Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\user\Downloads\DucuSign_23.24_503671.zip (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

Details

File:	C:\Users\user\Downloads\DucuSign_23.24_503671.zip (copy)
Category:	dropped
Dump:	f4f70771-2909-47d4-925b-9547cffaff10.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	6.514034414945931
Encrypted:	false
Ssdeep:	12:5jinIuORr4PHkq4erhs04rNzIuOpxOqqaH/:9iPzdrF4rNjq
Size:	390
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Downloads suspicious files via Chrome	System Summary

C:\Users\user\AppData\Local\Temp\dkzallen.vew\DucuSign_23.24_503671.PDF.url

Generic INItialization configuration [InternetShortcut]

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\dkzallen.vew\DucuSign_23.24_503671.PDF.url
Category:	dropped
Dump:	DucuSign_23.24_503671.PDF.url.6.dr
ID:	dr_6
Target ID:	6
Process:	C:\Windows\SysWOW64\7za.exe
Type:	Generic INItialization configuration [InternetShortcut]
Entropy:	5.388360527376571
Encrypted:	false
Ssdeep:	6:J254vVG/4xHe6FJQsrI6QYW5W9sQf5oeTckF:3VW4xhFJJMLYbRzz
Size:	229
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\unarchiver.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\unarchiver.log
Category:	dropped
Dump:	unarchiver.log.5.dr
ID:	dr_5
Target ID:	5
Process:	C:\Windows\SysWOW64\unarchiver.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.090447893233113
Encrypted:	false
Ssdeep:	24:MrIoaDEiJdiJjWIPliJdiJUwTiJfgCiJdiJFT9IIiJb3iJ0IIiJoVIiJmiJdiJxP:bNDEGdGbdGdGpTGoCGdGpuIGb3GZIGcI
Size:	1386
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\Downloads\DucuSign_23.24_503671.zip.crdownload (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

Details

File:	C:\Users\user\Downloads\DucuSign_23.24_503671.zip.crdownload (copy)
Category:	dropped
Dump:	f4f70771-2909-47d4-925b-9547cffaff10.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	6.514034414945931
Encrypted:	false
Ssdeep:	12:5jinIuORr4PHkq4erhs04rNzIuOpxOqqaH/:9iPzdrF4rNjq
Size:	390
Whitelisted:	false
Reputation:	low

C:\Users\user\Downloads\f4f70771-2909-47d4-925b-9547cffaff10.tmp

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

Details

File:	C:\Users\user\Downloads\f4f70771-2909-47d4-925b-9547cffaff10.tmp
Category:	dropped
Dump:	f4f70771-2909-47d4-925b-9547cffaff10.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	6.514034414945931
Encrypted:	false
Ssdeep:	12:5jinIuORr4PHkq4erhs04rNzIuOpxOqqaH/:9iPzdrF4rNjq
Size:	390
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Chrome Cache Entry: 47

HTML document, ASCII text, with very long lines (781), with no line terminators

downloaded

Details

File:	Chrome Cache Entry: 47
Category:	downloaded
Dump:	chromecache_47.2.dr
ID:	dr_7
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	HTML document, ASCII text, with very long lines (781), with no line terminators
Entropy:	4.969658206779772
Encrypted:	false
Ssdeep:	24:4HkmG7LOXNZXOAkXgZXiNjIQE31euXZlGI:8G7LOdZ+XQZSNjI71fJ5
Size:	781
Whitelisted:	false
Reputation:	low

Chrome Cache Entry: 48

Zip archive data, at least v2.0 to extract, compression method=deflate

downloaded

Details

File:	Chrome Cache Entry: 48
Category:	downloaded
Dump:	chromecache_48.2.dr
ID:	dr_8
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	6.514034414945931
Encrypted:	false
Ssdeep:	12:5jinIuORr4PHkq4erhs04rNzIuOpxOqqaH/:9iPzdrF4rNjq
Size:	390
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"

Details

Is windows:	true
Is dropped:	false
PID:	5504
Target ID:	0
Parent PID:	6088
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Size:	3242272
MD5:	5BBFA6CBDF4C254EB368D534F9E23C92
Time:	10:17:44
Date:	24/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff684c40000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2312,i,1355773766837614093,12017507885534609916,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	4932
Target ID:	2
Parent PID:	5504
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2312,i,1355773766837614093,12017507885534609916,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	5BBFA6CBDF4C254EB368D534F9E23C92
Time:	10:17:46
Date:	24/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff684c40000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://d22xf2qtjwaix4.cloudfront.net/fcs/configureHtml/share/facebook.php?title=Check+out+this+custom+Vans+shoe&image=http://goo.gl/Felnhz&description=I+made+this+custom+Vans+Slip-On+shoe.&url=https://minbv.shop"

Details

Is windows:	true
Is dropped:	false
PID:	7072
Target ID:	3
Parent PID:	6088
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://d22xf2qtjwaix4.cloudfront.net/fcs/configureHtml/share/facebook.php?title=Check+out+this+custom+Vans+shoe&image=http://goo.gl/Felnhz&description=I+made+this+custom+Vans+Slip-On+shoe.&url=https://minbv.shop"
Size:	3242272
MD5:	5BBFA6CBDF4C254EB368D534F9E23C92
Time:	10:17:48
Date:	24/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff684c40000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\unarchiver.exe

"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\DucuSign_23.24_503671.zip"

Details

Is windows:	true
Is dropped:	false
PID:	3192
Target ID:	5
Parent PID:	5504
Name:	unarchiver.exe
Path:	C:\Windows\SysWOW64\unarchiver.exe
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\DucuSign_23.24_503671.zip"
Size:	12800
MD5:	16FF3CC6CC330A08EED70CBC1D35F5D2
Time:	10:17:56
Date:	24/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf60000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\7za.exe

"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\dkzallen.vew" "C:\Users\user\Downloads\DucuSign_23.24_503671.zip"

Details

Is windows:	true
Is dropped:	false
PID:	4184
Target ID:	6
Parent PID:	3192
Name:	7za.exe
Path:	C:\Windows\SysWOW64\7za.exe
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\dkzallen.vew" "C:\Users\user\Downloads\DucuSign_23.24_503671.zip"
Size:	289792
MD5:	77E556CDFDC5C592F5C46DB4127C6F4C
Time:	10:17:56
Date:	24/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe40000
Modulesize:	315392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5972
Target ID:	7
Parent PID:	4184
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:17:56
Date:	24/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://d22xf2qtjwaix4.cloudfront.net/fcs/configureHtml/share/facebook.php?title=Check+out+this+custom+Vans+shoe&image=http://goo.gl/Felnhz&description=I+made+this+custom+Vans+Slip-On+shoe.&url=https://minbv.shop

Details

Filetype:	URL
Filename:	https://d22xf2qtjwaix4.cloudfront.net/fcs/configureHtml/share/facebook.php?title=Check+out+this+custom+Vans+shoe&image=http://goo.gl/Felnhz&description=I+made+this+custom+Vans+Slip-On+shoe.&url=https://minbv.shop

Signature Hits	Behavior Group	Mitre Attack
Downloads suspicious files via Chrome	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Downloads files from webservers via HTTP	Networking	Ingress Tool Transfer
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses HTTPS	Networking	Encrypted Channel
Uses new MSVCR Dlls	Compliance, System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

52.222.236.19

Details

Name:	https://d22xf2qtjwaix4.cloudfront.net/fcs/configureHtml/share/facebook.php?title=Check+out+this+custom+Vans+shoe&image=http://goo.gl/Felnhz&description=I+made+this+custom+Vans+Slip-On+shoe.&url=https://minbv.shop
IP:	52.222.236.19
TargetID:	2
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

http://goo.gl/Felnhz

unknown

Details

Name:	http://goo.gl/Felnhz
TargetID:	2
From Memory:	true
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	chromecache_47.2.dr

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

http://goo.gl/Felnhz&description=I

unknown

Details

Name:	http://goo.gl/Felnhz&description=I
TargetID:	2
From Memory:	true
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	chromecache_47.2.dr

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

https://minbv.shop/

3.128.24.43

https://cdn-prod.fluidconfigure.com/api/legacy/fcs/configureHtml/share/facebook.php?title=Check

unknown

https://minbv.shop

unknown

Details

Name:	https://minbv.shop
TargetID:	2
From Memory:	true
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	chromecache_47.2.dr

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

Domains

Name

Malicious

d22xf2qtjwaix4.cloudfront.net

52.222.236.19

Details

Name:	d22xf2qtjwaix4.cloudfront.net
IP:	52.222.236.19
TargetID:	2
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

www.google.com

142.250.186.36

Details

Name:	www.google.com
IP:	142.250.186.36
TargetID:	2
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

minbv.shop

3.128.24.43

Details

Name:	minbv.shop
IP:	3.128.24.43
TargetID:	2
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

84.201.210.37

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

3.128.24.43

minbv.shop

United States

142.250.186.36

www.google.com

United States

239.255.255.250

unknown

Reserved

52.222.236.19

d22xf2qtjwaix4.cloudfront.net

United States

192.168.2.6

unknown

192.168.2.5

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

17F0000

trusted library allocation

page execute and read and write

1360000

heap

page read and write

15EB000

heap

page read and write

F50000

heap

page read and write

156A000

trusted library allocation

page execute and read and write

565E000

stack

page read and write

12F9000

stack

page read and write

148E000

stack

page read and write

D8D000

stack

page read and write

14EE000

stack

page read and write

DF0000

heap

page read and write

1038000

heap

page read and write

161D000

heap

page read and write

35E8000

trusted library allocation

page read and write

14F0000

heap

page read and write

FFC000

stack

page read and write

4581000

trusted library allocation

page read and write

5B8E000

stack

page read and write

35BA000

trusted library allocation

page read and write

2ACF000

stack

page read and write

E90000

heap

page read and write

1520000

trusted library allocation

page read and write

19C0000

heap

page execute and read and write

EFE000

stack

page read and write

35E3000

trusted library allocation

page read and write

1810000

heap

page read and write

157B000

trusted library allocation

page execute and read and write

15EE000

heap

page read and write

154A000

trusted library allocation

page execute and read and write

5A4D000

stack

page read and write

17DF000

stack

page read and write

122F000

stack

page read and write

154C000

trusted library allocation

page execute and read and write

E3E000

stack

page read and write

EB0000

heap

page read and write

35E6000

trusted library allocation

page read and write

35EF000

trusted library allocation

page read and write

1590000

heap

page read and write

35CA000

trusted library allocation

page read and write

590E000

stack

page read and write

2AD0000

heap

page read and write

1562000

trusted library allocation

page execute and read and write

15B0000

heap

page read and write

153A000

trusted library allocation

page execute and read and write

15E0000

heap

page read and write

12F6000

stack

page read and write

1540000

trusted library allocation

page read and write

17E0000

trusted library allocation

page read and write

14F5000

heap

page read and write

1570000

trusted library allocation

page read and write

19E0000

heap

page read and write

F30000

trusted library allocation

page read and write

3581000

trusted library allocation

page read and write

30FF000

stack

page read and write

1542000

trusted library allocation

page execute and read and write

35D0000

trusted library allocation

page read and write

5A8E000

stack

page read and write

35D5000

trusted library allocation

page read and write

35EC000

trusted library allocation

page read and write

7F240000

trusted library allocation

page execute and read and write

5BCE000

stack

page read and write

35E0000

trusted library allocation

page read and write

35B0000

trusted library allocation

page read and write

2BD0000

trusted library allocation

page read and write

F00000

heap

page read and write

323F000

stack

page read and write

5CCE000

stack

page read and write

1577000

trusted library allocation

page execute and read and write

1440000

heap

page read and write

575E000

stack

page read and write

1532000

trusted library allocation

page execute and read and write

F05000

heap

page read and write

1030000

heap

page read and write

35BC000

trusted library allocation

page read and write

594E000

stack

page read and write

F10000

trusted library allocation

page read and write

580E000

stack

page read and write

1607000

heap

page read and write

C8C000

stack

page read and write

35DB000

trusted library allocation

page read and write

313E000

stack

page read and write

There are 71 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://d22xf2qtjwaix4.cloudfront.net/fcs/configureHtml/share/facebook.php?title=Check+out+this+custom+Vans+shoe&image=http://goo.gl/Felnhz&descriΡtion=I+made+this+custom+Vans+Slip-On+shoe.&url=https://minbv.shop

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://d22xf2qtjwaix4.cloudfront.net/fcs/configureHtml/share/facebook.php?title=Check+out+this+custom+Vans+shoe&image=http://goo.gl/Felnhz&descriΡtion=I+made+this+custom+Vans+Slip-On+shoe.&url=https://minbv.shop

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
https://d22xf2qtjwaix4.cloudfront.net/fcs/configureHtml/share/facebook.php?title=Check+out+this+custom+Vans+shoe&image=http://goo.gl/Felnhz&descriΡtion=I+made+this+custom+Vans+Slip-On+shoe.&url=https://minbv.shop