5c30f03a491ee5bde61a0b419faed0e43179c8f5ce9940078fa3f02e55ac7978

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2023, 05:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CVE-2023-23397/1e7767eaaa659a1ef8b8e00c0fbb94d0629016c6a92fa5ab1191b91ec83d19c8_test - kopie.msg
Size

11KB
MD5

b6090ba7db8687637c09daeccb9cdd6a
SHA1

a1258a78a75423799e50e36237a75502a74ee11f
SHA256

1e7767eaaa659a1ef8b8e00c0fbb94d0629016c6a92fa5ab1191b91ec83d19c8
SHA512

2430c37acd84d09b5e0236c49df9c3056c406f959070e9369435330c0b912f29779370af52f6d021b65f42fbd4d0e1d65e5bc7cc56affe84e93f7f2dcb2e6d29
SSDEEP

48:rDHLp557WiagDJ6Y/w1NzVgKkkQ2trw6qKtp4hxMdrA5zeR0+mkxObbiMT87urT+:7wY/w18Yasq

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4672	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CVE-2023-23397\1e7767eaaa659a1ef8b8e00c0fbb94d0629016c6a92fa5ab1191b91ec83d19c8_test - kopie.msg"
1⤵
- Modifies registry class
PID:4392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4672

Network

DNS

97.97.242.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.97.242.52.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

50.4.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.4.107.13.in-addr.arpa

IN PTR

Response
DNS

76.38.195.152.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.38.195.152.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

154.25.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.25.221.88.in-addr.arpa

IN PTR

Response

154.25.221.88.in-addr.arpa

IN PTR

a88-221-25-154deploystaticakamaitechnologiescom
DNS

86.8.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.8.109.52.in-addr.arpa

IN PTR

Response
DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

210.81.184.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.81.184.52.in-addr.arpa

IN PTR

Response
DNS

216.74.101.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

216.74.101.95.in-addr.arpa

IN PTR

Response

216.74.101.95.in-addr.arpa

IN PTR

a95-101-74-216deploystaticakamaitechnologiescom
DNS

216.74.101.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

216.74.101.95.in-addr.arpa

IN PTR

Response

216.74.101.95.in-addr.arpa

IN PTR

a95-101-74-216deploystaticakamaitechnologiescom

117.18.232.240:80

260 B
5
51.11.192.49:443

322 B
7
117.18.232.240:80

322 B
7
117.18.232.240:80

322 B
7
117.18.232.240:80

322 B
7
117.18.232.240:80

322 B
7
173.223.113.164:443

322 B
7

8.8.8.8:53

97.97.242.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.97.242.52.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

50.4.107.13.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.4.107.13.in-addr.arpa
8.8.8.8:53

76.38.195.152.in-addr.arpa

dns

72 B
143 B
1
1

DNS Request

76.38.195.152.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

154.25.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

154.25.221.88.in-addr.arpa
8.8.8.8:53

86.8.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.8.109.52.in-addr.arpa
8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

210.81.184.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

210.81.184.52.in-addr.arpa
8.8.8.8:53

216.74.101.95.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

216.74.101.95.in-addr.arpa

DNS Request

216.74.101.95.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.