Encrypted APT attack: the Kimsuky group's 'Smoke Screen' PART 2
Tags
country: Albania
attack-pattern: Mshta (T1218.005), Powershell (T1059.001), Server (T1583.004), Server (T1584.004), Software (T1592.002), Mshta (T1170), Powershell (T1086)
Common Information
| Type | Value |
|---|---|
| UUID | 1268b8b1-c2b5-43ba-916a-ca39de1d2871 |
| Fingerprint | 990e5904b191525c |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | May 13, 2019, 5:34 p.m. |
| Added to db | Jan. 30, 2023, 4:32 p.m. |
| Last updated | Nov. 18, 2024, 1:38 a.m. |
| Headline | |
| Title | Encrypted APT attack: the Kimsuky group's 'Smoke Screen' PART 2 |
| Detected Hints/Tags/Attributes | 28/2/33 |
Source URLs
| Redirection | Url |
|---|---|
| Source | https://blog.alyac.co.kr/2299 |
URL Provider
Attributes
| Type | #Events | CTI | Value |
|---|---|---|---|
| Domain | 3 | | bit-albania.com |
| Domain | 372 | | wscript.shell |
| Domain | 13 | | wshell.run |
| Domain | 1 | | a2khs.mireene.co.kr |
| Domain | 6 | | post0.open |
| File | 5 | | 'expres.php |
| File | 1 | | 'pwzpz.js |
| File | 1 | | 'nqtas.vbs |
| File | 1 | | 'tmp.bat |
| File | 2127 | | cmd.exe |
| File | 14 | | tmp.bat |
| File | 1209 | | powershell.exe |
| File | 456 | | mshta.exe |
| File | 2 | | %appdata%\tmp.bat |
| File | 1 | | 'cow.gif |
| File | 3 | | 'exe.gif |
| File | 5 | | cow.gif |
| File | 6 | | exe.gif |
| File | 1 | | l:\temp_work\vc_work\rrrr_dllload.dll |
| File | 1 | | 'server.dll |
| File | 1 | | 'keylogger1.ps1 |
| md5 | 1 | | 0e595fb4462e99f392d441d960f8bc93 |
| md5 | 1 | | d264875dab332d3475b99461310d7fff |
| IPv4 | 3 | | 173.248.170.149 |
| Pdb | 1 | | rrrr.pdb |
| Url | 1 | | https://bit-albania.com/sekretar_bit_shkurt2019/webs/rez/us/ahfzo0.hta |
| Url | 1 | | https://bit-albania.com/sekretar_bit_shkurt2019/webs/rez/us/ahfzo.hta |
| Url | 1 | | http://a2khs.mireene.co.kr/plugin/sms5/skin/basic/nodejs/first.hta |
| Url | 1 | | http://a2khs.mireene.co.kr/plugin/sms5/skin/basic/nodejs/expres.php?op=1 |
| Windows Registry Key | 4 | | HKEY_CURRENT_USER\Software\Microsoft\Command |
| Windows Registry Key | 3 | | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security |
| Windows Registry Key | 3 | | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security |
| Windows Registry Key | 3 | | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security |