WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER
Common Information
Type Value
UUID 2aa21676-66d1-4df8-8ca7-1fea078e3f01
Fingerprint b59039c62e34cc83
Analysis status DONE
Considered CTI value 2
Text language
Published Aug. 18, 2023, 3:33 p.m.
Added to db Oct. 24, 2023, 1:38 p.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER
Title WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER
Detected Hints/Tags/Attributes 108/2/77
Attributes
Type                      #Events   Value
Domain                    4128      github.com
Domain                    10        httpbin.org
Domain                    2         gteltsc.vn
File                      16        autodiscover.json
File                      4         redirsuiteserviceproxy.aspx
File                      8         erroree.aspx
File                      226       certutil.exe
File                      4         themes.aspx
File                      3         drsdkcaller.exe
File                      2         c:\root\drsdkcaller.exe
File                      8         all.exe
File                      3         c:\users\public\all.exe
File                      3         dump.dll
File                      3         c:\users\public\dump.dll
File                      7         ad.exe
File                      2         c:\users\public\ad.exe
File                      2         gpg-error.exe
File                      2         c:\perflogs\gpg-error.exe
File                      3         cm.exe
File                      2         c:\perflogs\cm.exe
File                      96        rar.exe
File                      1         c:\perflogs\ folder is the standard windows command line tool cmd.exe
File                      17        dll.dll
File                      1122      svchost.exe
File                      2         c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\redirsuiteserviceproxy.aspx
File                      2         c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\erroree.aspx
File                      2         180000000.dll
Github username           3         antoniococo
Github username           1         ncsgroupvn
sha256                    2         be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
sha256                    2         074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
sha256                    2         45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
sha256                    2         9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
sha256                    2         29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
sha256                    2         c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
sha256                    2         c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
sha256                    2         65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
sha256                    2         b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
sha256                    2         76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e
IPv4                      4         206.188.196.77
IPv4                      4         137.184.67.33
IPv4                      4         125.212.220.48
IPv4                      4         5.180.61.17
IPv4                      4         47.242.39.92
IPv4                      4         61.244.94.85
IPv4                      4         86.48.6.69
IPv4                      4         86.48.12.64
IPv4                      4         94.140.8.48
IPv4                      4         94.140.8.113
IPv4                      4         103.9.76.208
IPv4                      4         103.9.76.211
IPv4                      5         104.244.79.6
IPv4                      4         112.118.48.186
IPv4                      4         122.155.174.188
IPv4                      4         125.212.241.134
IPv4                      4         185.220.101.182
IPv4                      4         194.150.167.88
IPv4                      4         212.119.34.11
MITRE ATT&CK Techniques   19        T1586.002
MITRE ATT&CK Techniques   333       T1059.003
MITRE ATT&CK Techniques   310       T1047
MITRE ATT&CK Techniques   104       T1505.003
MITRE ATT&CK Techniques   297       T1070.004
MITRE ATT&CK Techniques   183       T1036.005
MITRE ATT&CK Techniques   91        T1620
MITRE ATT&CK Techniques   173       T1003.001
MITRE ATT&CK Techniques   179       T1087
MITRE ATT&CK Techniques   585       T1083
MITRE ATT&CK Techniques   433       T1057
MITRE ATT&CK Techniques   119       T1049
MITRE ATT&CK Techniques   118       T1570
MITRE ATT&CK Techniques   116       T1560.001
Url                       1         https://github.com/antoniococo/sharpyshell
Url                       4         http://206.188.196.77:8080/themes.aspx
Url                       2         https://httpbin.org/get
Url                       1         https://github.com/ncsgroupvn/ncse0scanner
Url                       1         https://gteltsc.vn