The Curious Case of an Egg-Cellent Resume
Tags
Common Information
| Type | Value |
|---|---|
| UUID | 73a9ba28-c526-4109-859f-fc2bad20576a |
| Fingerprint | a4aca7d529ac8483 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Dec. 2, 2024, 1:50 a.m. |
| Added to db | Dec. 2, 2024, 3:54 a.m. |
| Last updated | Dec. 18, 2024, 3:14 p.m. |
| Headline | The Curious Case of an Egg-Cellent Resume |
| Title | The Curious Case of an Egg-Cellent Resume |
| Detected Hints/Tags/Attributes | 178/3/174 |
Source URLs
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 249 | ✔ | The DFIR Report | https://thedfirreport.com/feed/ | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 87 | cve-2023-27532 |
|
| Details | Domain | 33 | temp.sh |
|
| Details | Domain | 1 | shimkus.zip |
|
| Details | Domain | 2 | johnshimkus.com |
|
| Details | Domain | 33 | lolbas-project.github.io |
|
| Details | Domain | 2 | a92837f.johnshimkus.com |
|
| Details | Domain | 1 | cloudflared.zip |
|
| Details | Domain | 4335 | github.com |
|
| Details | Domain | 1 | scaner.zip |
|
| Details | Domain | 2 | pin.howasit.com |
|
| Details | Domain | 2 | shehasgone.com |
|
| Details | Domain | 97 | bing.com |
|
| Details | Domain | 1 | python-3.10.4-embed-amd64.zip |
|
| Details | Domain | 1 | cradle.py |
|
| Details | Domain | 1 | crade.py |
|
| Details | Domain | 2 | annetterawlings.com |
|
| Details | Domain | 2 | mitchellspearman.com |
|
| Details | Domain | 2 | mikedecook.com |
|
| Details | Domain | 2 | davidopkins.com |
|
| Details | Domain | 2 | markqualman.com |
|
| Details | Domain | 2 | julienolsson.com |
|
| Details | Domain | 2 | wlynch.com |
|
| Details | Domain | 4 | johncboins.com |
|
| Details | Domain | 2 | christianvelour.com |
|
| Details | Domain | 2 | lisasierra.com |
|
| Details | Domain | 2 | jacksallay.com |
|
| Details | File | 13 | ie4uinit.exe |
|
| Details | File | 24 | msxsl.exe |
|
| Details | File | 1 | shimkus.zip |
|
| Details | File | 14 | 2.jpg |
|
| Details | File | 2226 | cmd.exe |
|
| Details | File | 4 | ieuinit.inf |
|
| Details | File | 1 | fines%%.inf |
|
| Details | File | 23 | %windir%\system32\cmd.exe |
|
| Details | File | 1 | %windir%\system32\ie4uinit.exe |
|
| Details | File | 1 | %appdata%\microsoft\ie4uinit.exe |
|
| Details | File | 1 | 20350.dll |
|
| Details | File | 145 | wmiprvse.exe |
|
| Details | File | 1 | c:\programdata\microsoft\51d7701f6eb775c7.txt |
|
| Details | File | 1 | c:\programdata\microsoft\29d88f75006be8a.txt |
|
| Details | File | 1 | c:\programdata\microsoft\178f2e426.txt |
|
| Details | File | 1 | c:\programdata\microsoft\msxsl.exe |
|
| Details | File | 1 | 29d88f75006be8a.txt |
|
| Details | File | 11 | typeperf.exe |
|
| Details | File | 10 | 32.exe |
|
| Details | File | 474 | regsvr32.exe |
|
| Details | File | 1 | 178f2e426.txt |
|
| Details | File | 1 | cloudflared.zip |
|
| Details | File | 20 | webcachev01.dat |
|
| Details | File | 31 | c:\windows\system32\msiexec.exe |
|
| Details | File | 1 | c:\programdata\cloudflared\cloudflared-windows-amd64.msi |
|
| Details | File | 1 | cloudflared-windows-amd64.exe |
|
| Details | File | 3 | cloudflared.exe |
|
| Details | File | 267 | net.exe |
|
| Details | File | 14 | c:\windows\notepad.exe |
|
| Details | File | 396 | notepad.exe |
|
| Details | File | 3 | veeamhax.exe |
|
| Details | File | 37 | powershell_ise.exe |
|
| Details | File | 9 | veeam-get-creds.ps1 |
|
| Details | File | 1053 | rundll32.exe |
|
| Details | File | 419 | c:\windows\system32\cmd.exe |
|
| Details | File | 1 | %temp%\22041.txt |
|
| Details | File | 1 | %temp%\51362.txt |
|
| Details | File | 1 | %temp%\26906.txt |
|
| Details | File | 10 | c:\\windows\\system32\\rundll32.exe |
|
| Details | File | 1 | seatinfo.txt |
|
| Details | File | 1 | share.txt |
|
| Details | File | 4 | c:\programdata\shares.txt |
|
| Details | File | 2 | c:\programdata\seatinfo.txt |
|
| Details | File | 55 | adfind.exe |
|
| Details | File | 1 | c:\programdata\scaner.zip |
|
| Details | File | 1 | c:\programdata\scaner\scaner\netscan.exe |
|
| Details | File | 42 | netscan.exe |
|
| Details | File | 1 | c:\programdata\payload_cr1.dll |
|
| Details | File | 1 | lu.png |
|
| Details | File | 1 | 4-embed-amd64.zip |
|
| Details | File | 1 | c:\programdata\ssh\7za.exe |
|
| Details | File | 71 | python.exe |
|
| Details | File | 1 | cradle.py |
|
| Details | File | 1 | crade.py |
|
| Details | File | 1 | 'base-bof_nanodump.py |
|
| Details | File | 1 | cloudflared-windows-amd64.msi |
|
| Details | File | 1 | payload_cr1.dll |
|
| Details | File | 1 | shimkus.pdf |
|
| Details | File | 1 | 5477ca40.txt |
|
| Details | File | 1 | c:\programdata\microsoft\5477ca40.txt |
|
| Details | File | 1 | 2a2052faa08d525.txt |
|
| Details | File | 1 | c:\programdata\microsoft\2a2052faa08d525.txt |
|
| Details | File | 1 | 16304.dll |
|
| Details | File | 1 | c:\users\user\appdata\roaming\microsoft\16304.dll |
|
| Details | File | 1 | 495d3bb0fec9.txt |
|
| Details | File | 1 | c:\programdata\microsoft\495d3bb0fec9.txt |
|
| Details | File | 1 | 60052.txt |
|
| Details | File | 1 | c:\windows\temp\60052.txt |
|
| Details | File | 1 | c:\users\user\appdata\local\temp\48744.txt |
|
| Details | File | 8 | tar.exe |
|
| Details | File | 55 | nltest.exe |
|
| Details | File | 64 | whoami.exe |
|
| Details | Github username | 5 | sfewer-r7 |
|
| Details | Github username | 2 | sadshade |
|
| Details | Github username | 22 | the-dfir-report |
|
| Details | md5 | 1 | ddce269a1e3d054cae349621c198dd52 |
|
| Details | md5 | 28 | a0e9f5d64349fb13191bc781f81f42e1 |
|
| Details | md5 | 2 | d32d6a0ff9d52869cb6d4ab402b7306c |
|
| Details | md5 | 2 | 987ad23508239b58739279048cb850d5 |
|
| Details | md5 | 2 | 14c72c6c628104de0a93df124caa3e4a |
|
| Details | md5 | 2 | 6a0ddc6b06db8f7fef1e8934347d150d |
|
| Details | md5 | 2 | bace25f5a53a4e6cde31fe2ca2bc39a9 |
|
| Details | md5 | 2 | 6886f4cce4041cf27dff8e2ecfbfd38d |
|
| Details | md5 | 2 | 4fdbae9775a20dc33dec05e408c2a2ad |
|
| Details | sha1 | 2 | 62ea63b720556bda73eaf95be7a282193d19aa4d |
|
| Details | sha1 | 2 | 03bd5fa3fa4b06190b26762c4ea7b4e6ac615819 |
|
| Details | sha1 | 2 | 6a8fed99d66e84524fc75c7bfe003dea750dab11 |
|
| Details | sha1 | 2 | ac6521fa3b00f4e70ffb97ee1dfa895097d01dc8 |
|
| Details | sha1 | 2 | b68eaed2a653ca79b8ef0b261eb4047ced6e16f4 |
|
| Details | sha1 | 2 | 3eaa51632f2beae23d9811b9ff91e31c91092177 |
|
| Details | sha256 | 2 | ffc89a2026fa2b2364dd180ede662fa4ac161323388f3553b6d6e4cb2601cb1f |
|
| Details | sha256 | 2 | b56d2e095dc6c2171e461ca737cbdc0a35de7f4729b31fe41258f9cbd81309a1 |
|
| Details | sha256 | 2 | 408f1f982bef7ab5a79057eec4079e5e8d87a0ee83361c79469018b791c03e8f |
|
| Details | sha256 | 3 | aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d |
|
| Details | sha256 | 3 | 4b8be22b23cd9098218a6f744baeb45c51b6fad6a559b01fe92dbb53c6e2c128 |
|
| Details | sha256 | 2 | 4569c869047a092032f6eac7cf0547591a03a0d750a6b104a606807ea282d608 |
|
| Details | sha256 | 2 | a26379ad2eb9de44691da254182ca65fb32596fe1217fe4fbddb173f361a0a9b |
|
| Details | sha256 | 3 | a8a7fdbbc688029c0d97bf836da9ece926a85e78986d0e1ebd9b3467b3a72258 |
|
| Details | sha256 | 2 | 95634a5c6a8290aaa9d287f28c7d22b3b7ca1cf974339fc89ea4d542fa2ec45a |
|
| Details | sha256 | 2 | fe63fdf34d66f1658e2c9227ac84adffaa2cbb8b689999d4d1ebc733fc5f0fce |
|
| Details | sha256 | 2 | bd3df53a397af4fe5e1441b2c91a6149bac9d26c94e46de9dbcbfa9b8647a935 |
|
| Details | sha256 | 2 | 29bc115b5ae8cf19578c1c6a6743c3e53b9247d8eb6c556bc9d056994c58835b |
|
| Details | sha256 | 2 | 757e297137e8ed21622297ae8885740b5beb09bc07141cf8ce7b24dbd95bdaf0 |
|
| Details | sha256 | 2 | 6f12dc858631cf90cd4fef57fbb52675b8649d777c7f86384c6535da0a59ad67 |
|
| Details | sha256 | 2 | 228cd867898ab0b81d31212b2da03cc3e349c9000dfb33e77410e2937cea8532 |
|
| Details | sha256 | 2 | cbe1f43ad7a19c97a521a662dd406a3fb345ae919271cefc694a71e55fe163f5 |
|
| Details | IPv4 | 2 | 108.174.197.15 |
|
| Details | IPv4 | 2 | 144.208.127.15 |
|
| Details | IPv4 | 2 | 109.104.152.24 |
|
| Details | IPv4 | 2 | 172.96.139.82 |
|
| Details | Mandiant Temporary Group Assumption | 19 | TEMP.SH |
|
| Details | MITRE ATT&CK Techniques | 31 | T1217 |
|
| Details | MITRE ATT&CK Techniques | 89 | T1136 |
|
| Details | MITRE ATT&CK Techniques | 175 | T1555 |
|
| Details | MITRE ATT&CK Techniques | 310 | T1562.001 |
|
| Details | MITRE ATT&CK Techniques | 105 | T1087.002 |
|
| Details | MITRE ATT&CK Techniques | 78 | T1069.002 |
|
| Details | MITRE ATT&CK Techniques | 126 | T1482 |
|
| Details | MITRE ATT&CK Techniques | 216 | T1068 |
|
| Details | MITRE ATT&CK Techniques | 600 | T1083 |
|
| Details | MITRE ATT&CK Techniques | 308 | T1070.004 |
|
| Details | MITRE ATT&CK Techniques | 508 | T1105 |
|
| Details | MITRE ATT&CK Techniques | 73 | T1087.001 |
|
| Details | MITRE ATT&CK Techniques | 34 | T1069.001 |
|
| Details | MITRE ATT&CK Techniques | 178 | T1003.001 |
|
| Details | MITRE ATT&CK Techniques | 385 | T1204.002 |
|
| Details | MITRE ATT&CK Techniques | 171 | T1046 |
|
| Details | MITRE ATT&CK Techniques | 186 | T1135 |
|
| Details | MITRE ATT&CK Techniques | 435 | T1566 |
|
| Details | MITRE ATT&CK Techniques | 490 | T1059.001 |
|
| Details | MITRE ATT&CK Techniques | 99 | T1572 |
|
| Details | MITRE ATT&CK Techniques | 156 | T1090 |
|
| Details | MITRE ATT&CK Techniques | 62 | T1059.006 |
|
| Details | MITRE ATT&CK Techniques | 165 | T1021.001 |
|
| Details | MITRE ATT&CK Techniques | 246 | T1018 |
|
| Details | MITRE ATT&CK Techniques | 287 | T1053.005 |
|
| Details | MITRE ATT&CK Techniques | 146 | T1518.001 |
|
| Details | Pdb | 1 | e:\developer\yahtochka\2\cve-2023-27532\obj\release\veeamhax.pdb |
|
| Details | Pdb | 1 | seatbelt.pdb |
|
| Details | Pdb | 1 | c:\\users\\mmoser\\source\\repos\\sharpshares\\sharpshares\\obj\\release\\sharpshares.pdb |
|
| Details | Threat Actor Identifier - FIN | 81 | FIN6 |
|
| Details | Url | 1 | https://lolbas-project.github.io/lolbas/binaries/ie4uinit |
|
| Details | Url | 2 | http://a92837f.johnshimkus.com/setthevar |
|
| Details | Url | 1 | https://lolbas-project.github.io/lolbas/othermsbinaries/msxsl |
|
| Details | Url | 2 | https://github.com/sfewer-r7/cve-2023-27532 |
|
| Details | Url | 1 | https://github.com/sadshade/veeam-creds/blob/main/veeam-get-creds.ps1 |
|
| Details | Url | 1 | https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-domain-controller-hashes-via-wmic-and-shadow-copy-using-vssadmin |
|
| Details | Url | 1 | https://github.com/the-dfir-report/yara-rules/blob/main/27899/27899.yar |