IOC Report
https://eu.docusign.net/Signing/EmailStart.aspx?a=fda42e60-d786-47e1-bd4d-cefd28143f0a&etti=24&acct=ac54d6d4-2396-463d-a7b0-d065df9f63da&er=d553e8f2-760d-4734-ac30-816baca506d7

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 12:13:00 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 12:13:00 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 12:13:00 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 12:13:00 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 12:13:00 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

Chrome Cache Entry: 102

SVG Scalable Vector Graphics image

dropped

Chrome Cache Entry: 103

ASCII text

downloaded

Chrome Cache Entry: 104

gzip compressed data, from Unix, original size modulo 2^32 464380

downloaded

Chrome Cache Entry: 107

PNG image data, 79 x 79, 8-bit/color RGB, non-interlaced

downloaded

Chrome Cache Entry: 108

Web Open Font Format, CFF, length 33752, version 0.0

downloaded

Chrome Cache Entry: 109

PNG image data, 45 x 40, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 110

ASCII text, with very long lines (14047), with CRLF line terminators

downloaded

Chrome Cache Entry: 111

ASCII text, with very long lines (65536), with no line terminators

downloaded

Chrome Cache Entry: 112

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 113

GIF image data, version 89a, 60 x 60

dropped

Chrome Cache Entry: 115

ASCII text, with very long lines (32029), with CRLF line terminators

downloaded

Chrome Cache Entry: 119

Web Open Font Format, CFF, length 34820, version 0.0

downloaded

Chrome Cache Entry: 120

PNG image data, 28 x 31, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 123

ASCII text

downloaded

Chrome Cache Entry: 125

PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 89

ASCII text, with very long lines (3196), with CRLF line terminators

downloaded

Chrome Cache Entry: 91

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 93

PNG image data, 1696 x 1294, 8-bit/color RGBA, interlaced

dropped

Chrome Cache Entry: 94

ASCII text

downloaded

Chrome Cache Entry: 95

ASCII text, with very long lines (4056), with no line terminators

dropped

Chrome Cache Entry: 96

ASCII text, with CRLF line terminators

downloaded

Chrome Cache Entry: 99

PNG image data, 10 x 10, 8-bit/color RGBA, non-interlaced

dropped

There are 19 hidden files, click here to show them.

URLs

Name

IP

Malicious

https://eu.docusign.net/Signing/EmailStart.aspx?a=fda42e60-d786-47e1-bd4d-cefd28143f0a&etti=24&acct=ac54d6d4-2396-463d-a7b0-d065df9f63da&er=d553e8f2-760d-4734-ac30-816baca506d7

Details

Filetype:	URL
Filename:	https://eu.docusign.net/Signing/EmailStart.aspx?a=fda42e60-d786-47e1-bd4d-cefd28143f0a&etti=24&acct=ac54d6d4-2396-463d-a7b0-d065df9f63da&er=d553e8f2-760d-4734-ac30-816baca506d7

Signature Hits	Behavior Group	Mitre Attack
HTML body contains low number of good links	Phishing
HTML page contains hidden javascript code	Phishing
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Submit button contains javascript call	Phishing	Scripting
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Creates files inside the user directory	System Summary	Masquerading
HTML body contains password input	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing
Performs DNS lookups	Networking	Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking	Application Layer Protocol
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://eu.docusign.net/Signing/ActivateSecurityChecks.aspx?a=d77b1698-e8d2-4089-8a86-748f8fc409db&ti=a168a2f13c0848abadc581c399ffa05b

Details

Name:	https://eu.docusign.net/Signing/ActivateSecurityChecks.aspx?a=d77b1698-e8d2-4089-8a86-748f8fc409db&ti=a168a2f13c0848abadc581c399ffa05b
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
HTML body contains low number of good links	Phishing
HTML page contains hidden javascript code	Phishing
Submit button contains javascript call	Phishing	Scripting
HTML body contains password input	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing

Domains

Name

IP

Malicious

rpxnow.com

34.194.220.181

Details

Name:	rpxnow.com
IP:	34.194.220.181
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

www.google.com

142.250.185.132

Details

Name:	www.google.com
IP:	142.250.185.132
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

d29usylhdk1xyu.cloudfront.net

18.164.52.68

Details

Name:	d29usylhdk1xyu.cloudfront.net
IP:	18.164.52.68
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

api.mixpanel.com

35.190.25.25

Details

Name:	api.mixpanel.com
IP:	35.190.25.25
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

docj27ko03fnu.cloudfront.net

18.172.112.60

Details

Name:	docj27ko03fnu.cloudfront.net
IP:	18.172.112.60
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

quilt-cdn.janrain.com

unknown

eu.docusign.net

unknown

Details

Name:	eu.docusign.net
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

docucdn-a.akamaihd.net

unknown

IPs

IP

Domain

Country

Malicious

142.250.186.67

unknown

United States

18.172.112.38

unknown

United States

142.250.185.67

unknown

United States

35.186.241.51

unknown

United States

1.1.1.1

unknown

Australia

34.194.220.181

rpxnow.com

United States

216.58.206.74

unknown

United States

172.217.16.206

unknown

United States

192.168.2.17

unknown

unknown

173.194.76.84

unknown

United States

142.250.185.132

www.google.com

United States

13.224.189.58

unknown

United States

2.19.126.135

unknown

European Union

35.190.25.25

api.mixpanel.com

United States

239.255.255.250

unknown

Reserved

18.172.112.60

docj27ko03fnu.cloudfront.net

United States

142.250.185.142

unknown

United States

18.164.52.68

d29usylhdk1xyu.cloudfront.net

United States

2.18.64.4

unknown

European Union

185.81.100.28

unknown

Germany

2.20.245.140

unknown

European Union

There are 11 hidden IPs, click here to show them.