旺刺组织(APT-C-47)使用ClickOnce技术的攻击活动披露
Tags
| attack-pattern: | Rundll32 - T1218.011 Rundll32 - T1085 |
Common Information
| Type | Value |
|---|---|
| UUID | 171058fe-92a3-4620-b196-b8dfa76ec687 |
| Fingerprint | 70343c1086c58353 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Feb. 21, 2022, midnight |
| Added to db | Sept. 26, 2022, 9:34 a.m. |
| Last updated | Nov. 17, 2024, 6:54 p.m. |
| Headline | 旺刺组织(APT-C-47)使用ClickOnce技术的攻击活动披露 |
| Title | 旺刺组织(APT-C-47)使用ClickOnce技术的攻击活动披露 |
| Detected Hints/Tags/Attributes | 10/1/60 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://mp.weixin.qq.com/s/h_MUJfa3QGM9SqT_kzcdHQ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 6 | ce.com |
|
| Details | Domain | 1 | com.cn.plugin-verification.com |
|
| Details | Domain | 1 | attachment-download.services.enc2global.com |
|
| Details | Domain | 2 | service.com |
|
| Details | Domain | 1 | test.enc2global.com |
|
| Details | Domain | 1 | authentication-services.zzux.com |
|
| Details | Domain | 1 | email-smtp-protocol-update-notification.safetymodule-check.com |
|
| Details | File | 1 | 加载执行banner_m.jpg |
|
| Details | File | 1 | 加载配置文件res.jpg |
|
| Details | File | 1 | 加载执行banner_0.jpg |
|
| Details | File | 1 | 在其伪装的计算器dotproduct类的calc方法中读取恶意荷载banner_m.jpg |
|
| Details | File | 1 | 该程序加载并解密res.jpg |
|
| Details | File | 1 | 解密加载banner_0.jpg |
|
| Details | File | 1 | banner_1.jpg |
|
| Details | File | 1 | 构造wmtemp.log |
|
| Details | File | 1 | banner_1_1.jpg |
|
| Details | File | 1 | 被加载的黑文件根据wmtemp.log |
|
| Details | File | 1 | banner_2.jpg |
|
| Details | File | 1 | 释放rv.dll |
|
| Details | File | 1018 | rundll32.exe |
|
| Details | File | 1 | %temp%\rv.dll |
|
| Details | File | 1 | banner_3.jpg |
|
| Details | File | 1 | 使用reg命令导入drg2856.tmp |
|
| Details | File | 1 | 另外banner_n.jpg |
|
| Details | File | 1 | %temp%\wmtemp.log |
|
| Details | File | 1 | 攻击者利用白程序启动时会加载msftedit.dll |
|
| Details | File | 1 | %temp%\wmtemp\目录下的msftedit.dll |
|
| Details | File | 1 | cn.pl |
|
| Details | File | 1 | email-smtp-protocol-update-notification.safe |
|
| Details | md5 | 1 | 8ad47895f3af1f06d894e5383c4c4680 |
|
| Details | md5 | 1 | c0ee329f276b01d8aeb908bead365aea |
|
| Details | md5 | 1 | f0dd637b1f0a9005c4b30245e0e7e1ad |
|
| Details | md5 | 1 | 5011d65eeebe3eedf4b3f64dabc88e8c |
|
| Details | md5 | 1 | 366da9737c0db351ca889e2bc8dc1981 |
|
| Details | md5 | 1 | f6cf5f915fc6506c3ddad7c7f10854c4 |
|
| Details | md5 | 1 | 445216627ff9280f3294d8bd3d85b560 |
|
| Details | md5 | 1 | fcc4682029a27ba7a6ff9d795bdfd415 |
|
| Details | md5 | 1 | c6dd8052335e00c111526b7095cab52c |
|
| Details | md5 | 1 | d692b8ea9485aa0205ed83cd3140b05e |
|
| Details | md5 | 1 | 9B58A9C1C396DAAFF4D8868DC49455E3 |
|
| Details | md5 | 1 | 68F07080F3B0B4729BD220E10416A51C |
|
| Details | md5 | 1 | 9C0CE7D503159C0B0C06110E875C25D6 |
|
| Details | md5 | 1 | 79066365563368F379CA1A45168F9ACA |
|
| Details | md5 | 1 | 306B61A40E9051629343EEF3C69BC479 |
|
| Details | md5 | 1 | EEF1F260153D0D6573D782808754BC28 |
|
| Details | md5 | 1 | 6F49F302169F391A0B614AF0FCADCB98 |
|
| Details | md5 | 1 | A8810EB38C46A8C4EEE9ABC1C5A5AFBE |
|
| Details | md5 | 1 | 11128a3c4c7e7aa47349a788d41cee4d |
|
| Details | md5 | 1 | 587b6fe405816d2d3b555fcbbe17a69a |
|
| Details | md5 | 1 | cb4e79b6f191d0c8cb38ff91b049796f |
|
| Details | md5 | 1 | 64763f03e581510ca42fb420b71d2458 |
|
| Details | md5 | 1 | cac963f48aa812e900672b0ad1d1db4d |
|
| Details | md5 | 1 | 80cac47d7b6fa68c36b59c818ed2e35a |
|
| Details | md5 | 1 | f4522f6486a90af0c960d86a9a5734ca |
|
| Details | sha256 | 1 | 148780657362178fd5add0cfb99eff8bc68c72ee0b438e64edf643eb2592d7bb |
|
| Details | IPv4 | 4 | 91.235.116.232 |
|
| Details | IPv4 | 1 | 45.64.186.78 |
|
| Details | IPv4 | 1 | 45.64.186.159 |
|
| Details | IPv4 | 1 | 122.155.3.201 |
|
| Details | Threat Actor Identifier - APT-C | 3 | APT-C-47 |