2f79a30540e3f31d86819c9fbf4d4f3a91d5d83ae07bcda94b1388818aebc933

Analysis

max time kernel
496s
max time network
1586s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05/07/2024, 08:54 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Heaven's Exploits/Solara/workspace/IY_FE.iy
Size

662B
MD5

24c8be244b2dbd69555f27437a7fa3c1
SHA1

4da122e8a1c06e1e490230c7c88a7457f0958c9d
SHA256

46fb07ba8a7a0d02bd1fb74bff1c5617416e60e7cde6a20b42c9fe49859b0b41
SHA512

2c3fdd5f9af0d7c4b35cad5f6b905c361a08d1ef629fda6b6bd6f92d2901ddff4ac9839574461d581275e53e7f9ccfe8dfd7cb2ba88946a92d264b25d5e65618

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4360	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Heaven's Exploits\Solara\workspace\IY_FE.iy"
1⤵
- Modifies registry class
PID:380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4360

Network

DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

50.192.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.192.11.51.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

43.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.56.20.217.in-addr.arpa

IN PTR

Response
DNS

57.110.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.110.18.2.in-addr.arpa

IN PTR

Response

57.110.18.2.in-addr.arpa

IN PTR

a2-18-110-57deploystaticakamaitechnologiescom

52.142.223.178:80

46 B
1

8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

50.192.11.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

50.192.11.51.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

43.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

43.56.20.217.in-addr.arpa
8.8.8.8:53

57.110.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

57.110.18.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.