OODA: X-Ops Takes On Burgeoning SQL Server Attacks
Common Information
Type Value
UUID 0838cc78-55de-42fa-acee-f2051d6815cb
Fingerprint 850088dba0338a09
Analysis status DONE
Considered CTI value 2
Text language
Published July 20, 2022, 11 a.m.
Added to db Oct. 24, 2023, 1:42 p.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline OODA: X-Ops Takes On Burgeoning SQL Server Attacks
Title OODA: X-Ops Takes On Burgeoning SQL Server Attacks
Detected Hints/Tags/Attributes 76/3/62
Attributes
Type | #Events | Value | CTI Value
CVE | 7 | cve-2019-1068 |
CVE | 24 | cve-2020-0618 |
Domain | 339 | system.net |
Domain | 167 | tutanota.com |
Domain | 144 | cock.li |
Domain | 158 | aol.com |
Email | 2 | mallox@tutanota.com |
Email | 3 | recohelper@cock.li |
Email | 4 | china.helper@aol.com |
File | 409 | c:\windows\system32\cmd.exe |
File | 1 | %temp%\update.ps1 |
File | 35 | malware.exe |
File | 1 | 9yfhr4sl.exe |
File | 1 | c:\windows\serviceprofiles\networkservice\appdata\local\temp\9yfhr4sl.exe |
File | 1 | lvmsrqz_phdvabki.jpg |
File | 3 | update.ps1 |
File | 1 | m0qw5dj1.exe |
File | 1 | c:\windows\serviceprofiles\mssqlserver\appdata\local\temp\jbedw0vj.exe |
File | 1 | lhtot.exe |
File | 1 | %temp%\m0qw5dj1.exe |
File | 1 | arx-ikrbwika.exe |
File | 1 | vkda55h6.exe |
File | 119 | sqlservr.exe |
File | 1 | ukxamliyg.exe |
File | 1 | %temp%\9etvcrzf.exe |
File | 1 | c:\windows\serviceprofiles\networkservice\appdata\local\temp\c258see8.exe |
File | 1 | c258see8.exe |
File | 14 | c:\windows\system32\wbem\wmiprvse.exe |
File | 92 | c:\windows\system32\svchost.exe |
File | 23 | c:\windows\system32\services.exe |
File | 6 | c:\windows\system32\wininit.exe |
File | 89 | wininit.exe |
File | 5 | files.exe |
File | 1 | forma.xla |
File | 2 | 4.7z |
File | 172 | dllhost.exe |
File | 1 | qui.xla |
File | 1 | impazienzia.xla |
File | 1 | potare.xla |
File | 1 | arrfqx.dll |
File | 533 | ntdll.dll |
File | 1 | riverdela.exe |
File | 1 | c:\windows\serviceprofiles\networkservice\appdata\local\temp\a0hnp5kn.exe |
File | 1 | chiamando.png |
File | 1 | doni.exe |
File | 1 | q:\factoryrecovery\how to back your files.exe |
File | 1 | g-865-nmsamgr.exe |
md5 | 1 | 572275BEEA6ECA3A6089848060C1A26D |
sha256 | 1 | 7d0687911ea9423310b7b83ebec9f52944ac022795c3b796aca5f0d2d15954b1 |
sha256 | 1 | 8bb03cb1d5faf00b93612a10f24fb3afe025f59c0226a4b20b1a61fe06cd2077 |
sha256 | 1 | 5d0e4ef9ee1f3a319faa45c572b5e7097865ddbda3840d138ae65a7d829cfddf |
IPv4 | 1 | 91.243.44.105 |
IPv4 | 5 | 91.243.44.142 |
IPv4 | 2 | 91.243.44.42 |
IPv4 | 2 | 91.243.44.30 |
Url | 1 | http://91.243.44.105/lvmsrqz_phdvabki.jpg |
Url | 1 | http://91.243.44.105/lhtot.exe","%temp%\m0qw5dj1.exe |
Url | 1 | http://91.243.44.142/arx-ikrbwika.exe","c:\users\mssql$~1\appdata\local\temp\vkda55h6.exe |
Url | 1 | http://91.243.44.142/pl- |
Url | 1 | http://91.243.44.42/g-865-nmsamgr.exe |
Url | 1 | http://91.243.44.30/g-865-nmsamgr.exe |
Windows Registry Key | 2 | HKEY_CURRENT_USER\Software\Remcos |
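Added example, not code from this page, from the aggregator, or from the Sophos X-Ops report it indexes: a small matcher that loads the indicators in the attribute table above and runs them over constructed, Sysmon-like process, network and registry events. The event dict shape, the sample events, the decision to keep generic Windows binaries (cmd.exe, svchost.exe, ntdll.dll and the like) out of the filename set, and the "anything executing from the SQL Server or Network Service account's temp directory" rule are my assumptions, not statements the page makes. The two Url values where the extractor glued a download URL to its destination path are split on the `","` seam, and the truncated `http://91.243.44.142/pl-` entry is dropped because an exact match on a cut-off value can never fire.

```python
"""IOC matcher for the attribute table above (added example, constructed input)."""
import re

# Indicators copied from the table. Generic Windows binaries the table also
# lists are deliberately left out of IOC_FILENAMES: alone they are noise,
# and sqlservr.exe / cmd.exe are used as parent/child context instead.
IOC_IPS = {"91.243.44.105", "91.243.44.142", "91.243.44.42", "91.243.44.30"}
IOC_SHA256 = {
    "7d0687911ea9423310b7b83ebec9f52944ac022795c3b796aca5f0d2d15954b1",
    "8bb03cb1d5faf00b93612a10f24fb3afe025f59c0226a4b20b1a61fe06cd2077",
    "5d0e4ef9ee1f3a319faa45c572b5e7097865ddbda3840d138ae65a7d829cfddf",
}
IOC_MD5 = {"572275beea6eca3a6089848060c1a26d"}
IOC_FILENAMES = {
    "update.ps1", "malware.exe", "9yfhr4sl.exe", "lvmsrqz_phdvabki.jpg",
    "m0qw5dj1.exe", "jbedw0vj.exe", "lhtot.exe", "arx-ikrbwika.exe",
    "vkda55h6.exe", "ukxamliyg.exe", "9etvcrzf.exe", "c258see8.exe",
    "files.exe", "forma.xla", "4.7z", "qui.xla", "impazienzia.xla",
    "potare.xla", "arrfqx.dll", "riverdela.exe", "a0hnp5kn.exe",
    "chiamando.png", "doni.exe", "how to back your files.exe",
    "g-865-nmsamgr.exe",
}
IOC_REG_KEY = r"hkey_current_user\software\remcos"

# Url values as extracted; two carry a glued-on destination path, split off here.
_RAW_URLS = [
    "http://91.243.44.105/lvmsrqz_phdvabki.jpg",
    'http://91.243.44.105/lhtot.exe","%temp%\\m0qw5dj1.exe',
    'http://91.243.44.142/arx-ikrbwika.exe","c:\\users\\mssql$~1\\appdata\\local\\temp\\vkda55h6.exe',
    "http://91.243.44.42/g-865-nmsamgr.exe",
    "http://91.243.44.30/g-865-nmsamgr.exe",
]
IOC_URLS = {u.split('","')[0].lower() for u in _RAW_URLS}

# Assumption (my reading of the paths in the table, not the page's claim):
# execution out of the service accounts' temp directories is itself a signal.
SERVICE_TEMP_RE = re.compile(
    r"\\(?:serviceprofiles\\(?:mssqlserver|networkservice)|users\\mssql\$~1)"
    r"\\appdata\\local\\temp\\"
)
SHELLS = {"cmd.exe", "powershell.exe"}


def norm(path: str) -> str:
    return path.strip().lower().replace("/", "\\")


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def match_event(ev: dict) -> list[str]:
    """Return the indicator labels one event trips (empty list if clean)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image = norm(ev.get("image", ""))
        name = basename(image)
        if name in IOC_FILENAMES:
            hits.append(f"file:{name}")
        if ev.get("sha256", "").lower() in IOC_SHA256:
            hits.append("sha256")
        if ev.get("md5", "").lower() in IOC_MD5:
            hits.append("md5")
        if SERVICE_TEMP_RE.search(image):
            hits.append("exec-from-service-temp")
        if basename(ev.get("parent_image", "")) == "sqlservr.exe" and name in SHELLS:
            hits.append("sqlservr-spawned-shell")
    elif kind == "network":
        if ev.get("dst_ip") in IOC_IPS:
            hits.append(f"ip:{ev['dst_ip']}")
        if ev.get("url", "").lower() in IOC_URLS:
            hits.append("url")
    elif kind == "registry":
        key = norm(ev.get("key", ""))
        if key == IOC_REG_KEY or key.startswith(IOC_REG_KEY + "\\"):
            hits.append("registry:remcos")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> hits for every event that tripped at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"},
    {"type": "process",
     "image": r"C:\Windows\ServiceProfiles\MSSQLSERVER\AppData\Local\Temp\jbedw0vj.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha256": "7D0687911EA9423310B7B83EBEC9F52944AC022795C3B796ACA5F0D2D15954B1"},
    {"type": "network", "dst_ip": "91.243.44.142",
     "url": "http://91.243.44.142/arx-ikrbwika.exe"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Remcos\exepath"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], hits)
```

The filename and hash sets are the brittle part of this: they catch only the exact samples the report saw, while the parent/child and service-temp rules survive a renamed dropper. Keep both kinds, but treat the behavioural hits as the ones worth paging on.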