Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 16:21:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Category:	dropped
Dump:	Docs.lnk.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 16:21:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.9945306998625756
Encrypted:	false
Size:	2673
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 16:21:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Category:	dropped
Dump:	Gmail.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 16:21:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.008036274377051
Encrypted:	false
Size:	2675
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Category:	dropped
Dump:	Google Drive.lnk.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.012603221059007
Encrypted:	false
Size:	2689
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 16:21:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Category:	dropped
Dump:	Sheets.lnk.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 16:21:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.003174554044556
Encrypted:	false
Size:	2677
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Category:	dropped
Dump:	Slides.lnk.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 16:21:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.9964890226039436
Encrypted:	false
Size:	2677
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 16:21:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Category:	dropped
Dump:	YouTube.lnk.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 16:21:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.003374761763327
Encrypted:	false
Size:	2679
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

URLs

Name

Malicious

https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=wkoford%40flcu.org&senderemailaddress=vbabilon%40topcu.org&senderorganization=AwF8AAAAAngAAAADAQAAAFLiNAy%2bMHBMrgNoa1JLv8RPVT1UT1BDVS5vbm1pY3Jvc29mdC5jb20sT1U9TWljcm9zb2Z0IEV4Y2hhbmdlIEhvc3RlZCBPcmdhbml6YXRpb25zLERDPU5BTVBSMThBMDAyLERDPVBST0QsREM9T1VUTE9PSyxEQz1DT01sjiYyYH6GR6%2fdBA%2boFpViQ049Q29uZmlndXJhdGlvbixDTj1UT1BDVS5vbm1pY3Jvc29mdC5jb20sQ049Q29uZmlndXJhdGlvblVuaXRzLERDPU5BTVBSMThBMDAyLERDPVBST0QsREM9T1VUTE9PSyxEQz1DT00B&messageid=%3cMW4PR14MB4620C13FE273646CED49EBC8D4162%40MW4PR14MB4620.namprd14.prod.outlook.com%3e&cfmRecipient=SystemMailbox%7b0AF09B7F-434F-4B2F-9CBC-57639EDCFD9C%7d%40TOPCU.onmicrosoft.com&consumerEncryption=false&senderorgid=87e347d3-c643-4789-ba6c-8496a3e9464a&urldecoded=1&e4e_sdata=UH6JXHxXjFqJr5ORbGi72iSocwvY3FBjFZqp%2bQDyMTjkxp3YIoFlz3uiyzRfZo%2fxNm0e2ZVghWANURzMCv4Up2GEkpWJ2X4V8vS3l0DLsTmNDP5%2fc31Mi4HBt23CV8U1KFqt8HzeT3P9SXWGVndRL%2ffYLSvlQ9NIUVoO9Cw%2bWMN71nPxHKF01itEy7MDRN7cmuPlUvyMl6O3WmcG1Tr%2bkAyrywDYm73p2NSXUx%2f3TZmh%2fu4xb3kCzn%2bwnvhuwS8mITrZqbABMKmBBdbIUyFTOhhhrtqwtoAX3qqTyKoiy0n6wpeyH8jbxYuR%2f70SwXPiBTxQTAuZ8gMIJBCHcrH2fQ%3d%3d

Details

Filetype:

URL

Filename:

Signature Hits	Behavior Group	Mitre Attack
HTML body contains low number of good links	Phishing
HTML title does not match URL	Phishing
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Creates files inside the user directory	System Summary	Masquerading
META author tag missing	Phishing
META copyright tag missing	Phishing
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://outlook.office365.com/Encryption/OTPSigninPage.aspx?itemID=E4E_M_8a92a92e-d8f9-4abf-875e-edcc54bd039c&OTPMessageId=83e8ad36-f9fd-404d-ae13-866f4decba73%40SJ0PR18MB5056.namprd18.prod.outlook.com&OTPReferenceId=6266

Details

Name:	https://outlook.office365.com/Encryption/OTPSigninPage.aspx?itemID=E4E_M_8a92a92e-d8f9-4abf-875e-edcc54bd039c&OTPMessageId=83e8ad36-f9fd-404d-ae13-866f4decba73%40SJ0PR18MB5056.namprd18.prod.outlook.com&OTPReferenceId=6266
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTML body contains low number of good links	Phishing
HTML title does not match URL	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing

Domains

Name

Malicious

www.google.com

142.250.64.196

Details

Name:	www.google.com
IP:	142.250.64.196
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

LYH-efz.ms-acdc.office.com

52.96.119.82

static2.sharepointonline.com

unknown

r1.res.office365.com

unknown

ajax.aspnetcdn.com

unknown

outlook.office365.com

unknown

Details

Name:	outlook.office365.com
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

23.194.239.166

unknown

United States

192.178.50.78

unknown

United States

1.1.1.1

unknown

Australia

142.251.107.84

unknown

United States

52.96.119.82

LYH-efz.ms-acdc.office.com

United States

152.199.4.33

unknown

United States

192.168.2.16

unknown

142.250.217.206

unknown

United States

192.168.2.4

unknown

23.43.173.5

unknown

United States

142.250.64.196

www.google.com

United States

239.255.255.250

unknown

Reserved

172.217.165.195

unknown

United States

40.97.230.178

unknown

United States

142.250.217.234

unknown

United States

142.250.217.195

unknown

United States

52.96.172.114

unknown

United States

There are 7 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Files

URLs

Domains

IPs