Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jun 17 14:57:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Category:	dropped
Dump:	Docs.lnk.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jun 17 14:57:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.9898884008750817
Encrypted:	false
Size:	2673
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Category:	dropped
Dump:	Gmail.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jun 17 14:57:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.006694574891017
Encrypted:	false
Size:	2675
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Category:	dropped
Dump:	Google Drive.lnk.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.011954377322807
Encrypted:	false
Size:	2689
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Category:	dropped
Dump:	Sheets.lnk.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jun 17 14:57:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.004113683526723
Encrypted:	false
Size:	2677
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Category:	dropped
Dump:	Slides.lnk.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jun 17 14:57:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.991822423377786
Encrypted:	false
Size:	2677
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Category:	dropped
Dump:	YouTube.lnk.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jun 17 14:57:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.004149879932813
Encrypted:	false
Size:	2679
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

URLs

Name

Malicious

http://msn.com

Details

Filetype:	URL
Filename:	http://msn.com

Signature Hits	Behavior Group	Mitre Attack
HTML body contains low number of good links	Phishing
HTML title does not match URL	Phishing	Extra Window Memory Injection
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Classification label	System Summary	Extra Window Memory Injection
Connects to IPs without corresponding DNS lookups	Networking	Extra Window Memory Injection
Creates files inside the user directory	System Summary	Masquerading
Downloads files from webservers via HTTP	Networking	Extra Window Memory Injection Ingress Tool Transfer
HTML page is missing a favicon	Phishing	Extra Window Memory Injection
META author tag missing	Phishing
META copyright tag missing	Phishing
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://www.msn.com/

http://msn.com/

204.79.197.219

Details

Name:	http://msn.com/
IP:	204.79.197.219
TargetID:	2
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

about:blank

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d7b530a4-7680-4c23-a8bf-c52c121d2e87&scope=User.Read%20openid%20profile%20offline_access&redirect_uri=https%3A%2F%2Fwww.msn.com%2Fstaticsb%2Fstatics%2Flatest%2Fauth%2Fauth-redirect-blank.html&client-request-id=4362c772-8af9-495c-a64f-3fa3e8ba5c49&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=2.18.0&x-client-OS=&x-client-CPU=&client_info=1&code_challenge=MsPL_NyeFGkcHRF84viDBMtgFCgBjac05sxOU-5fIVw&code_challenge_method=S256&prompt=none&nonce=26820882-70a0-4e61-9463-0baa3817ce36&state=eyJpZCI6Ijk3Y2ZmOWM4LTIzYTgtNGU4MC1iNmU1LWM1OTUzMjI0Y2NlMSIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoic2lsZW50In19

Details

Name:	https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d7b530a4-7680-4c23-a8bf-c52c121d2e87&scope=User.Read%20openid%20profile%20offline_access&redirect_uri=https%3A%2F%2Fwww.msn.com%2Fstaticsb%2Fstatics%2Flatest%2Fauth%2Fauth-redirect-blank.html&client-request-id=4362c772-8af9-495c-a64f-3fa3e8ba5c49&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=2.18.0&x-client-OS=&x-client-CPU=&client_info=1&code_challenge=MsPL_NyeFGkcHRF84viDBMtgFCgBjac05sxOU-5fIVw&code_challenge_method=S256&prompt=none&nonce=26820882-70a0-4e61-9463-0baa3817ce36&state=eyJpZCI6Ijk3Y2ZmOWM4LTIzYTgtNGU4MC1iNmU1LWM1OTUzMjI0Y2NlMSIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoic2lsZW50In19
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
HTML body contains low number of good links	Phishing
HTML title does not match URL	Phishing
HTML page is missing a favicon	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing

https://tsdtocl.com/

Domains

Name

Malicious

s-part-0044.t-0009.fb-t-msedge.net

13.107.253.72

tls13.taboola.map.fastly.net

151.101.129.44

cm.mgid.com

104.19.129.76

api.btloader.com

130.211.23.194

hbx.media.net

23.212.88.20

eu-eb2.3lift.com

76.223.111.18

tsdtocl.com

151.101.1.44

ds-pr-bh.ybp.gysm.yahoodns.net

54.246.18.125

sync.im-apps.net

2.19.97.35

sni1gl.wpc.omegacdn.net

152.199.21.175

www.google.com

142.250.186.164

chidc2.outbrain.org

50.31.142.159

nydc1.outbrain.org

64.202.112.63

ad.doubleclick.net

172.217.16.198

s-part-0017.t-0009.t-msedge.net

13.107.246.45

s-part-0017.t-0009.fb-t-msedge.net

13.107.253.45

lb-sin.mgid.com

172.241.51.69

trace.popin.cc

35.213.89.133

trace.mediago.io

35.208.249.213

ad-delivery.net

104.26.3.70

msn.com

204.79.197.219

sb.scorecardresearch.com

18.239.83.98

prod.appnexus.map.fastly.net

151.101.65.108

btloader.com

104.22.74.216

m.anycast.adnxs.com

185.89.210.20

visitor-fra02.omnitagjs.com

185.255.84.152

ib.anycast.adnxs.com

37.252.173.215

js.monitor.azure.com

unknown

api.taboola.com

unknown

sync.inmobi.com

unknown

c.msn.com

unknown

srtb.msn.com

unknown

deff.nelreports.net

unknown

sync.outbrain.com

unknown

browser.events.data.msn.com

unknown

visitor.omnitagjs.com

unknown

pr-bh.ybp.yahoo.com

unknown

assets.msn.com

unknown

code.yengo.com

unknown

www.msn.com

unknown

acdn.adnxs.com

unknown

aadcdn.msftauth.net

unknown

px.ads.linkedin.com

unknown

m.adnxs.com

unknown

confiant.msn.com

unknown

mem.gfx.ms

unknown

cdn.taboola.com

unknown

ib.adnxs.com

unknown

api.msn.com

unknown

eb2.3lift.com

unknown

There are 41 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

2.18.64.224

unknown

European Union

37.252.171.149

unknown

European Union

13.107.246.45

s-part-0017.t-0009.t-msedge.net

United States

54.229.168.32

unknown

United States

20.190.159.64

unknown

United States

130.211.23.194

api.btloader.com

United States

2.19.97.35

sync.im-apps.net

European Union

20.199.58.43

unknown

United States

2.23.209.181

unknown

European Union

68.219.88.97

unknown

United States

185.89.210.20

m.anycast.adnxs.com

Germany

20.50.80.209

unknown

United States

2.23.209.185

unknown

European Union

2.23.209.140

unknown

European Union

172.217.16.142

unknown

United States

204.79.197.237

unknown

United States

23.212.88.19

unknown

United States

2.23.209.187

unknown

European Union

151.101.193.44

unknown

United States

142.250.186.35

unknown

United States

142.250.186.78

unknown

United States

1.1.1.1

unknown

Australia

20.74.47.205

unknown

United States

2.23.209.45

unknown

European Union

13.107.21.237

unknown

United States

54.246.18.125

ds-pr-bh.ybp.gysm.yahoodns.net

United States

74.125.133.84

unknown

United States

35.213.89.133

trace.popin.cc

United States

151.101.1.44

tsdtocl.com

United States

13.107.42.14

unknown

United States

239.255.255.250

unknown

Reserved

20.190.160.22

unknown

United States

23.212.88.20

hbx.media.net

United States

152.199.21.175

sni1gl.wpc.omegacdn.net

United States

2.18.64.219

unknown

European Union

2.18.64.218

unknown

European Union

172.217.16.198

ad.doubleclick.net

United States

104.19.129.76

cm.mgid.com

United States

2.18.64.214

unknown

European Union

104.26.3.70

ad-delivery.net

United States

2.23.209.12

unknown

European Union

185.255.84.152

visitor-fra02.omnitagjs.com

France

185.255.84.153

unknown

France

37.252.173.215

ib.anycast.adnxs.com

European Union

192.168.2.16

unknown

20.42.72.131

unknown

United States

20.189.173.11

unknown

United States

2.16.164.88

unknown

European Union

95.101.111.136

unknown

European Union

142.250.186.131

unknown

United States

204.79.197.219

msn.com

United States

35.208.249.213

trace.mediago.io

United States

2.19.96.88

unknown

European Union

142.250.186.134

unknown

United States

20.42.73.25

unknown

United States

2.18.64.205

unknown

European Union

2.18.64.203

unknown

European Union

76.223.111.18

eu-eb2.3lift.com

United States

50.31.142.159

chidc2.outbrain.org

United States

2.23.209.21

unknown

European Union

23.15.178.217

unknown

United States

151.101.65.108

prod.appnexus.map.fastly.net

United States

13.107.253.45

s-part-0017.t-0009.fb-t-msedge.net

United States

20.253.0.30

unknown

United States

2.19.126.136

unknown

European Union

151.101.129.44

tls13.taboola.map.fastly.net

United States

2.16.164.16

unknown

European Union

104.22.74.216

btloader.com

United States

18.239.83.98

sb.scorecardresearch.com

United States

142.250.186.164

www.google.com

United States

104.124.11.146

unknown

United States

2.23.209.130

unknown

European Union

172.241.51.68

unknown

Netherlands

172.241.51.69

lb-sin.mgid.com

Netherlands

64.202.112.63

nydc1.outbrain.org

United States

204.79.197.203

unknown

United States

2.23.209.133

unknown

European Union

There are 67 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
http://msn.com

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttp://msn.com

Files

URLs

Domains

IPs

IOC Report
http://msn.com