:31
Date:	23/01/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x80000
Modulesize:	114688
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6884
Target ID:	13
Parent PID:	7000
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"
Size:	107624
MD5:	F866FC1C2E928779C7119353C3091F0C
Time:	09:59:32
Date:	23/01/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x4a0000
Modulesize:	114688
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6852
Target ID:	14
Parent PID:	7000
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"
Size:	107624
MD5:	F866FC1C2E928779C7119353C3091F0C
Time:	09:59:32
Date:	23/01/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xb0000
Modulesize:	114688
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6872
Target ID:	15
Parent PID:	7000
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"
Size:	107624
MD5:	F866FC1C2E928779C7119353C3091F0C
Time:	09:59:33
Date:	23/01/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x630000
Modulesize:	114688
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6840
Target ID:	16
Parent PID:	7000
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"
Size:	107624
MD5:	F866FC1C2E928779C7119353C3091F0C
Time:	09:59:34
Date:	23/01/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x540000
Modulesize:	114688
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6828
Target ID:	17
Parent PID:	7000
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe"
Size:	107624
MD5:	F866FC1C2E928779C7119353C3091F0C
Time:	09:59:35
Date:	23/01/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xdd0000
Modulesize:	114688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6968
Target ID:	18
Parent PID:	6828
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	09:59:36
Date:	23/01/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7f20f0000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://doc-00-6k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/t5k36709iuadumo1ammtf5pl877g3aab/1642928325000/08383092466185559033/*/1BKTAGEWv-q5Ke_0MnBa_Ml90CTgLrdi9?e=download

216.58.198.33

http://mglNPC.com

unknown

http://127.0.0.1:HTTP/1.1

unknown

http://DynDns.comDynDNS

unknown

https://doc-00-6k-docs.googleusercontent.com/d

unknown

https://drive.google.com/h

unknown

https://doc-00-6k-docs.googleusercontent.com/icrosoft

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

unknown

https://doc-00-6k-docs.googleusercontent.com/

unknown

https://doc-00-6k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/t5k36709

unknown

https://drive.google.com/

unknown

https://csp.withgoogle.com/csp/report-to/gse_l9ocaq

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

drive.google.com

216.58.205.78

Details

Name:	drive.google.com
IP:	216.58.205.78
TargetID:	17
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

googlehosted.l.googleusercontent.com

216.58.198.33

doc-00-6k-docs.googleusercontent.com

unknown

Details

Name:	doc-00-6k-docs.googleusercontent.com
TargetID:	17
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

216.58.198.33

googlehosted.l.googleusercontent.com

United States

Details

IP:	216.58.198.33
TargetID:	17
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	googlehosted.l.googleusercontent.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

216.58.205.78

drive.google.com

United States

Details

IP:	216.58.205.78
TargetID:	17
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	drive.google.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

11B0000

unkown

page execute and read and write

1E151000

unkown

page read and write

26944C3F000

unkown

page read and write

7F662000

unkown image

page readonly

7FF5A7C7A000

unkown image

page readonly

100000

unkown image

page readonly

6BA000

heap default

page read and write

1E120000

unkown

page read and write

7DF587C00000

unkown image

page readonly

1150000

unkown

page read and write

160000

unkown image

page readonly

62F2C77000

stack

page read and write

12657DBE000

unkown

page read and write

530000

unkown image

page readonly

7DF56CA62000

unkown image

page readonly

7FF5620C7000

unkown image

page readonly

12657D88000

unkown

page read and write

7DF5C0170000

unkown image

page readonly

1FA6A590000

unkown image

page readonly

7DF5A1720000

unkown image

page readonly

20790000

unkown

page read and write

7FC30000

unkown image

page readonly

7FF5A7BB0000

unkown image

page readonly

7FF561F2F000

unkown image

page readonly

A00000

unkown

page read and write

7FF5B2327000

unkown image

page readonly

1265744A000

unkown

page read and write

7FF579F62000

unkown image

page readonly

232957C0000

unkown image

page readonly

20415000

unkown

page read and write

12657D8E000

unkown

page read and write

20403690000

unkown image

page readonly

2AA0000

unkown

page read and write

7FB72000

unkown image

page readonly

1D171000

unkown

page read and write

7DF512FE0000

unkown image

page readonly

411000

unkown image

page execute read

24B2B849000

unkown

page read and write

E83E8FB000

stack

page read and write

23FF3ED0000

unkown image

page readonly

1150000

unkown

page read and write

100000

unkown image

page readonly

24B2B87B000

unkown

page read and write

12658203000

unkown

page read and write

23FF4049000

unkown

page read and write

7DF587C02000

unkown image

page readonly

7FC20000

unkown image

page readonly

7FF55ED43000

unkown image

page readonly

2130E84F000

unkown

page read and write

2132622A000

unkown

page read and write

7FF50522F000

unkown image

page readonly

7FF593C4C000

unkown image

page readonly

680000

unkown image

page readonly

1E1FA000

unkown

page read and write

1D171000

unkown

page read and write

12658202000

unkown

page read and write

7FF593BCB000

unkown image

page readonly

12657D83000

unkown

page read and write

7FF5050C6000

unkown image

page readonly

12657BB0000

unkown

page read and write

12657453000

unkown

page read and write

7F320000

unkown image

page readonly

2130E5E0000

unkown image

page readonly

1D91E000

stack

page read and write

1D171000

unkown

page read and write

208F0000

unkown

page read and write

7FF596A3B000

unkown image

page readonly

204A0000

unkown

page read and write

E80F7B000

stack

page read and write

1020000

unkown image

page readonly

16DC000

unkown

page read and write

7FF5DFDA5000

unkown image

page readonly

7F420000

unkown image

page readonly

1450000

heap default

page read and write

26DE37F000

stack

page read and write

1DA9E000

stack

page read and write

20403800000

unkown

page read and write

12657330000

heap private

page read and write

14F07002000

unkown

page read and write

1D171000

unkown

page read and write

126573A0000

unkown image

page readonly

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

Domains

IPs

Memdumps