Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

https://plateflippers.com/OH2/GG8/

URL

initial url

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\GG8[1].htm

HTML document, ASCII text, with very long lines, with CRLF line terminators

downloaded

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B49B7543-7DC0-11EB-90EB-ECF4BBEA1588}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B49B7545-7DC0-11EB-90EB-ECF4BBEA1588}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BAAB9089-7DC0-11EB-90EB-ECF4BBEA1588}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Othermail[1].htm

HTML document, ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\bootstrap.min[1].css

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\bootstrap.min[1].js

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\css[1].css

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\font-awesome.min[1].css

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\fontawesome-webfont[1].eot

Embedded OpenType (EOT), FontAwesome family

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mail[1].png

PNG image data, 100 x 87, 8-bit colormap, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mem5YaGs126MiZpBA-UN_r8OUuhv[1].woff

Web Open Font Format, TrueType, length 18668, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\memnYaGs126MiZpBA-UFUKW-U9hrIqU[1].woff

Web Open Font Format, TrueType, length 17788, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\Onedrive-logo[1].png

PNG image data, 170 x 114, 8-bit colormap, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\Outlook[1].htm

HTML document, UTF-8 Unicode text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\jquery-3.1.1.slim.min[1].js

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mem5YaGs126MiZpBA-UN7rgOUuhv[1].woff

Web Open Font Format, TrueType, length 18900, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mem5YaGs126MiZpBA-UN8rsOUuhv[1].woff

Web Open Font Format, TrueType, length 19072, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mem5YaGs126MiZpBA-UNirkOUuhv[1].woff

Web Open Font Format, TrueType, length 18696, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mem8YaGs126MiZpBA-UFVZ0d[1].woff

Web Open Font Format, TrueType, length 18100, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\tether.min[1].js

ASCII text, with very long lines, with no line terminators

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\Office365[1].htm

HTML document, ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\css[1].css

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\landing-devices-bg[1].jpg

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1200x800, frames 3

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\memnYaGs126MiZpBA-UFUKWiUNhrIqU[1].woff

Web Open Font Format, TrueType, length 17452, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\microbg[1].jpg

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1920x1080, frames 3

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\microsoftlogo[1].png

PNG image data, 115 x 26, 8-bit colormap, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\office[1].png

PNG image data, 512 x 512, 8-bit colormap, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\outlook[1].png

PNG image data, 213 x 211, 8-bit colormap, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\webmaillogo[1].png

PNG image data, 322 x 50, 8-bit colormap, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\bootstrap.min[1].css

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\bootstrap.min[1].js

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\css[1].css

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\mem6YaGs126MiZpBA-UFUK0Zdcs[1].woff

Web Open Font Format, TrueType, length 17440, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\memnYaGs126MiZpBA-UFUKWyV9hrIqU[1].woff

Web Open Font Format, TrueType, length 17668, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\memnYaGs126MiZpBA-UFUKXGUdhrIqU[1].woff

Web Open Font Format, TrueType, length 17492, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\officebg[1].jpg

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1420x1080, frames 3

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\officelogo[1].png

PNG image data, 163 x 75, 8-bit colormap, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\style[1].css

ASCII text

downloaded

C:\Users\user\AppData\Local\Temp\~DF2B39EDCB32CC438A.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF8ADC395168C1F92B.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DFE69385337526499A.TMP

data

dropped

There are 33 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files\internet explorer\iexplore.exe

'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	6904
Target ID:	1
Parent PID:	800
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files\internet explorer\iexplore.exe
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Size:	823560
MD5:	6465CB92B25A7BC1DF8E01D8AC5E7596
Time:	15:40:18
Date:	05/03/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff778860000
Modulesize:	831488
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Internet Explorer\iexplore.exe

'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6904 CREDAT:17410 /prefetch:2

Details

Is windows:	true
Is dropped:	false
PID:	6960
Target ID:	2
Parent PID:	6904
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6904 CREDAT:17410 /prefetch:2
Size:	822536
MD5:	071277CC2E3DF41EEEA8013E2AB58D5A
Time:	15:40:19
Date:	05/03/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1140000
Modulesize:	827392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://plateflippers.com/OH2/GG8/Root

unknown

https://plateflippers.com/OH2/GG8/f

unknown

https://plateflippers.com/OH2/GG8/Office365.php

https://plateflippers.com/OH2/GG8/Outlook.php

https://plateflippers.com/OH2/GG8/Outlook.phpp2/GG8/Office365.php

unknown

https://plateflippers.com/OH2/GG8/Othermail.php

unknown

https://plateflippers.com/OH2/GG8/Outlook.phpBSign

unknown

https://plateflippers.com/OH2/GG8/

unknown

https://plateflippers.com/OH2/GG8/Othermail.php

https://plateflippers.com/OH2/GG8/Office365.php

unknown

https://plateflippers.com/OH2/GG8/Outlook.php

unknown

https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.6/css/bootstrap.min.css

unknown

http://fontawesome.io

unknown

http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens

unknown

https://signup.live.com

unknown

http://fontawesome.io/license

unknown

http://fontawesome.io/license/

unknown

https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css

unknown

https://code.jquery.com/jquery-3.1.1.slim.min.js

unknown

https://github.com/twbs/bootstrap/graphs/contributors)

unknown

https://cdnjs.cloudflare.com/ajax/libs/tether/1.4.0/js/tether.min.js

unknown

https://getbootstrap.com)

unknown

https://github.com/twbs/bootstrap/blob/master/LICENSE)

unknown

https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.6/js/bootstrap.min.js

unknown

There are 15 hidden URLs, click here to show them.

Domains

Name

Malicious

plateflippers.com

162.241.127.18

Details

Name:	plateflippers.com
IP:	162.241.127.18
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Urls found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

cdnjs.cloudflare.com

104.16.19.94

Details

Name:	cdnjs.cloudflare.com
IP:	104.16.19.94
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

maxcdn.bootstrapcdn.com

104.18.10.207

Details

Name:	maxcdn.bootstrapcdn.com
IP:	104.18.10.207
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

code.jquery.com

unknown

IPs

Domain

Country

Active

Malicious

104.18.10.207

maxcdn.bootstrapcdn.com

United States

unknown

Details

IP:	104.18.10.207
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	maxcdn.bootstrapcdn.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.16.19.94

cdnjs.cloudflare.com

United States

unknown

Details

IP:	104.16.19.94
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	cdnjs.cloudflare.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

162.241.127.18

plateflippers.com

United States

unknown

Details

IP:	162.241.127.18
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	plateflippers.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

C:\Program Files\internet explorer\iexplore.exe

{B49B7543-7DC0-11EB-90EB-ECF4BBEA1588}

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Blocked

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Blocked

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

DecayDateQueue

C:\Program Files\internet explorer\iexplore.exe

LastProcessed

C:\Program Files\internet explorer\iexplore.exe

DecayDateQueue

C:\Program Files\internet explorer\iexplore.exe

LastProcessed

C:\Program Files\internet explorer\iexplore.exe

DecayDateQueue

C:\Program Files\internet explorer\iexplore.exe

LastProcessed

C:\Program Files\internet explorer\iexplore.exe

CVListPingLastYMD

C:\Program Files (x86)\Internet Explorer\iexplore.exe

@C:\Windows\System32\ieframe.dll,-912

C:\Program Files (x86)\Internet Explorer\iexplore.exe

@C:\Windows\System32\ieframe.dll,-904

There are 18 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

ECBE277000

unkown

page read and write

7FF589121000

unkown

page readonly

7FF52B672000

unkown

page readonly

2376DA4F000

unkown

page read and write

20B8843C000

unkown

page read and write

7FF589763000

unkown

page readonly

7FF52B47B000

unkown

page readonly

ECBE47F000

unkown

page read and write

DB1BAFB000

unkown

page read and write

7FF52B423000

unkown

page readonly

DB1B57C000

unkown

page read and write

7FF5898AC000

unkown

page readonly

7FF589813000

unkown

page readonly

DB1B87E000

unkown

page read and write

7FF52B4EC000

unkown

page readonly

7FF52B300000

unkown

page readonly

20B88502000

unkown

page read and write

2376DB13000

unkown

page read and write

2376DA52000

unkown

page read and write

2376D900000

unkown

page readonly

7FF589936000

unkown

page readonly

7FF52B4CD000

unkown

page readonly

ECBE37F000

unkown

page read and write

7FF52B580000

unkown

page readonly

7FF58992E000

unkown

page readonly

7FF589928000

unkown

page readonly

2376DA00000

unkown

page read and write

2376DA8B000

unkown

page read and write

20B882C0000

unkown

page readonly

7FF52B461000

unkown

page readonly

20B88508000

unkown

page read and write

20B88C02000

unkown

page read and write

ECBE07E000

unkown

page read and write

2376E202000

unkown

page read and write

DB1B975000

unkown

page read and write

7FF52B664000

unkown

page readonly

ECBDFF5000

unkown

page read and write

7FF52B5DF000

unkown

page readonly

7FF52B5AF000

unkown

page readonly

20B883B0000

unkown

page read and write

20B88600000

unkown

page readonly

ECBDE7E000

unkown

page read and write

7FF52B5B7000

unkown

page readonly

7FF58991F000

unkown

page readonly

7FF52B57E000

unkown

page readonly

7FF52B597000

unkown

page readonly

7FF52B57A000

unkown

page readonly

7FF52B4D3000

unkown

page readonly

2376DA13000

unkown

page read and write

7FF5898EC000

unkown

page readonly

7FF52B5D4000

unkown

page readonly

7FF52B5AC000

unkown

page readonly

20B8842A000

unkown

page read and write

7FF52B5FD000

unkown

page readonly

2376E0A0000

unkown

page readonly

2376DA4E000

unkown

page read and write

2376D9D0000

unkown

page readonly

2376DA46000

unkown

page read and write

ECBE17B000

unkown

page read and write

ECBDBAB000

unkown

page read and write

20B8844F000

unkown

page read and write

7FF589904000

unkown

page readonly

2376DA70000

unkown

page read and write

7FF5898F7000

unkown

page readonly

2376D9F0000

unkown

page read and write

7FF5898BA000

unkown

page readonly

7FF52B671000

unkown

page readonly

2376D8F0000

heap default

page read and write

7FF52B47E000

unkown

page readonly

DB1B9FE000

unkown

page read and write

7FF58982C000

unkown

page readonly

20B88E00000

unkown

page readonly

7FF52B4E4000

unkown

page readonly

7FF589914000

unkown

page readonly

7FF52B5E8000

unkown

page readonly

7FF5898BE000

unkown

page readonly

7FF5897BE000

unkown

page readonly

7FF52AC4C000

unkown

page readonly

7FF5899B2000

unkown

page readonly

20B88455000

unkown

page read and write

7FF5899B1000

unkown

page readonly

2376DC00000

unkown

page readonly

7FF52AC46000

unkown

page readonly

20B882B0000

heap default

page read and write

7FF5898EF000

unkown

page readonly

7FF52B66A000

unkown

page readonly

20B88500000

unkown

page read and write

7FF589637000

unkown

page readonly

20B88250000

heap private

page read and write

20B8847C000

unkown

page read and write

20B8846E000

unkown

page read and write

2376DB02000

unkown

page read and write

2376DA22000

unkown

page read and write

20B88513000

unkown

page read and write

7FF52B5EE000

unkown

page readonly

7FF52B5F6000

unkown

page readonly

7FF52B56A000

unkown

page readonly

7FF5899AA000

unkown

page readonly

2376DA4B000

unkown

page read and write

7FF52B5F9000

unkown

page readonly

DB1BBFD000

unkown

page read and write

7FF58993D000

unkown

page readonly

2376DA55000

unkown

page read and write

2376DA7E000

unkown

page read and write

7FF52B58B000

unkown

page readonly

7FF589824000

unkown

page readonly

2376DA2A000

unkown

page read and write

7FF52B2F7000

unkown

page readonly

DB1BEFF000

unkown

page read and write

DB1B5FE000

unkown

page read and write

7FF5898C5000

unkown

page readonly

2376D9E0000

unkown

page readonly

20B88402000

unkown

page read and write

DB1BDFF000

unkown

page read and write

7FF52B146000

unkown

page readonly

7FF52B155000

unkown

page readonly

7FF58990A000

unkown

page readonly

7FF5898D7000

unkown

page readonly

2376E400000

unkown

page readonly

7FF5898CB000

unkown

page readonly

20B883A0000

unkown

page readonly

7FF589495000

unkown

page readonly

7FF588F8C000

unkown

page readonly

7FF52B56C000

unkown

page readonly

7FF589486000

unkown

page readonly

2376DA3C000

unkown

page read and write

7FF5898AA000

unkown

page readonly

7FF5897BB000

unkown

page readonly

7FF589711000

unkown

page readonly

7FF52B585000

unkown

page readonly

7FF5898C0000

unkown

page readonly

2376DB00000

unkown

page read and write

2376DB08000

unkown

page read and write

7FF52B3D1000

unkown

page readonly

20B88483000

unkown

page read and write

7FF52B140000

unkown

page readonly

7FF5899A4000

unkown

page readonly

DB1BCF7000

unkown

page read and write

7FF589480000

unkown

page readonly

20B88400000

unkown

page read and write

20B88390000

unkown

page readonly

2376D890000

heap private

page read and write

7FF52B5CA000

unkown

page readonly

7FF5897A1000

unkown

page readonly

7FF589939000

unkown

page readonly

20B88413000

unkown

page read and write

ECBDEFE000

unkown

page read and write

20B88A60000

unkown

page readonly

7FF52B5C4000

unkown

page readonly

7FF58980D000

unkown

page readonly

2376DA8D000

unkown

page read and write

There are 141 hidden memdumps, click here to show them.

DOM / HTML

URL

Malicious

https://plateflippers.com/OH2/GG8/

Details

Filename:	849224.pages.html.dom
Url:	https://plateflippers.com/OH2/GG8/
Target ID:	2
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6904 CREDAT:17410 /prefetch:2

Signature Hits	Behavior Group	Mitre Attack
Yara detected HtmlPhish_7	Phishing

https://plateflippers.com/OH2/GG8/Outlook.php

https://plateflippers.com/OH2/GG8/Othermail.php

https://plateflippers.com/OH2/GG8/Office365.php

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

DOM / HTML