Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

http://3c4e7b.zgmwgzfzdwxnrfq.com

URL

initial url

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8A846DAC-D3C0-11EB-90E4-ECF4BB862DED}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8A846DAE-D3C0-11EB-90E4-ECF4BB862DED}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8A846DAF-D3C0-11EB-90E4-ECF4BB862DED}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\XjWJv9LQfx407iOuFqfg52ImSSTEQJORsxDRpBL3wWM[1].js

ASCII text, with very long lines, with no line terminators

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\ads[1].htm

HTML document, UTF-8 Unicode text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\css[1].css

ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\pxiByp8kv8JHgFVrLDz8Z1xlEw[1].woff

Web Open Font Format, TrueType, length 10504, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\caf[1].js

ASCII text, with very long lines

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\css[1].css

ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\js3caf[1].js

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\search[1].svg

SVG Scalable Vector Graphics image

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\style[1].css

ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\style[2].css

ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\chevron[1].svg

SVG Scalable Vector Graphics image

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\css[1].css

ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\webfont[1].js

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\-nF8OGQ1-uoVr2wK-iLT8A[1].woff

Web Open Font Format, TrueType, length 12396, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\C4004G0V.htm

HTML document, ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\arrows[1].png

PNG image data, 1500 x 600, 8-bit colormap, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\caf[1].js

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pxiEyp8kv8JHgFVrJJfedA[1].woff

Web Open Font Format, TrueType, length 10536, version 1.1

downloaded

C:\Users\user\AppData\Local\Temp\~DF0EAA380694CF522F.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF69E7BBDB605ADC19.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF72E20344339451D6.TMP

data

dropped

There are 15 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files\internet explorer\iexplore.exe

'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	4580
Target ID:	1
Parent PID:	792
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files\internet explorer\iexplore.exe
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Size:	823560
MD5:	6465CB92B25A7BC1DF8E01D8AC5E7596
Time:	18:15:48
Date:	22/06/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff628c90000
Modulesize:	831488
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Internet Explorer\iexplore.exe

'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17410 /prefetch:2

Details

Is windows:	true
Is dropped:	false
PID:	5436
Target ID:	2
Parent PID:	4580
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17410 /prefetch:2
Size:	822536
MD5:	071277CC2E3DF41EEEA8013E2AB58D5A
Time:	18:15:49
Date:	22/06/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x260000
Modulesize:	827392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://pr.cremationservicesnewusanet.com/%253Fbackfill%253D0%2526KW1%253DCremation%252BCost%2526KW2

unknown

Details

Name:	https://pr.cremationservicesnewusanet.com/%253Fbackfill%253D0%2526KW1%253DCremation%252BCost%2526KW2
TargetID:	2
From Memory:	true
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source:	ads[1].htm.2.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.apache.org/licenses/LICENSE-2.0

unknown

Details

Name:	http://www.apache.org/licenses/LICENSE-2.0
TargetID:	2
From Memory:	true
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source:	webfont[1].js.2.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://pr.cremationservicesnewusanet.com/?backfill=0&KW1=Cremation

unknown

https://use.typekit.net

unknown

Details

Name:	https://use.typekit.net
TargetID:	2
From Memory:	true
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source:	webfont[1].js.2.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://parking-crew.com/track.

unknown

Details

Name:	https://parking-crew.com/track.
TargetID:	2
From Memory:	true
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source:	C4004G0V.htm.2.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://3c4e7b.zgmwgzfzdwxnrfq.com/

13.224.193.70

http://parkingcrew.net/assets

unknown

Details

Name:	http://parkingcrew.net/assets
TargetID:	2
From Memory:	true
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source:	C4004G0V.htm.2.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://attestation.android.com

unknown

Details

Name:	https://attestation.android.com
TargetID:	2
From Memory:	true
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source:	caf[1].js0.2.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

dk8g5exin21my.cloudfront.net

13.224.193.70

pr.cremationservicesnewusanet.com

185.53.179.91

Details

Name:	pr.cremationservicesnewusanet.com
IP:	185.53.179.91
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

d1lxhc4jvstzrp.cloudfront.net

13.224.194.160

Details

Name:	d1lxhc4jvstzrp.cloudfront.net
IP:	13.224.194.160
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

googlehosted.l.googleusercontent.com

216.58.212.161

Details

Name:	googlehosted.l.googleusercontent.com
IP:	216.58.212.161
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

afs.googleusercontent.com

unknown

3c4e7b.zgmwgzfzdwxnrfq.com

unknown

Details

Name:	3c4e7b.zgmwgzfzdwxnrfq.com
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

13.224.194.160

d1lxhc4jvstzrp.cloudfront.net

United States

Details

IP:	13.224.194.160
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	d1lxhc4jvstzrp.cloudfront.net

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

185.53.179.91

pr.cremationservicesnewusanet.com

Germany

Details

IP:	185.53.179.91
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	Germany
Countrycode:	DEU
ASN number:	61969
ASN name:	TEAMINTERNET-ASDE
Private:	false
Domain:	pr.cremationservicesnewusanet.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

13.224.193.70

dk8g5exin21my.cloudfront.net

United States

Details

IP:	13.224.193.70
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	dk8g5exin21my.cloudfront.net

216.58.212.161

googlehosted.l.googleusercontent.com

United States

Details

IP:	216.58.212.161
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	googlehosted.l.googleusercontent.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

C:\Program Files\internet explorer\iexplore.exe

{8A846DAC-D3C0-11EB-90E4-ECF4BB862DED}

C:\Program Files\internet explorer\iexplore.exe

AdminActive

C:\Program Files\internet explorer\iexplore.exe

Type

C:\Program Files\internet explorer\iexplore.exe

Flags

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Blocked

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Blocked

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

There are 14 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1D227A00000

unkown

page readonly

1D227EA0000

unkown

page readonly

1D227902000

unkown

page read and write

7FF54B8DC000

unkown

page readonly

1D22783C000

unkown

page read and write

7FF54B8A1000

unkown

page readonly

7FF54B560000

unkown

page readonly

1D228200000

unkown

page readonly

7FF54B8A7000

unkown

page readonly

1D22784E000

unkown

page read and write

7FF54BA00000

unkown

page readonly

B4984FE000

unkown

page read and write

1D227700000

unkown

page readonly

7FF54B9D6000

unkown

page readonly

1D227800000

unkown

page read and write

B4987FF000

unkown

page read and write

7FF54B9CD000

unkown

page readonly

7FF54B978000

unkown

page readonly

7FF54B858000

unkown

page readonly

7FF54B78A000

unkown

page readonly

1D2277D0000

unkown

page readonly

B4985F7000

unkown

page read and write

7FF54B570000

unkown

page readonly

B497FBE000

unkown

page read and write

7FF54B87D000

unkown

page readonly

7FF54B98A000

unkown

page readonly

7FF54B976000

unkown

page readonly

1D227813000

unkown

page read and write

1D228002000

unkown

page read and write

7FF54BA69000

unkown

page readonly

7FF54B55A000

unkown

page readonly

B497F3C000

unkown

page read and write

7FF54B82E000

unkown

page readonly

7FF54B9A5000

unkown

page readonly

1D227802000

unkown

page read and write

7FF54B9AF000

unkown

page readonly

B49847B000

unkown

page read and write

7FF54B7EF000

unkown

page readonly

B49827E000

unkown

page read and write

7FF54BA69000

unkown

page readonly

7FF54B962000

unkown

page readonly

1D227690000

heap private

page read and write

1D22782A000

unkown

page read and write

7FF54B9EC000

unkown

page readonly

7FF54BA61000

unkown

page readonly

1D2277E0000

unkown

page readonly

7FF54B9E6000

unkown

page readonly

7FF54B9DC000

unkown

page readonly

1D227913000

unkown

page read and write

7FF54B873000

unkown

page readonly

1D227854000

unkown

page read and write

7FF54B972000

unkown

page readonly

1D2276F0000

heap default

page read and write

7FF54B960000

unkown

page readonly

7FF54B9B9000

unkown

page readonly

1D227908000

unkown

page read and write

B4986FE000

unkown

page read and write

7FF54B99E000

unkown

page readonly

1D227882000

unkown

page read and write

1D227871000

unkown

page read and write

7FF54BA5E000

unkown

page readonly

7FF54BA07000

unkown

page readonly

7FF54BA04000

unkown

page readonly

7FF54B83A000

unkown

page readonly

7FF54B9F5000

unkown

page readonly

1D2277F0000

unkown

page read and write

There are 56 hidden memdumps, click here to show them.

DOM / HTML

URL

Malicious

https://pr.cremationservicesnewusanet.com/?backfill=0&KW1=Cremation+Cost&KW2=Cremation+Without+A+Funeral&KW3=Inexpensive+Cremation&KW4=Prepaid+Cremation+Plans&KW5=Cremation+Services+Near+Me&KW6=Affordable+Burial+%26+Cremation+Service&domainname=0&searchbox=0&subid1=7e06d0f70b5db364b643d21345d1260a986e6860ce7304569bc041b0a5aeb045&track_id=7e06d0f70b5db364b643d21345d1260a986e6860ce7304569bc041b0a5aeb045&kcoptimize=1&theme=DoriPlus

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

DOM / HTML