Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 08:22:25 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Category:	dropped
Dump:	Docs.lnk.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 08:22:25 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.988191639046668
Encrypted:	false
Size:	2673
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Category:	dropped
Dump:	Slides.lnk.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 08:22:25 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.9895581484779217
Encrypted:	false
Size:	2677
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

Chrome Cache Entry: 62

ASCII text, with no line terminators

downloaded

Details

File:	Chrome Cache Entry: 62
Category:	downloaded
Dump:	chromecache_62.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with no line terminators
Entropy:	3.75
Encrypted:	false
Size:	16
Whitelisted:	false

Chrome Cache Entry: 63

PNG image data, 974 x 436, 8-bit/color RGBA, non-interlaced

downloaded

Details

File:	Chrome Cache Entry: 63
Category:	downloaded
Dump:	chromecache_63.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	PNG image data, 974 x 436, 8-bit/color RGBA, non-interlaced
Entropy:	7.887521380123717
Encrypted:	false
Size:	45372
Whitelisted:	false

Chrome Cache Entry: 64

HTML document, ASCII text

downloaded

Details

File:	Chrome Cache Entry: 64
Category:	downloaded
Dump:	chromecache_64.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	HTML document, ASCII text
Entropy:	4.734865698937219
Encrypted:	false
Size:	2342
Whitelisted:	false

Chrome Cache Entry: 65

gzip compressed data, from Unix, original size modulo 2^32 895

downloaded

Details

File:	Chrome Cache Entry: 65
Category:	downloaded
Dump:	chromecache_65.1.dr
ID:	dr_5
Target ID:	1
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	gzip compressed data, from Unix, original size modulo 2^32 895
Entropy:	7.471768967687456
Encrypted:	false
Size:	424
Whitelisted:	false

Chrome Cache Entry: 66

gzip compressed data, from Unix, original size modulo 2^32 1140

downloaded

Details

File:	Chrome Cache Entry: 66
Category:	downloaded
Dump:	chromecache_66.1.dr
ID:	dr_6
Target ID:	1
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	gzip compressed data, from Unix, original size modulo 2^32 1140
Entropy:	7.5471271987961694
Encrypted:	false
Size:	480
Whitelisted:	false

Chrome Cache Entry: 68

PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	Chrome Cache Entry: 68
Category:	dropped
Dump:	chromecache_68.1.dr
ID:	dr_7
Target ID:	1
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced
Entropy:	7.949120703870044
Encrypted:	false
Size:	4119
Whitelisted:	false

URLs

Name

Malicious

https://tampoesdeferrofundido.com.br/redirect.php?v=2455b0ad034ad02

Details

Filetype:	URL
Filename:	https://tampoesdeferrofundido.com.br/redirect.php?v=2455b0ad034ad02

Signature Hits	Behavior Group	Mitre Attack
AI detected phishing page	Phishing
Phishing site detected (based on image similarity)	Phishing
Detected non-DNS traffic on DNS port	Networking
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Creates files inside the user directory	System Summary	Masquerading
HTML page is missing a favicon	Phishing
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://platypustours.net.au/8G56zf/

Details

Name:	https://platypustours.net.au/8G56zf/
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
AI detected phishing page	Phishing
Phishing site detected (based on image similarity)	Phishing
HTML page is missing a favicon	Phishing

Domains

Name

Malicious

platypustours.net.au

192.185.12.190

Details

Name:	platypustours.net.au
IP:	192.185.12.190
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
AI detected phishing page	Phishing
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

tampoesdeferrofundido.com.br

194.163.179.79

Details

Name:	tampoesdeferrofundido.com.br
IP:	194.163.179.79
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

www.google.com

142.250.185.196

Details

Name:	www.google.com
IP:	142.250.185.196
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

192.185.12.190

platypustours.net.au

United States

74.125.206.84

unknown

United States

142.250.186.78

unknown

United States

1.1.1.1

unknown

Australia

239.255.255.250

unknown

Reserved

142.250.185.196

www.google.com

United States

142.250.185.195

unknown

United States

216.58.206.67

unknown

United States

192.168.2.16

unknown

194.163.179.79

tampoesdeferrofundido.com.br

Germany

142.250.185.74

unknown

United States

216.58.206.46

unknown

United States

There are 2 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://tampoesdeferrofundido.com.br/redirect.php?v=2455b0ad034ad02

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://tampoesdeferrofundido.com.br/redirect.php?v=2455b0ad034ad02

Files

URLs

Domains

IPs

IOC Report
https://tampoesdeferrofundido.com.br/redirect.php?v=2455b0ad034ad02