Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"

Details

Is windows:	true
Is dropped:	false
PID:	5856
Target ID:	0
Parent PID:	2516
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	15:17:03
Date:	10/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=2388,i,7891156904035973045,4333935852888309243,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	5408
Target ID:	2
Parent PID:	5856
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=2388,i,7891156904035973045,4333935852888309243,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	15:17:06
Date:	10/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://helawok.x-sns.cloud/"

Details

Is windows:	true
Is dropped:	false
PID:	6396
Target ID:	3
Parent PID:	2516
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://helawok.x-sns.cloud/"
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	15:17:08
Date:	10/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://helawok.x-sns.cloud/

https://36f920fd-acb15722.x-sns.cloud/shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg

172.233.53.209

https://36f920fd-acb15722.x-sns.cloud/shared/1.0/content/images/signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6.svg

172.233.53.209

https://36f920fd-acb15722.x-sns.cloud/shared/1.0/content/js/asyncchunk/convergedlogin_pcustomizationloader_117b650bccea354984d8.js

172.233.53.209

https://helawok.x-sns.cloud/cdn-cgi/challenge-platform/scripts/jsd/main.js

172.64.149.213

https://okvanguardofficelogin.x-sns.cloud/acb15722230e4dd094b9ec1a7f7ebb27/

172.233.53.209

https://l1ve.x-sns.cloud/Me.htm?v=3

172.233.53.209

https://36f920fd-acb15722.x-sns.cloud/shared/1.0/content/js/ConvergedLogin_PCore_64Z6dmvJd_mCK0LlAXyiHg2.js

172.233.53.209

https://18f930cb-acb15722.x-sns.cloud/Prefetch/Prefetch.aspx

172.233.53.209

https://36f920fd-acb15722.x-sns.cloud/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico

172.233.53.209

https://helawok.x-sns.cloud/

https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb&sso_reload=true

https://36f920fd-acb15722.x-sns.cloud/shared/1.0/content/js/asyncchunk/convergedlogin_pstringcustomizationhelper_4285088f1dbaf52a876d.js

172.233.53.209

https://okvanguardofficelogin.x-sns.cloud/favicon.ico

172.233.53.209

https://04a63513-acb15722.x-sns.cloud/api/report?catId=GW+estsfd+frc

172.233.53.209

https://36f920fd-acb15722.x-sns.cloud/shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg

172.233.53.209

https://36f920fd-acb15722.x-sns.cloud/ests/2.1/content/cdnbundles/ux.converged.login.strings-en.min_1yb3e7oii5t28dgo4xrtow2.js

172.233.53.209

https://helawok.x-sns.cloud/cdn-cgi/challenge-platform/h/b/jsd/r/8d08f2f35a7332c7

172.64.149.213

https://024cc40a-acb15722.x-sns.cloud/shared/1.0/content/js/BssoInterrupt_Core_JQnUxWSvwsd9FrpspQmznw2.js

172.233.53.209

https://helawok.x-sns.cloud/cdn-cgi/challenge-platform/h/b/scripts/jsd/62ec4f065604/main.js?

172.64.149.213

https://g.fastcdn.co/js/cm.js

104.18.41.218

https://v.fastcdn.co/u/33332e5f/65201939-0-H.png

172.64.146.38

http://bit.ly/sp-js)

unknown

https://github.com/zloirock/core-js

unknown

https://g.fastcdn.co/js/Links.c1a9dcf75cfbd1ae01c0.js

104.18.41.218

https://ec.instapagemetrics.com/t/two

172.67.185.227

https://app.instapage.com/ajax/pageserver/files/serve-file

unknown

https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb

https://ec.instapagemetrics.com

unknown

https://g.fastcdn.co/js/utils.bcf03997485feb49f2c7.js

104.18.41.218

https://g.fastcdn.co/js/LazyImage.77b7aec17419c3045fee.js

104.18.41.218

https://github.com/zloirock/core-js/blob/v3.21.1/LICENSE

unknown

https://g.fastcdn.co/js/sptw.051afd940be1c95d0063.js

104.18.41.218

https://ec.instapagemetrics.com/t/two?3thpc=true

172.67.185.227

https://g.fastcdn.co/js/Cradle.904200e3dbc62d5b0155.js

104.18.41.218

https://cdn.instapagemetrics.com/t/js/3/it.js

34.36.17.181

https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb

unknown

https://helawok.x-sns.cloud

unknown

There are 27 hidden URLs, click here to show them.

Domains

Name

Malicious

18f930cb-acb15722.x-sns.cloud

172.233.53.209

36f920fd-acb15722.x-sns.cloud

172.233.53.209

okvanguardofficelogin.x-sns.cloud

172.233.53.209

024cc40a-acb15722.x-sns.cloud

172.233.53.209

04a63513-acb15722.x-sns.cloud

172.233.53.209

l1ve.x-sns.cloud

172.233.53.209

secure.pageserve.co

172.64.149.213

cdn.instapagemetrics.com

34.36.17.181

v.fastcdn.co

172.64.146.38

fp2e7a.wpc.phicdn.net

192.229.221.95

g.fastcdn.co

104.18.41.218

bg.microsoft.map.fastly.net

199.232.210.172

www.google.com

216.58.206.68

ec.instapagemetrics.com

172.67.185.227

s-part-0032.t-0009.t-msedge.net

13.107.246.60

helawok.x-sns.cloud

unknown

There are 6 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

172.233.53.209

18f930cb-acb15722.x-sns.cloud

United States

192.168.2.4

unknown

172.67.185.227

ec.instapagemetrics.com

United States

34.36.17.181

cdn.instapagemetrics.com

United States

172.64.149.213

secure.pageserve.co

United States

104.18.38.43

unknown

United States

216.58.206.68

www.google.com

United States

104.18.41.218

g.fastcdn.co

United States

239.255.255.250

unknown

Reserved

172.64.146.38

v.fastcdn.co

United States

142.250.181.228

unknown

United States

There are 1 hidden IPs, click here to show them.

DOM / HTML

URL

Malicious

https://helawok.x-sns.cloud/

Details

Filename:	0.0.pages.html.dom
Url:	https://helawok.x-sns.cloud/
Target ID:	2
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=2388,i,7891156904035973045,4333935852888309243,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Signature Hits	Behavior Group	Mitre Attack
AI detected landing page (webpage, office document or email)	Persistence and Installation Behavior	Browser Extensions

https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb

Details

Filename:	1.3.pages.html.dom
Url:	https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb
Target ID:	2
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=2388,i,7891156904035973045,4333935852888309243,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Signature Hits	Behavior Group	Mitre Attack
Yara detected HtmlPhish54	Phishing

https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb&sso_reload=true

Details

Filename:	2.4.pages.html.dom
Url:	https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb&sso_reload=true
Target ID:	2
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=2388,i,7891156904035973045,4333935852888309243,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Signature Hits	Behavior Group	Mitre Attack
Yara detected HtmlPhish54	Phishing

https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb&sso_reload=true

Details

Filename:	2.6.pages.html.dom
Url:	https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb&sso_reload=true
Target ID:	2
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=2388,i,7891156904035973045,4333935852888309243,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Signature Hits	Behavior Group	Mitre Attack
AI detected phishing page	Phishing
Yara detected HtmlPhish54	Phishing

https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb&sso_reload=true

Details

Filename:	2.8.pages.html.dom
Url:	https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb&sso_reload=true
Target ID:	2
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=2388,i,7891156904035973045,4333935852888309243,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Signature Hits	Behavior Group	Mitre Attack
Yara detected HtmlPhish54	Phishing

https://helawok.x-sns.cloud/

https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb

https://okvanguardofficelogin.x-sns.cloud/?0tB=gvEvb&sso_reload=true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://helawok.x-sns.cloud/

Files

Processes

URLs

Domains

IPs

DOM / HTML

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://helawok.x-sns.cloud/

Files

Processes

URLs

Domains

IPs

DOM / HTML

IOC Report
https://helawok.x-sns.cloud/