IOC Report
https://corp4.sharepoint.com/sites/TEA-IPRO-ES-ALL-OTF/List1/pendingreq.aspx?mbypass=1&ApproveAccessRequest=false&AccessRequestID=%7B897A0AEC%2DD338%2D4470%2D8DCF%2DDE0EE0657E05%7D


Files

File Path | Type | Category | Malicious
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Sep 5 11:14:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Sep 5 11:14:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Sep 5 11:14:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Sep 5 11:14:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Sep 5 11:14:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped |
Chrome Cache Entry: 102 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1864 | downloaded |
Chrome Cache Entry: 104 | MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors | dropped |
Chrome Cache Entry: 80 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 141866 | dropped |
Chrome Cache Entry: 81 | HTML document, ASCII text, with very long lines (3450), with CRLF line terminators | downloaded |
Chrome Cache Entry: 82 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 3651 | downloaded |
Chrome Cache Entry: 84 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 56820 | dropped |
Chrome Cache Entry: 85 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 113401 | downloaded |
Chrome Cache Entry: 87 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 406986 | downloaded |
Chrome Cache Entry: 88 | ASCII text, with very long lines (64616) | downloaded |
Chrome Cache Entry: 90 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 119648 | downloaded |
Chrome Cache Entry: 92 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1592 | downloaded |
Chrome Cache Entry: 93 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 11970 | dropped |
Chrome Cache Entry: 94 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 113769 | downloaded |
Chrome Cache Entry: 95 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 9285 | downloaded |
Chrome Cache Entry: 99 | ASCII text, with no line terminators | downloaded |
(12 further file entries are not included in this export.)

URLs

Name | IP | Malicious
https://corp4.sharepoint.com/sites/TEA-IPRO-ES-ALL-OTF/List1/pendingreq.aspx?mbypass=1&ApproveAccessRequest=false&AccessRequestID=%7B897A0AEC%2DD338%2D4470%2D8DCF%2DDE0EE0657E05%7D | |
https://login.microsoftonline.com/8c433003-a081-4dfb-a631-100526250b1a/oauth2/authorize?client%5Fid=00000003%2D0000%2D0ff1%2Dce00%2D000000000000&response%5Fmode=form%5Fpost&response%5Ftype=code%20id%5Ftoken&resource=00000003%2D0000%2D0ff1%2Dce00%2D000000000000&scope=openid&nonce=C6E44A603FB6C4B37244DD272F7D8EC3098BE601E7EF16DB%2D634F01399781BE296AE5F28234A5FFFADB8F580A2DDBACE402E3B5F8B10E4A50&redirect%5Furi=https%3A%2F%2Fcorp4%2Esharepoint%2Ecom%2F%5Fforms%2Fdefault%2Easpx&state=OD0w&claims=%7B%22id%5Ftoken%22%3A%7B%22xms%5Fcc%22%3A%7B%22values%22%3A%5B%22CP1%22%5D%7D%7D%7D&wsucxt=1&cobrandid=11bd8083%2D87e0%2D41b5%2Dbb78%2D0bc43c8a8e8a&client%2Drequest%2Did=88444da1%2Dd0ff%2D3000%2Dc107%2D6f90e74ca5f7&sso_reload=true | |
https://login.microsoftonline.com/8c433003-a081-4dfb-a631-100526250b1a/oauth2/authorize?client%5Fid=00000003%2D0000%2D0ff1%2Dce00%2D000000000000&response%5Fmode=form%5Fpost&response%5Ftype=code%20id%5Ftoken&resource=00000003%2D0000%2D0ff1%2Dce00%2D000000000000&scope=openid&nonce=C6E44A603FB6C4B37244DD272F7D8EC3098BE601E7EF16DB%2D634F01399781BE296AE5F28234A5FFFADB8F580A2DDBACE402E3B5F8B10E4A50&redirect%5Furi=https%3A%2F%2Fcorp4%2Esharepoint%2Ecom%2F%5Fforms%2Fdefault%2Easpx&state=OD0w&claims=%7B%22id%5Ftoken%22%3A%7B%22xms%5Fcc%22%3A%7B%22values%22%3A%5B%22CP1%22%5D%7D%7D%7D&wsucxt=1&cobrandid=11bd8083%2D87e0%2D41b5%2Dbb78%2D0bc43c8a8e8a&client%2Drequest%2Did=88444da1%2Dd0ff%2D3000%2Dc107%2D6f90e74ca5f7 | |

Domains

Name | IP | Malicious
s-part-0016.t-0009.t-msedge.net | 13.107.246.44 |
195747-ipv4v6.farm.dprodmgd106.aa-rt.sharepoint.com | 52.105.216.39 |
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 |
sni1gl.wpc.omegacdn.net | 152.199.21.175 |
www.google.com | 172.217.23.100 |
corp4.sharepoint.com | unknown |
identity.nel.measure.office.net | unknown |
aadcdn.msftauth.net | unknown |
login.microsoftonline.com | unknown |

IPs

IP | Domain | Country | Malicious
13.107.246.45 | s-part-0017.t-0009.t-msedge.net | United States |
13.107.246.44 | s-part-0016.t-0009.t-msedge.net | United States |
172.217.18.4 | unknown | United States |
192.168.2.16 | unknown | unknown |
52.105.216.39 | 195747-ipv4v6.farm.dprodmgd106.aa-rt.sharepoint.com | United States |
239.255.255.250 | unknown | Reserved |
20.190.159.2 | unknown | United States |
172.217.23.100 | www.google.com | United States |
142.250.186.131 | unknown | United States |
142.250.186.142 | unknown | United States |
152.199.21.175 | sni1gl.wpc.omegacdn.net | United States |
2.16.238.149 | unknown | European Union |
216.58.212.163 | unknown | United States |
40.126.32.136 | unknown | United States |
142.250.185.74 | unknown | United States |
40.126.32.138 | unknown | United States |
66.102.1.84 | unknown | United States |
(7 further IP entries are not included in this export.)