Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\35e444ac-d414-4924-a0ca-ad3f03162556.tmp

JSON data

modified

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

JSON data

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

data

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.848

PostScript document text

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

PostScript document text

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat

data

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

data

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

JSON data

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

SQLite Rollback Journal

dropped

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\77D5B85C-2EA8-48DE-959D-29F2DE8FA75F

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Office\Features\1-7FeatureCache.txt (copy)

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

SQLite 3.x database, user version 1, last written using SQLite version 3034001, writer version 2, read version 2, file counter 3, database pages 6, cookie 0x3, schema 4, largest root page 6, UTF-8, version-valid-for 3

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

SQLite Rollback Journal

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

SQLite Write-Ahead Log, version 3007000

dropped

C:\Users\user\AppData\Local\Temp\7945E02E.tmp

data

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1728331152684970900_87B58BA3-C8F4-44AD-AE32-2878954F88A1.log

ASCII text, with very long lines (28729), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241007T1559120458-4404.etl

data

dropped

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-07 15-59-24-720.log

ASCII text, with very long lines (393)

dropped

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

ASCII text, with very long lines (392), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 18:58:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

dropped

C:\Users\user\Desktop\~$PALRGUCVEH.xlsx

data

dropped

Chrome Cache Entry: 1061

HTML document, ASCII text

downloaded

Chrome Cache Entry: 1062

ASCII text

downloaded

There are 28 hidden files, click here to show them.

URLs

Name

Malicious

https://www.ontariotenants.ca/index.phtml

Details

Filetype:	URL
Filename:	https://www.ontariotenants.ca/index.phtml

Signature Hits	Behavior Group	Mitre Attack
Detected non-DNS traffic on DNS port	Networking	Extra Window Memory Injection
Sigma detected: Excel Network Connections	System Summary	Extra Window Memory Injection Masquerading
Sigma detected: Suspicious Office Outbound Connections	System Summary	Extra Window Memory Injection
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Classification label	System Summary	Extra Window Memory Injection
Connects to IPs without corresponding DNS lookups	Networking	Extra Window Memory Injection
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Extra Window Memory Injection
Performs DNS lookups	Networking	Non-Application Layer Protocol
Queries a list of all running processes	Malware Analysis System Evasion	Extra Window Memory Injection Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	Extra Window Memory Injection File and Directory Discovery
Reads software policies	System Summary
Runs a DLL by calling functions	System Summary	Extra Window Memory Injection Rundll32
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking	Encrypted Channel Application Layer Protocol
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis
Checks if Microsoft Office is installed	System Summary	System Information Discovery
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary
Tries to open an application configuration file (.cfg)	System Summary

https://www.ontariotenants.ca/index.phtml

Domains

Name

Malicious

chrome.cloudflare-dns.com

162.159.61.3

ontariotenants.ca

204.15.190.195

Details

Name:	ontariotenants.ca
IP:	204.15.190.195
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

www.google.com

172.217.23.100

Details

Name:	www.google.com
IP:	172.217.23.100
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

s-part-0032.t-0009.t-msedge.net

13.107.246.60

Details

Name:	s-part-0032.t-0009.t-msedge.net
IP:	13.107.246.60
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

www.ontariotenants.ca

unknown

Details

Name:	www.ontariotenants.ca
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

142.250.185.99

unknown

United States

52.113.194.132

unknown

United States

142.250.185.206

unknown

United States

34.104.35.123

unknown

United States

1.1.1.1

unknown

Australia

172.217.18.14

unknown

United States

52.168.117.175

unknown

United States

192.168.2.16

unknown

13.107.246.60

s-part-0032.t-0009.t-msedge.net

United States

74.125.206.84

unknown

United States

52.109.68.129

unknown

United States

162.159.61.3

chrome.cloudflare-dns.com

United States

239.255.255.250

unknown

Reserved

192.168.2.13

unknown

192.168.2.23

unknown

52.109.28.46

unknown

United States

172.217.23.100

www.google.com

United States

204.15.190.195

ontariotenants.ca

Canada

184.28.90.27

unknown

United States

172.217.16.195

unknown

United States

There are 10 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://www.ontariotenants.ca/index.phtml

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://www.ontariotenants.ca/index.phtml

Files

URLs

Domains

IPs

IOC Report
https://www.ontariotenants.ca/index.phtml