Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis
Tags
| country: | Netherlands United States Of America |
| attack-pattern: | Data Powershell - T1059.001 Python - T1059.006 Server - T1583.004 Server - T1584.004 Connection Proxy - T1090 Powershell - T1086 |
Common Information
| Type | Value |
|---|---|
| UUID | ab074f2a-ee19-40c3-bd28-fc0a4ac826ba |
| Fingerprint | aed14053be6283d5 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | March 25, 2021, midnight |
| Added to db | Jan. 18, 2023, 8:36 p.m. |
| Last updated | Nov. 18, 2024, 1:38 a.m. |
| Headline | Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis |
| Title | Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis |
| Detected Hints/Tags/Attributes | 48/2/276 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 184 | cve-2021-26855 |
|
| Details | Domain | 9 | microsoft.exchange.management |
|
| Details | Domain | 150 | www.w3.org |
|
| Details | Domain | 73 | schemas.microsoft.com |
|
| Details | Domain | 32 | schemas.xmlsoap.org |
|
| Details | Domain | 339 | system.net |
|
| Details | Domain | 1 | outlooken.us |
|
| Details | 1 | admin@domain.tld |
||
| Details | File | 1 | j2r3.js |
|
| Details | File | 1 | test1337.aspx |
|
| Details | File | 1 | ssrf.js |
|
| Details | File | 17 | exchange.asmx |
|
| Details | File | 31 | schemas.xml |
|
| Details | File | 5 | run.ps1 |
|
| Details | File | 153 | config.json |
|
| Details | File | 1 | c:\temp\111\config.json |
|
| Details | File | 4 | javacpl.exe |
|
| Details | File | 1 | c:\temp\111\javacpl.exe |
|
| Details | File | 20 | winring0x64.sys |
|
| Details | File | 1 | c:\temp\111\winring0x64.sys |
|
| Details | File | 1209 | powershell.exe |
|
| Details | File | 3 | log.aspx |
|
| Details | File | 5 | outlooken.aspx |
|
| Details | File | 5 | httpproxy.aspx |
|
| Details | File | 6 | aspnet_client.aspx |
|
| Details | File | 6 | discover.aspx |
|
| Details | File | 3 | supp0rt.aspx |
|
| Details | File | 4 | aspnet_iisstart.aspx |
|
| Details | File | 1 | fexppw.aspx |
|
| Details | File | 2 | xclkmcfldfi948398430fdjkfdkj.aspx |
|
| Details | File | 2 | server.aspx |
|
| Details | File | 2 | 8lw7tahf9i1pjnro.aspx |
|
| Details | File | 2 | logg.aspx |
|
| Details | File | 4 | xx.aspx |
|
| Details | File | 3 | a.aspx |
|
| Details | File | 1 | errorfs.aspx |
|
| Details | File | 2 | errorpage.aspx |
|
| Details | File | 1 | getpp.aspx |
|
| Details | File | 2 | aspnet_pages.aspx |
|
| Details | File | 82 | default.aspx |
|
| Details | File | 2 | fatal-erro.aspx |
|
| Details | File | 2 | errorpages.aspx |
|
| Details | File | 2 | shel90.aspx |
|
| Details | File | 2 | err0r.aspx |
|
| Details | File | 14 | logout.aspx |
|
| Details | File | 1 | log3.aspx |
|
| Details | File | 1 | exchange_create_css.aspx |
|
| Details | File | 5 | redirsuiteserverproxy.aspx |
|
| Details | File | 1 | eror.aspx |
|
| Details | File | 1 | 0qwysexe.aspx |
|
| Details | File | 2 | one1.aspx |
|
| Details | File | 2 | session.aspx |
|
| Details | File | 2 | iispage.aspx |
|
| Details | File | 1 | logx2.aspx |
|
| Details | File | 1 | owafont_vo.aspx |
|
| Details | File | 1 | wlutyy.aspx |
|
| Details | File | 4 | aspnet_www.aspx |
|
| Details | File | 1 | hmask.aspx |
|
| Details | File | 1 | app222.aspx |
|
| Details | File | 1 | view_photos.aspx |
|
| Details | File | 1 | erroraa.aspx |
|
| Details | File | 4 | one.aspx |
|
| Details | File | 3 | errorcheck.aspx |
|
| Details | File | 1 | logfe.aspx |
|
| Details | File | 1 | zntwv.aspx |
|
| Details | File | 1 | owafont_vn.aspx |
|
| Details | File | 2 | shel.aspx |
|
| Details | File | 2 | shel2.aspx |
|
| Details | File | 2 | bob.aspx |
|
| Details | File | 2 | outlookzh.aspx |
|
| Details | File | 1 | daxlz.aspx |
|
| Details | File | 2 | authhead.aspx |
|
| Details | File | 1 | bg_gradient_login.aspx |
|
| Details | File | 2 | default1.aspx |
|
| Details | File | 17 | logon.aspx |
|
| Details | File | 3 | s.aspx |
|
| Details | File | 1 | 8auco9zk.aspx |
|
| Details | File | 2 | f48zhi6u.aspx |
|
| Details | File | 1 | e3mstjp8.aspx |
|
| Details | File | 2 | fc1b3wdp.aspx |
|
| Details | File | 2 | 2xjhwn19.aspx |
|
| Details | File | 1 | 0q1is7mn.aspx |
|
| Details | File | 20 | shell.aspx |
|
| Details | File | 1 | mcyhczdb.aspx |
|
| Details | File | 1 | sol.aspx |
|
| Details | File | 2 | aspnettest.aspx |
|
| Details | File | 1 | error_page.aspx |
|
| Details | File | 8 | error.aspx |
|
| Details | File | 2 | uwspmsfi.aspx |
|
| Details | File | 70 | web.config |
|
| Details | File | 2 | shellex.aspx |
|
| Details | File | 1 | uhsptwmg.aspx |
|
| Details | File | 8 | help.aspx |
|
| Details | File | 3 | load.aspx |
|
| Details | File | 1 | zxkzu6bn.aspx |
|
| Details | File | 1 | ogu7zfil.aspx |
|
| Details | File | 4 | web.aspx |
|
| Details | File | 4 | erroreee.aspx |
|
| Details | File | 1 | 27fib.aspx |
|
| Details | File | 8 | erroree.aspx |
|
| Details | File | 1 | b.aspx |
|
| Details | File | 4 | healthcheck.aspx |
|
| Details | File | 3 | t.aspx |
|
| Details | File | 2 | wanlin.aspx |
|
| Details | File | 7 | errorff.aspx |
|
| Details | File | 2 | test.aspx |
|
| Details | File | 5 | document.aspx |
|
| Details | File | 1 | evilcorp.aspx |
|
| Details | File | 1 | errorfe.aspx |
|
| Details | File | 4 | errorew.aspx |
|
| Details | File | 1 | outlookda.aspx |
|
| Details | File | 1 | outlookfr.aspx |
|
| Details | File | 1 | outlookit.aspx |
|
| Details | File | 1 | outlookde.aspx |
|
| Details | File | 1 | outlookes.aspx |
|
| Details | File | 2 | expiredpassword.aspx |
|
| Details | File | 1 | outlookpl.aspx |
|
| Details | File | 1 | outlookar.aspx |
|
| Details | File | 1 | outlookse.aspx |
|
| Details | File | 8 | logoff.aspx |
|
| Details | File | 1 | outlookas.aspx |
|
| Details | File | 1 | outlookio.aspx |
|
| Details | File | 3 | outlookcn.aspx |
|
| Details | File | 1 | service.aspx |
|
| Details | File | 1 | 1d.aspx |
|
| Details | File | 1 | metabase.aspx |
|
| Details | File | 1 | 7kmcs.aspx |
|
| Details | File | 3 | config.aspx |
|
| Details | File | 1 | cafzcu.aspx |
|
| Details | File | 1 | malrenavuy.aspx |
|
| Details | File | 1 | ahihi.aspx |
|
| Details | File | 1 | aa.aspx |
|
| Details | File | 1 | aspnet_iistart.aspx |
|
| Details | File | 1 | configs.aspx |
|
| Details | File | 2 | aspnet.aspx |
|
| Details | File | 1 | aspx_client.aspx |
|
| Details | File | 2 | error404.aspx |
|
| Details | File | 2 | client.aspx |
|
| Details | File | 1 | seclogon.aspx |
|
| Details | File | 1 | upnews.aspx |
|
| Details | File | 1 | system_io.aspx |
|
| Details | File | 1 | errorpe.aspx |
|
| Details | File | 1 | y3igh.aspx |
|
| Details | File | 1 | amnbjlxqohtv.aspx |
|
| Details | File | 1 | outlookqn.aspx |
|
| Details | File | 1 | view_tools.aspx |
|
| Details | File | 1 | 6gixzg.aspx |
|
| Details | File | 1 | ogzsis0l.aspx |
|
| Details | File | 1 | ignrop.aspx |
|
| Details | File | 1 | hmknq.aspx |
|
| Details | File | 1 | self.aspx |
|
| Details | File | 1 | desktopshellext.aspx |
|
| Details | File | 1 | 9vkfwtxt.aspx |
|
| Details | File | 1 | sohky.aspx |
|
| Details | File | 1 | rlvgk.aspx |
|
| Details | File | 1 | logerr.aspx |
|
| Details | File | 1 | pzbwl.aspx |
|
| Details | File | 2 | owaauth.aspx |
|
| Details | File | 1 | est11.aspx |
|
| Details | File | 2 | layout.aspx |
|
| Details | File | 1 | commonerror.aspx |
|
| Details | File | 1 | config1.aspx |
|
| Details | File | 1 | errordef.aspx |
|
| Details | File | 1 | iasads.aspx |
|
| Details | File | 1 | office365_ph.aspx |
|
| Details | File | 1 | 061a06908b.aspx |
|
| Details | File | 1 | zjbxcboi.aspx |
|
| Details | File | 1 | rwinsta.aspx |
|
| Details | File | 1 | erroreww.aspx |
|
| Details | File | 1 | temp.aspx |
|
| Details | File | 1 | frow.aspx |
|
| Details | File | 1 | test007.aspx |
|
| Details | File | 1 | fhsvc.aspx |
|
| Details | File | 1 | zeeomtdycx.aspx |
|
| Details | File | 1 | secauth.aspx |
|
| Details | File | 1 | exchanges.aspx |
|
| Details | File | 1 | atlthunk.aspx |
|
| Details | File | 1 | voqbetdoni.aspx |
|
| Details | File | 1 | secauth1.aspx |
|
| Details | File | 4 | online.aspx |
|
| Details | File | 1 | proximityservice.aspx |
|
| Details | File | 1 | outlookfront.aspx |
|
| Details | File | 1 | proxylogon.aspx |
|
| Details | File | 1 | ovfwhwjwwm.aspx |
|
| Details | File | 1 | qnx.aspx |
|
| Details | File | 1 | plorion.aspx |
|
| Details | File | 1 | uyqitybpew.aspx |
|
| Details | File | 5 | outlookru.aspx |
|
| Details | File | 1 | show.aspx |
|
| Details | File | 1 | errorfff.aspx |
|
| Details | File | 1 | kbdbene.aspx |
|
| Details | File | 2 | outlookus.aspx |
|
| Details | File | 1 | system.aspx |
|
| Details | File | 20 | login.aspx |
|
| Details | File | 1 | letmeinplzs.aspx |
|
| Details | File | 1 | jhj2zt9ouofp6vnbchg3.aspx |
|
| Details | File | 2 | signon.aspx |
|
| Details | File | 1 | ntprint.aspx |
|
| Details | File | 1 | m0xbqrg1ranzvgd3jixt.aspx |
|
| Details | File | 1 | qfmrucnzl.aspx |
|
| Details | File | 1 | xblgamesave.aspx |
|
| Details | File | 3 | outlookdn.aspx |
|
| Details | File | 1 | obq.aspx |
|
| Details | File | 1 | logaaa.aspx |
|
| Details | File | 5 | outlookjp.aspx |
|
| Details | File | 1 | jobjifr92erlmg1hcnf3.aspx |
|
| Details | File | 1 | hujwperocy7fo4g8eth3.aspx |
|
| Details | File | 1 | support.aspx |
|
| Details | File | 1 | hcdknzboha.aspx |
|
| Details | File | 5 | multiup.aspx |
|
| Details | File | 1 | fr5ha0d1dwfsqiumhlcq.aspx |
|
| Details | File | 1 | huupitrnpxvi.aspx |
|
| Details | File | 1 | dbuj9.aspx |
|
| Details | File | 1 | l2oxwtljs3gnmyhqv0kr.aspx |
|
| Details | File | 1 | xboxnetapisvc.aspx |
|
| Details | File | 1 | us.aspx |
|
| Details | File | 1 | krhhydpwb70ct362jmln.aspx |
|
| Details | File | 1 | outlookun.aspx |
|
| Details | File | 1 | aaa.aspx |
|
| Details | File | 1 | shelltest.aspx |
|
| Details | File | 1 | tst1.aspx |
|
| Details | File | 1 | tpmvscmgrsvr.aspx |
|
| Details | File | 1 | vqeualjkpcwonc7ypmlz.aspx |
|
| Details | File | 1 | asas.aspx |
|
| Details | File | 1 | tnlpge.aspx |
|
| Details | File | 3 | timeoutlogout.aspx |
|
| Details | File | 1 | zi3umczmpa5bwtyvpkse.aspx |
|
| Details | File | 1 | test13037.aspx |
|
| Details | File | 4 | signout.aspx |
|
| Details | File | 1 | theme-gsx8ujzpicf0.aspx |
|
| Details | File | 1 | theme-vten8snn874b.aspx |
|
| Details | File | 1 | qbfjm1sc.aspx |
|
| Details | File | 1 | iowym7c4.aspx |
|
| Details | File | 1 | e12b65rm.aspx |
|
| Details | File | 1 | vy4qlepg.aspx |
|
| Details | File | 1 | 3ue5mycq.aspx |
|
| Details | File | 1 | sj0f8qht.aspx |
|
| Details | File | 1 | cmvbghlz.aspx |
|
| Details | File | 1 | wfk2or3y.aspx |
|
| Details | File | 1 | gncwadkh.aspx |
|
| Details | File | 1 | rabiitch.aspx |
|
| Details | File | 1 | cs64lbpk.aspx |
|
| Details | File | 1 | wmspdmod.aspx |
|
| Details | File | 1 | 2tfgnswo.aspx |
|
| Details | File | 1 | checkerror635284.aspx |
|
| Details | File | 1 | 3nhhpxj5.aspx |
|
| Details | File | 1 | 1a2zeqou.aspx |
|
| Details | File | 1 | lgnleft.aspx |
|
| Details | File | 1 | 1d61acae91.aspx |
|
| Details | File | 9 | iisstart.aspx |
|
| Details | File | 1 | lo.aspx |
|
| Details | File | 1 | mini-reverse.ps1 |
|
| Details | md5 | 1 | 79e2c9953f452f777d55749f01e5f3b7 |
|
| Details | md5 | 1 | 2d4d75e46f6de65fba2451da71686322 |
|
| Details | md5 | 1 | 0fe28f557e9997cd2750ff3fa86a659e |
|
| Details | md5 | 1 | 67f2d42e30f6239114feafc9ffd009d8 |
|
| Details | md5 | 3 | 0c0195c48b6b8582fa6f6373032118da |
|
| Details | IPv4 | 1441 | 127.0.0.1 |
|
| Details | IPv4 | 1 | 178.62.226.184 |
|
| Details | IPv4 | 1 | 159.89.95.163 |
|
| Details | IPv4 | 1 | 157.245.47.214 |
|
| Details | IPv4 | 1 | 159.65.206.137 |
|
| Details | Mandiant Temporary Group Assumption | 1 | TEMP.ASPX |
|
| Details | Url | 50 | http://www.w3.org/2001/xmlschema-instance |
|
| Details | Url | 3 | http://schemas.microsoft.com/exchange/services/2006/messages |
|
| Details | Url | 2 | http://schemas.microsoft.com/exchange/services/2006/types |
|
| Details | Url | 24 | http://schemas.xmlsoap.org/soap/envelope |
|
| Details | Url | 1 | http://178.62.226.184/run.ps1)").stdout.readall |
|
| Details | Url | 1 | http://178.62.226.184/run.ps1 |
|
| Details | Url | 1 | http://178.62.226.184/config.json","c:\temp\111\config.json |
|
| Details | Url | 1 | http://178.62.226.184/javacpl.exe","c:\temp\111\javacpl.exe |
|
| Details | Url | 1 | http://178.62.226.184/winring0x64.sys","c:\temp\111\winring0x64.sys |
|
| Details | Url | 1 | http://178.62.226.184/mini-reverse.ps1 |
|
| Details | Url | 1 | http://178.62.226.184/config.json |
|
| Details | Url | 1 | http://178.62.226.184/javacpl.exe |
|
| Details | Url | 1 | http://178.62.226.184/winring0x64.sys |