UN GROUPE CYBERCRIMINEL AUX MULTIPLES RANÇONGICIELS (A cybercriminal group with multiple ransomware strains)
Common Information
Field | Value
UUID | d4f161e2-684f-424b-be3d-69be0f322531
Fingerprint | 5c096d6ee257d5dbd18bb63f78aa471a683d5cc2fc4fc147b26081905d6973fc
Analysis status | DONE
Considered CTI value | 2
Text language |
Published | Sept. 12, 2023, 10:35 a.m.
Added to db | March 10, 2024, 3:23 a.m.
Last updated | Aug. 30, 2024, 10:34 p.m.
Headline | UN GROUPE CYBERCRIMINEL AUX MULTIPLES RANÇONGICIELS
Title | UN GROUPE CYBERCRIMINEL AUX MULTIPLES RANÇONGICIELS
Detected Hints/Tags/Attributes | 144/3/142
Attributes
Type | #Events | Value
CVE | 6 | cve-2023-21746
CVE | 38 | cve-2022-24521
CVE | 91 | cve-2021-34527
CVE | 197 | cve-2019-0708
CVE | 217 | cve-2020-1472
CVE | 50 | cve-2022-41080
CVE | 127 | cve-2022-41082
CVE | 65 | cve-2021-1675
Domain | 1 | youthconscience.com
Domain | 2 | tumbleproperty.com
Domain | 1 | texasflooddesign.com
Domain | 1 | performernews.com
Domain | 1 | getinteriorartstudio.com
Domain | 1 | tributepower.com
Domain | 1 | realversedesign.com
Domain | 1 | purpleinfluenceonline.com
Domain | 1 | herbswallow.com
Domain | 1 | psychologymax.com
Domain | 1 | jacketsupport.com
Domain | 1 | mirrordirectory.com
Domain | 4127 | github.com
Domain | 2 | secjoes-reports.s3.eu-central-1.amazonaws.com
Domain | 1 | sploitus.com
Domain | 167 | www.ic3.gov
Domain | 1373 | twitter.com
Domain | 469 | www.cisa.gov
Domain | 207 | learn.microsoft.com
Domain | 182 | www.mandiant.com
Domain | 123 | www.reuters.com
Domain | 397 | www.microsoft.com
Domain | 99 | therecord.media
Domain | 29 | www.trellix.com
Domain | 105 | web.archive.org
Domain | 6 | www.advintel.io
Domain | 4 | blog.bushidotoken.net
Domain | 604 | www.trendmicro.com
Domain | 4 | cert.ssi.gouv.fr
Domain | 14 | ssi.gouv.fr
Email | 2 | cert-fr@ssi.gouv.fr
File | 4 | host.dll
File | 1 | b64.exe
File | 1 | cleanlpe1day.exe
File | 3 | localpotato.exe
File | 1 | lpe.exe
File | 1122 | svchost.exe
File | 1 | sharproast.exe
File | 40 | netscan.exe
File | 2 | pingcastle.exe
File | 1 | pingcastleautoupdater.exe
File | 2 | lpe-exploit-runasuser.bat
File | 1 | step1-runasadmin.bat
File | 1 | step2-runasuser.bat
File | 2 | spn.exe
File | 1 | spn_nf3.exe
File | 4 | spider.dll
File | 2 | spider_32.dll
File | 1 | creshar.exe
File | 1 | makemegood.bat
File | 1 | bks.exe
File | 24 | xxx.exe
File | 1 | passwordar.txt
File | 1 | %windir%\syswow64\locator.exe
File | 1 | %windir%\sysnative\w32tm.exe
File | 1 | sockbot%2bin%2bgoland.pdf
File | 4 | 220420.pdf
File | 2 | fin12-group-profile.pdf
File | 1 | the-panama-papers-of-ransomware.html
File | 1 | the-continuity-of-conti.html
File | 1 | resurfaces-as-royal-ransomware-wit.html
File | 1 | to-hive-.html
File | 1 | unmasks-it-as-another-hive-aff.html
Github username | 3 | decoder-it
Github username | 29 | gentilkiwi
Github username | 18 | ghostpack
Github username | 9 | threatexpress
Github username | 1 | theparmak
md5 | 1 | 32f7e0b84b76a8f8ec0069e2188475e5
sha1 | 1 | 8a0743f17110dc945007f08f3e63da166a3937dc
sha1 | 1 | 9e2737994aa8bf0d6900e5369d51978adc4c02f9
sha1 | 1 | 364a4d9ea6f88eec098b13728fce2c1ead94c48d
sha1 | 1 | 8291929d6f3ede6ec025c21d1559a7fe9d30a9ce
sha1 | 1 | 70ad1a42ce05404c00513989c949c83a94feca92
sha1 | 1 | 28400c267815762e49c200e8b481a592c67f9cf7
sha1 | 1 | d65969088eb8f6098c33c5427a650e8576cdbfa6
sha1 | 1 | eeaf29a71330db50cdd4630f8d9f1c2b6a34578c
sha1 | 1 | 292629c6ab33bddf123d26328025e2d157d9e8fc
sha1 | 1 | 536734aa6ec0f0b1ba8e43088edc6857eca42667
sha1 | 1 | e2a68116d52182f207c087f349e04e049982d431
sha1 | 1 | fae6068d4433b33751bf7de866d7f2900aa15139
sha1 | 1 | d69420a636dacfbafaf01f7153692c197e9b6400
sha1 | 1 | 68a07540fbf58fe743636b7fc8f0370c84134eb3
sha1 | 1 | 58cb839dbc0232874b6fed9a354d4cc6d355cbac
sha1 | 1 | 1e0ec6994400413c7899cd5c59bdbd6397dea7b5
sha1 | 1 | 35ff55bcf493e1b936dc6e978a981ee2a75543a1
sha1 | 1 | a00ebf699ea0759e7bf4af65dddd741133c38484
sha1 | 1 | df12386df2c0fcf65522282914424d63da962d79
IPv4 | 1 | 149.28.197.120
IPv4 | 1 | 149.28.213.157
IPv4 | 1 | 2.11.0.1
IPv4 | 1 | 96.30.196.207
IPv4 | 1 | 45.32.132.182
Mandiant Uncategorized Groups | 27 | UNC1878
MITRE ATT&CK Techniques | 59 | T1588.002
MITRE ATT&CK Techniques | 32 | T1583.004
MITRE ATT&CK Techniques | 191 | T1133
MITRE ATT&CK Techniques | 71 | T1078.002
MITRE ATT&CK Techniques | 51 | T1136.001
MITRE ATT&CK Techniques | 208 | T1068
MITRE ATT&CK Techniques | 183 | T1036.005
MITRE ATT&CK Techniques | 49 | T1110.003
MITRE ATT&CK Techniques | 173 | T1003.001
MITRE ATT&CK Techniques | 36 | T1558.003
MITRE ATT&CK Techniques | 168 | T1046
MITRE ATT&CK Techniques | 243 | T1018
MITRE ATT&CK Techniques | 109 | T1210
MITRE ATT&CK Techniques | 14 | T1090.004
MITRE ATT&CK Techniques | 95 | T1572
Deprecated Microsoft Threat Actor Naming Taxonomy (Groups in development) | 11 | DEV-0237
Threat Actor Identifier - FIN | 42 | FIN12
Url | 1 | https://github.com/decoder-it/localpotato
Url | 1 | https://secjoes-reports.s3.eu-central-1.amazonaws.com/sockbot%2bin%2bgoland.pdf
Url | 5 | https://github.com/gentilkiwi/mimikatz
Url | 1 | https://github.com/ghostpack/sharproast
Url | 1 | https://sploitus.com/exploit?id=86f04665
Url | 4 | https://www.ic3.gov/media/news/2022/220420.pdf
Url | 1 | https://github.com/threatexpress/random_c2_profile
Url | 1 | https://twitter.com/cryptolaemus1/status/1502069552246575105
Url | 3 | https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
Url | 1 | https://learn.microsoft.com/fr-fr/microsoft-365/security/intelligence/microsoft-
Url | 2 | https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf
Url | 1 | https://www.mandiant.com/resources/blog/fin12-ransomware-intrusion-actor-pursuing-
Url | 1 | https://www.reuters.com/article/us-usa-healthcare-cyber-iduskbn27d35u
Url | 3 | https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-
Url | 1 | https://therecord.media/disgruntled-
Url | 1 | https://www.trellix.com/en-gb/about/newsroom/stories/research/conti-leaks-examining-
Url | 1 | http://web.archive.org/web/20230208190313/https://www.advintel.io/post/anatomy-of-
Url | 1 | https://github.com/theparmak/conti-leaks-englished
Url | 1 | https://blog.bushidotoken.net/2022/11/the-continuity-of-conti.html
Url | 1 | https://www.trendmicro.com/en_us/research/22/l/conti-
Url | 2 | https://twitter.com/vk_intel/status/1557003350541242369
Url | 1 | https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-
Url | 1 | https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-
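The attribute list above mixes values seen in only one or two reports (the hashes, the IP addresses, the single-event domains) with the hostnames and file names of the report's own references (github.com, www.cisa.gov, fin12-group-profile.pdf) and with values such as svchost.exe that the database has seen in over a thousand unrelated entries. Feeding the whole list into a blocklist would block citation sources and alert on every Windows host. The Python below is an added example, not code from this page or from the CERT-FR report it indexes: it parses the page's two-line "Details Type #Events / value" layout into structured attributes, treats every host of a listed Url as a cited source rather than a candidate for blocking, and uses the #Events count to set aside values too common to act on. The sample rows are a constructed excerpt of the table above, and the generic_threshold of 100 events is an assumption of this example, not a rule stated on the page.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt of the page's attribute table, in its own two-line
# "Details <Type> <#Events>" / "<value>" layout (a few rows, not the full list).
SAMPLE = """\
Details Type #Events CTI Value
Details CVE 217
cve-2020-1472
Details Domain 1
youthconscience.com
Details Domain 4127
github.com
Details Domain 469
www.cisa.gov
Details File 1122
svchost.exe
Details File 3
localpotato.exe
Details IPv4 1
149.28.197.120
Details Url 1
https://github.com/decoder-it/localpotato.
Details Url 3
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a.
"""

# A header row: "Details", a (possibly multi-word) type, then the event count.
ROW = re.compile(r"^Details (?P<type>.+?) (?P<events>\d+)$")


def parse_attributes(text):
    """Return {type: [(value, events), ...]} from the two-line table layout.

    The trailing '.' on some values is citation punctuation captured by the
    extractor, so it is stripped. Lines that are not a type/count header
    followed by a value (such as the column header) are skipped.
    """
    out = defaultdict(list)
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    i = 0
    while i < len(lines):
        m = ROW.match(lines[i])
        if m and i + 1 < len(lines):
            out[m["type"]].append((lines[i + 1].rstrip("."), int(m["events"])))
            i += 2
        else:
            i += 1
    return dict(out)


def reference_hosts(attrs):
    """Hostnames of the report's cited URLs: sources to read, never to block."""
    return {urlparse(url).hostname for url, _ in attrs.get("Url", [])}


def triage(attrs, generic_threshold=100):
    """Split attributes into what to block, what to hunt for, and what to ignore.

    generic_threshold is an assumption of this example: a value the database
    has already tied to hundreds of unrelated reports (github.com, svchost.exe)
    is too common to be a useful indicator on its own.
    """
    refs = reference_hosts(attrs)
    blocklist, hunt_files, generic = [], [], []
    for domain, n in attrs.get("Domain", []):
        if domain in refs:
            continue  # host of a cited source, not an indicator
        (generic if n >= generic_threshold else blocklist).append(domain)
    for ip, n in attrs.get("IPv4", []):
        (generic if n >= generic_threshold else blocklist).append(ip)
    for name, n in attrs.get("File", []):
        (generic if n >= generic_threshold else hunt_files).append(name)
    return {
        "blocklist": sorted(blocklist),
        "hunt_files": sorted(hunt_files),
        "reference_hosts": refs,
        "generic": sorted(generic),
    }


if __name__ == "__main__":
    import json

    result = triage(parse_attributes(SAMPLE))
    result["reference_hosts"] = sorted(result["reference_hosts"])
    print(json.dumps(result, indent=2))
```

Run against the full table, the same logic keeps the single-event domains, the five IPv4 entries and the hashes, and drops github.com, twitter.com, www.cisa.gov and the other citation hosts even though they are tagged as Domain attributes. The output still needs a human pass before it reaches a firewall or EDR rule: an IPv4 entry such as 2.11.0.1 is worth checking against the source text, since pattern-based extraction will happily tag a version string as an address.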