cb4fe6a46082486c1e1c80a6ba56d50933a378b263a3eea386e6f892829329de

Analysis

max time kernel
315s
max time network
1593s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/09/2024, 11:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

applist.fatih
Size

194B
MD5

670417a5203a2d09d10d6fe69172500d
SHA1

121b7f1d02197508adb79c270d7fdbb263735f85
SHA256

bed4a15e52065fede5b3966ad12a238c76d99acbb38cae33ae97f584730c8beb
SHA512

756e9b7fa010eaf57b5d883bb9cfa6d3eaca0c552f1cd48612a0316e835bc5b197da9242006b5e43e51eeb83f751c3643aa111e8818c273c2d0c4f3c74803a0f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2460	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\applist.fatih
1⤵
- Modifies registry class
PID:3692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2460

Network

DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

23.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.173.189.20.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

167.205.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.205.23.2.in-addr.arpa

IN PTR

Response

167.205.23.2.in-addr.arpa

IN PTR

a2-23-205-167deploystaticakamaitechnologiescom

52.111.227.11:443

322 B
7

8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

23.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.173.189.20.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

167.205.23.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

167.205.23.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.