Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://kra.ndml.in/kra-web/Mail/ENEDpDME_ddRnXxVc50cpgYEG3w8mclx4APm6ShyCOrrvM6hBqc3-5vCvQN-X5XN/Pbpp1LlByBKEzvjWvaUdYAoxoxNWtNmpdPLEflzCf0nTwIx6mcECpQ==/PhKsGuPve2w=

Details

Is windows:	true
Is dropped:	false
PID:	7020
Target ID:	0
Parent PID:	3548
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://kra.ndml.in/kra-web/Mail/ENEDpDME_ddRnXxVc50cpgYEG3w8mclx4APm6ShyCOrrvM6hBqc3-5vCvQN-X5XN/Pbpp1LlByBKEzvjWvaUdYAoxoxNWtNmpdPLEflzCf0nTwIx6mcECpQ==/PhKsGuPve2w=
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	19:17:16
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7f9810000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1936,i,2990256087952315808,2795152919663852828,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	6164
Target ID:	1
Parent PID:	7020
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1936,i,2990256087952315808,2795152919663852828,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	19:17:16
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7f9810000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	7140
Target ID:	12
Parent PID:	804
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	19:17:42
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6b9240000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5484
Target ID:	16
Parent PID:	4380
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe"
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	19:18:46
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7f9810000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

Details

Is windows:	true
Is dropped:	false
PID:	5404
Target ID:	17
Parent PID:	5484
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2044,i,10422334157882643257,4372687792267405033,262144 /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	19:18:47
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7f9810000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://kra.ndml.in/kra-web/Mail/ENEDpDME_ddRnXxVc50cpgYEG3w8mclx4APm6ShyCOrrvM6hBqc3-5vCvQN-X5XN/Pbpp1LlByBKEzvjWvaUdYAoxoxNWtNmpdPLEflzCf0nTwIx6mcECpQ==/PhKsGuPve2w=

https://kra.ndml.in/kra-web/MailClose.jsp

59.163.48.94

https://developers.google.com/recaptcha/docs/faq#localhost_support

unknown

https://support.google.com/recaptcha#6262736

unknown

https://kra.ndml.in/kra-web/themes/layout.css

59.163.48.94

https://cloud.google.com/recaptcha-enterprise/billing-information

unknown

http://kra.ndml.in/kra-web/Mail/ENEDpDME_ddRnXxVc50cpgYEG3w8mclx4APm6ShyCOrrvM6hBqc3-5vCvQN-X5XN/Pbpp1LlByBKEzvjWvaUdYAoxoxNWtNmpdPLEflzCf0nTwIx6mcECpQ==/PhKsGuPve2w=

59.163.48.94

http://jqueryui.com

unknown

https://recaptcha.net

unknown

https://www.apache.org/licenses/

unknown

https://www.google.com/async/newtab_promos

142.250.217.196

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGPrDr7EGIjA51nBO0ouJB96IkrPObbeH40esAxTUWJYDSH_tpPv7r8GIlnQ1bntE4rLxvVsQBtUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

142.250.217.196

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

142.250.217.196

https://support.google.com/recaptcha/?hl=en#6223828

unknown

https://www.google.com/favicon.ico

142.250.217.196

https://cloud.google.com/contact

unknown

https://developers.google.com/recaptcha/docs/faq#my-computer-or-network-may-be-sending-automated-que

unknown

https://www.google.com/async/ddljson?async=ntp:2

142.250.217.196

https://www.google.com/search?q=nyt+connections+hints+april+26&oq=&gs_lcrp=EgZjaHJvbWUqDggCEAAYAxhCGI8BGOoCMgwIABAuGAMYjwEY6gIyDggBEAAYAxhCGI8BGOoCMg4IAhAAGAMYQhiPARjqAjIOCAMQABgDGEIYjwEY6gIyDggEEAAYAxhCGI8BGOoCMg4IBRAAGAMYQhiPARjqAjIOCAYQABgDGEIYjwEY6gIyDggHEAAYAxhCGI8BGOoC0gEKMjEzMDE2ajBqN6gCCLACAQ&sourceid=chrome&ie=UTF-8

142.250.217.196

https://play.google.com/log?format=json&hasfast=true

unknown

https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dnyt%2Bconnections%2Bhints%2Bapril%2B26%26oq%3D%26gs_lcrp%3DEgZjaHJvbWUqDggCEAAYAxhCGI8BGOoCMgwIABAuGAMYjwEY6gIyDggBEAAYAxhCGI8BGOoCMg4IAhAAGAMYQhiPARjqAjIOCAMQABgDGEIYjwEY6gIyDggEEAAYAxhCGI8BGOoCMg4IBRAAGAMYQhiPARjqAjIOCAYQABgDGEIYjwEY6gIyDggHEAAYAxhCGI8BGOoC0gEKMjEzMDE2ajBqN6gCCLACAQ%26sourceid%3Dchrome%26ie%3DUTF-8&q=EgRmgZjcGILEr7EGIjDYWZjKno5JvCWZFz_8l_wfRjhUucocyKy4RSU_MxZIiCKq2ngkq1Rr5-2EKs1dAfoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

142.250.217.196

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

142.250.217.196

https://developers.google.com/recaptcha/docs/faq#are-there-any-qps-or-daily-limits-on-my-use-of-reca

unknown

https://www.google.com/recaptcha/api.js

142.250.217.196

https://support.google.com/recaptcha/#6175971

unknown

https://www.gstatic.c..?/recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/recaptcha__.

unknown

https://kra.ndml.in/kra-web/javascripts/jquery-ui.min.js

59.163.48.94

https://www.google.com/recaptcha/api2/bframe?hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b

142.250.217.196

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGPnDr7EGIjBmzD6XKne16sxc7aHb3W-_JuZBXg9GdeRJ5dqb22OPbS63K98czF4n9otYLEAd3dAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

142.250.217.196

https://kra.ndml.in/kra-web/javascripts/jquery.min.js

59.163.48.94

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

142.250.217.196

https://www.google.com/recaptcha/api2/

unknown

https://kra.ndml.in/kra-web/Mail/ENEDpDME_ddRnXxVc50cpgYEG3w8mclx4APm6ShyCOrrvM6hBqc3-5vCvQN-X5XN/Pbpp1LlByBKEzvjWvaUdYAoxoxNWtNmpdPLEflzCf0nTwIx6mcECpQ==/PhKsGuPve2w=

59.163.48.94

https://www.google.com/recaptcha/api2/webworker.js?hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m

142.250.217.196

https://www.google.com/js/bg/lkTXq49YG5_ej1w7m4T9Nw_1Lx1Ocd1gteWQpsfV_Tk.js

142.250.217.196

https://support.google.com/recaptcha

unknown

There are 25 hidden URLs, click here to show them.

Domains

Name

Malicious

kra.ndml.in

59.163.48.94

Details

Name:	kra.ndml.in
IP:	59.163.48.94
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

www.google.com

142.250.217.228

Details

Name:	www.google.com
IP:	142.250.217.228
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

192.168.2.16

unknown

142.250.217.228

www.google.com

United States

59.163.48.94

kra.ndml.in

India

142.250.217.196

unknown

United States

239.255.255.250

unknown

Reserved

Memdumps

Base Address

Regiontype

Protect

Malicious

9FCE35E000

stack

page read and write

246502F8000

heap

page read and write

9FCE2DC000

stack

page read and write

9FCE67F000

stack

page read and write

246502F0000

heap

page read and write

246504D0000

heap

page read and write

24650510000

heap

page read and write

24650500000

heap

page read and write

246503F0000

heap

page read and write

24651E70000

heap

page read and write

24650505000

heap

page read and write

9FCE3DE000

stack

page read and write

There are 2 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
http://kra.ndml.in/kra-web/Mail/ENEDpDME_ddRnXxVc50cpgYEG3w8mclx4APm6ShyCOrrvM6hBqc3-5vCvQN-X5XN/Pbpp1LlByBKEzvjWvaUdYAoxoxNWtNmpdPLEflzCf0nTwIx6mcECpQ==/PhKsGuPve2w=

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttp://kra.ndml.in/kra-web/Mail/ENEDpDME_ddRnXxVc50cpgYEG3w8mclx4APm6ShyCOrrvM6hBqc3-5vCvQN-X5XN/Pbpp1LlByBKEzvjWvaUdYAoxoxNWtNmpdPLEflzCf0nTwIx6mcECpQ==/PhKsGuPve2w=

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
http://kra.ndml.in/kra-web/Mail/ENEDpDME_ddRnXxVc50cpgYEG3w8mclx4APm6ShyCOrrvM6hBqc3-5vCvQN-X5XN/Pbpp1LlByBKEzvjWvaUdYAoxoxNWtNmpdPLEflzCf0nTwIx6mcECpQ==/PhKsGuPve2w=