IOC Report
https://url.us.m.mimecastprotect.com/s/-oP7C9rL1Juk5KJwqcof9CqWq9D?domain=koszielaman.info/

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 08:24:07 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 08:24:07 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 08:24:07 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 08:24:07 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 08:24:07 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

Chrome Cache Entry: 100

Unicode text, UTF-8 text, with very long lines (7988)

downloaded

Chrome Cache Entry: 104

PNG image data, 254 x 120, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 105

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 106

ASCII text, with very long lines (1572)

downloaded

Chrome Cache Entry: 107

ASCII text, with very long lines (3529), with no line terminators

downloaded

Chrome Cache Entry: 108

Web Open Font Format (Version 2), TrueType, length 48236, version 1.0

downloaded

Chrome Cache Entry: 109

HTML document, ASCII text, with CRLF line terminators

downloaded

Chrome Cache Entry: 112

ASCII text, with very long lines (2299), with no line terminators

downloaded

Chrome Cache Entry: 113

ASCII text, with very long lines (65536), with no line terminators

dropped

Chrome Cache Entry: 115

JSON data

downloaded

Chrome Cache Entry: 117

ASCII text

downloaded

Chrome Cache Entry: 118

HTML document, ASCII text, with very long lines (2084)

downloaded

Chrome Cache Entry: 119

ASCII text, with very long lines (65536), with no line terminators

downloaded

Chrome Cache Entry: 120

WebAssembly (wasm) binary module version 0x1 (MVP)

downloaded

Chrome Cache Entry: 122

ASCII text, with very long lines (344)

dropped

Chrome Cache Entry: 123

ASCII text, with very long lines (57597)

downloaded

Chrome Cache Entry: 124

HTML document, ASCII text

downloaded

Chrome Cache Entry: 125

ASCII text

downloaded

Chrome Cache Entry: 88

HTML document, ASCII text

dropped

Chrome Cache Entry: 89

MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel

downloaded

Chrome Cache Entry: 92

PNG image data, 1304 x 222, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 93

MS Windows icon resource - 4 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel

dropped

Chrome Cache Entry: 94

HTML document, ASCII text, with very long lines (2084)

downloaded

Chrome Cache Entry: 95

ASCII text, with very long lines (36973), with no line terminators

dropped

There are 21 hidden files, click here to show them.

URLs

Name

IP

Malicious

https://url.us.m.mimecastprotect.com/s/-oP7C9rL1Juk5KJwqcof9CqWq9D?domain=koszielaman.info/

Details

Filetype:	URL
Filename:	https://url.us.m.mimecastprotect.com/s/-oP7C9rL1Juk5KJwqcof9CqWq9D?domain=koszielaman.info/

Signature Hits	Behavior Group	Mitre Attack
Detected non-DNS traffic on DNS port	Networking	Extra Window Memory Injection
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Classification label	System Summary	Extra Window Memory Injection
Connects to IPs without corresponding DNS lookups	Networking	Extra Window Memory Injection
Creates files inside the user directory	System Summary	Masquerading
HTML page is missing a favicon	Phishing	Extra Window Memory Injection
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking	Encrypted Channel
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://security-us.mimecast.com/mimecast-bi-web-portal/app/bi?info=bTldCcxbCYYJ00pINk88z_VxHo9nx4IN7IWL7KM4GVWFYuTLcJEAnmrGupznTLJr&reason=SessionError

https://3.us-1.isolation.mimecastprotect.com/?sessionID=035933a8fda90dfd6543

Domains

Name

IP

Malicious

url.us.m.mimecastprotect.com

205.139.111.113

Details

Name:	url.us.m.mimecastprotect.com
IP:	205.139.111.113
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

security-us.mimecast.com

205.139.110.99

Details

Name:	security-us.mimecast.com
IP:	205.139.110.99
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

www.google.com

216.58.212.132

Details

Name:	www.google.com
IP:	216.58.212.132
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

3.us-1.isolation.mimecastprotect.com

207.211.30.130

Details

Name:	3.us-1.isolation.mimecastprotect.com
IP:	207.211.30.130
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

IP

Domain

Country

Malicious

1.1.1.1

unknown

Australia

108.177.15.84

unknown

United States

216.58.212.131

unknown

United States

207.211.31.119

unknown

United States

216.58.212.132

www.google.com

United States

205.139.111.113

url.us.m.mimecastprotect.com

United States

172.217.16.206

unknown

United States

192.168.2.17

unknown

unknown

172.217.23.106

unknown

United States

142.250.185.227

unknown

United States

192.168.2.11

unknown

unknown

239.255.255.250

unknown

Reserved

142.250.185.163

unknown

United States

205.139.110.99

security-us.mimecast.com

United States

172.217.18.110

unknown

United States

207.211.30.130

3.us-1.isolation.mimecastprotect.com

United States

There are 6 hidden IPs, click here to show them.