Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Chrome Cache Entry: 132

ASCII text, with very long lines (65446)

dropped

Chrome Cache Entry: 133

ASCII text, with very long lines (16730)

downloaded

Chrome Cache Entry: 134

Unicode text, UTF-8 text, with very long lines (62585), with LF, NEL line terminators

dropped

Chrome Cache Entry: 135

ASCII text, with very long lines (65536), with no line terminators

downloaded

Chrome Cache Entry: 138

ASCII text, with very long lines (65440)

dropped

Chrome Cache Entry: 140

ASCII text

dropped

Chrome Cache Entry: 143

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 145

Unicode text, UTF-8 text, with very long lines (16131)

downloaded

Chrome Cache Entry: 146

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 147

ASCII text, with very long lines (65438)

downloaded

Chrome Cache Entry: 148

ASCII text, with very long lines (65443)

dropped

Chrome Cache Entry: 151

Unicode text, UTF-8 text, with very long lines (65442)

dropped

Chrome Cache Entry: 155

HTML document, ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 157

Unicode text, UTF-8 text, with very long lines (63904), with LF, NEL line terminators

dropped

Chrome Cache Entry: 158

Unicode text, UTF-8 text, with very long lines (48118)

dropped

Chrome Cache Entry: 159

Unicode text, UTF-8 text, with very long lines (65448)

dropped

Chrome Cache Entry: 160

ASCII text, with very long lines (7936)

dropped

Chrome Cache Entry: 161

ASCII text, with very long lines (21531)

downloaded

Chrome Cache Entry: 163

HTML document, ASCII text, with very long lines (332), with CRLF line terminators

downloaded

Chrome Cache Entry: 165

Web Open Font Format, TrueType, length 47748, version 1.0

downloaded

Chrome Cache Entry: 166

ASCII text, with very long lines (10743)

dropped

Chrome Cache Entry: 167

Web Open Font Format, TrueType, length 13780, version 1.0

downloaded

Chrome Cache Entry: 168

ASCII text, with very long lines (65448)

dropped

Chrome Cache Entry: 169

ASCII text, with very long lines (10456)

dropped

Chrome Cache Entry: 170

Unicode text, UTF-8 text, with very long lines (65456)

dropped

Chrome Cache Entry: 173

ASCII text, with very long lines (16402)

dropped

Chrome Cache Entry: 174

PNG image data, 79 x 79, 8-bit/color RGB, non-interlaced

downloaded

Chrome Cache Entry: 176

ASCII text, with very long lines (65443)

downloaded

Chrome Cache Entry: 177

very short file (no magic)

downloaded

Chrome Cache Entry: 178

Web Open Font Format, CFF, length 33752, version 0.0

downloaded

Chrome Cache Entry: 180

SVG Scalable Vector Graphics image

dropped

Chrome Cache Entry: 181

ASCII text, with very long lines (9326)

downloaded

Chrome Cache Entry: 182

ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 183

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 184

ASCII text, with very long lines (65448)

dropped

Chrome Cache Entry: 185

ASCII text, with very long lines (24945)

dropped

Chrome Cache Entry: 186

PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 190

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 191

GIF image data, version 89a, 44 x 44

dropped

Chrome Cache Entry: 194

Unicode text, UTF-8 text, with very long lines (31005)

dropped

Chrome Cache Entry: 196

Unicode text, UTF-8 text, with very long lines (62224)

downloaded

Chrome Cache Entry: 202

ASCII text, with very long lines (58219)

downloaded

Chrome Cache Entry: 207

ASCII text, with very long lines (631), with no line terminators

dropped

Chrome Cache Entry: 209

ASCII text, with very long lines (8950)

dropped

Chrome Cache Entry: 212

ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 214

ASCII text, with no line terminators

dropped

Chrome Cache Entry: 216

Unicode text, UTF-8 text, with very long lines (65447)

dropped

Chrome Cache Entry: 217

ASCII text, with very long lines (11685)

dropped

Chrome Cache Entry: 219

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 223

Web Open Font Format, TrueType, length 37560, version 1.0

downloaded

Chrome Cache Entry: 224

HTML document, ASCII text, with very long lines (420), with no line terminators

downloaded

Chrome Cache Entry: 226

ASCII text, with very long lines (11764)

downloaded

Chrome Cache Entry: 227

ASCII text, with very long lines (35598)

dropped

Chrome Cache Entry: 228

ASCII text

dropped

Chrome Cache Entry: 229

GIF image data, version 89a, 145 x 60

downloaded

Chrome Cache Entry: 233

Unicode text, UTF-8 text, with very long lines (65169)

dropped

Chrome Cache Entry: 234

SVG Scalable Vector Graphics image

downloaded

There are 48 hidden files, click here to show them.

URLs

Name

Malicious

https://ca.docusign.net/Signing/EmailStart.aspx?a=1cdabf46-ff5a-4450-ae28-4b5293077687&etti=24&acct=938a1226-4cc2-4b96-95f9-d33be464ae6b&er=5b95ae4e-7414-40c0-b9fc-e2de228fcc1b

Details

Filetype:	URL
Filename:	https://ca.docusign.net/Signing/EmailStart.aspx?a=1cdabf46-ff5a-4450-ae28-4b5293077687&etti=24&acct=938a1226-4cc2-4b96-95f9-d33be464ae6b&er=5b95ae4e-7414-40c0-b9fc-e2de228fcc1b

Signature Hits	Behavior Group	Mitre Attack
AI detected landing page (webpage, office document or email)	Persistence and Installation Behavior	Browser Extensions
Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)	Phishing	Scripting Deobfuscate/Decode Files or Information
Detected non-DNS traffic on DNS port	Networking
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Creates files inside the user directory	System Summary	Masquerading
HTML page is missing a favicon	Phishing
Performs DNS lookups	Networking	Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking	Encrypted Channel Application Layer Protocol
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://ca.docusign.net/Signing/?ti=1c89f53b54dd4e79bb69deb1114abc6b

Details

Name:	https://ca.docusign.net/Signing/?ti=1c89f53b54dd4e79bb69deb1114abc6b
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
AI detected landing page (webpage, office document or email)	Persistence and Installation Behavior	Browser Extensions
HTML page is missing a favicon	Phishing

https://cmedthai.com/n/?c3Y9bzM2NV8xX3NwJnJhbmQ9ZW5kbFVsRT0mdWlkPVVTRVIyNjA3MjAyNFVOSVFVRTAzNDQwNzI2NTIyMDI0MjAyNDA3MjY0NDAzNTI=N0123N

Domains

Name

Malicious

cmedthai.com

203.78.107.122

Details

Name:	cmedthai.com
IP:	203.78.107.122
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

www.google.com

142.250.186.164

Details

Name:	www.google.com
IP:	142.250.186.164
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

api.mixpanel.com

35.190.25.25

Details

Name:	api.mixpanel.com
IP:	35.190.25.25
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

arya-1323461286.us-west-2.elb.amazonaws.com

52.32.246.233

a.docusign.com

unknown

docucdn-a.akamaihd.net

unknown

ca.docusign.net

unknown

Details

Name:	ca.docusign.net
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

142.250.186.35

unknown

United States

1.1.1.1

unknown

Australia

216.58.206.78

unknown

United States

192.168.2.16

unknown

2.19.126.227

unknown

European Union

203.78.107.122

cmedthai.com

Thailand

64.233.166.84

unknown

United States

35.190.25.25

api.mixpanel.com

United States

239.255.255.250

unknown

Reserved

142.250.185.163

unknown

United States

52.32.246.233

arya-1323461286.us-west-2.elb.amazonaws.com

United States

142.250.186.164

www.google.com

United States

52.235.59.100

unknown

United States

142.250.186.42

unknown

United States

172.217.16.142

unknown

United States

52.235.63.109

unknown

United States

There are 6 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://ca.docusign.net/Signing/EmailStart.aspx?a=1cdabf46-ff5a-4450-ae28-4b5293077687&etti=24&acct=938a1226-4cc2-4b96-95f9-d33be464ae6b&er=5b95ae4e-7414-40c0-b9fc-e2de228fcc1b

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://ca.docusign.net/Signing/EmailStart.aspx?a=1cdabf46-ff5a-4450-ae28-4b5293077687&etti=24&acct=938a1226-4cc2-4b96-95f9-d33be464ae6b&er=5b95ae4e-7414-40c0-b9fc-e2de228fcc1b

Files

URLs

Domains

IPs

IOC Report
https://ca.docusign.net/Signing/EmailStart.aspx?a=1cdabf46-ff5a-4450-ae28-4b5293077687&etti=24&acct=938a1226-4cc2-4b96-95f9-d33be464ae6b&er=5b95ae4e-7414-40c0-b9fc-e2de228fcc1b