A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity | WeLiveSecurity
Tags
cmtmf-attack-pattern: Application Layer Protocol; Develop Capabilities; Exploit Public-Facing Application; Masquerading; Obfuscated Files Or Information; Obtain Capabilities; Process Injection; Scheduled Task/Job
country: China; France; India; Israel; Japan; Taiwan
maec-delivery-vectors: Watering Hole
attack-pattern: Data; Software Discovery - T1418; Application Layer Protocol - T1437; Archive Collected Data - T1560; Archive Collected Data - T1532; Archive Via Custom Method - T1560.003; Archive Via Library - T1560.002; Audio Capture - T1429; Clipboard Data - T1414; Code Signing Certificates - T1587.002; Code Signing Certificates - T1588.003; Component Object Model - T1559.001; Create Or Modify System Process - T1543; Create Process With Token - T1134.002; Data From Local System - T1533; Develop Capabilities - T1587; Dll Side-Loading - T1574.002; Dynamic-Link Library Injection - T1055.001; Encrypted Channel - T1521; Encrypted Channel - T1573; Exploit Public-Facing Application - T1377; Exploitation For Client Execution - T1658; Exploits - T1587.004; Exploits - T1588.005; File And Directory Discovery - T1420; File Deletion - T1070.004; File Deletion - T1630.002; Hardware - T1592.001; Hijack Execution Flow - T1625; Hijack Execution Flow - T1574; Indicator Removal On Host - T1630; Input Capture - T1417; Inter-Process Communication - T1559; Ip Addresses - T1590.005; Keylogging - T1056.001; Keylogging - T1417.001; Local Data Staging - T1074.001; System Network Configuration Discovery - T1422; Malware - T1587.001; Malware - T1588.001; Masquerade Task Or Service - T1036.004; Masquerading - T1655; Match Legitimate Name Or Location - T1036.005; Match Legitimate Name Or Location - T1655.001; Obfuscated Files Or Information - T1406; Process Discovery - T1424; Msbuild - T1127.001; Native Api - T1575; Non-Standard Encoding - T1132.002; Obtain Capabilities - T1588; Phishing - T1660; Phishing - T1566; Process Hollowing - T1055.012; Process Injection - T1631; Python - T1059.006; Scheduled Task - T1053.005; Scheduled Task/Job - T1603; Screen Capture - T1513; Server - T1583.004; Server - T1584.004; Server Software Component - T1505; Sharepoint - T1213.002; Software - T1592.002; Software Discovery - T1518; Spearphishing Attachment - T1566.001; Spearphishing Attachment - T1598.002; Standard Encoding - T1132.001; Symmetric Cryptography - T1521.001; Symmetric Cryptography - T1573.001; System Shutdown/Reboot - T1529; Thread Execution Hijacking - T1055.003; Timestomp - T1070.006; Web Protocols - T1071.001; Web Protocols - T1437.001; Virtualization/Sandbox Evasion - T1497; Web Shell - T1505.003; Video Capture - T1512; Windows Service - T1543.003; Tool - T1588.002; Vulnerabilities - T1588.006; Virtualization/Sandbox Evasion - T1633; Access Token Manipulation - T1134; Standard Application Layer Protocol - T1071; Application Window Discovery - T1010; Audio Capture - T1123; Automated Collection - T1119; Clipboard Data - T1115; Connection Proxy - T1090; Data Encoding - T1132; Data From Local System - T1005; Data From Removable Media - T1025; Data Staged - T1074; Data Transfer Size Limits - T1030; Deobfuscate/Decode Files Or Information - T1140; Dll Side-Loading - T1073; Execution Through Api - T1106; Execution Through Module Load - T1129; Exploit Public-Facing Application - T1190; Exploitation For Client Execution - T1203; File And Directory Discovery - T1083; File Deletion - T1107; Indicator Removal On Host - T1070; Input Capture - T1056; Masquerading - T1036; Standard Non-Application Layer Protocol - T1095; Obfuscated Files Or Information - T1027; Peripheral Device Discovery - T1120; Process Discovery - T1057; Process Hollowing - T1093; Process Injection - T1055; Query Registry - T1012; Rootkit - T1014; Scheduled Task - T1053; Screen Capture - T1113; Spearphishing Attachment - T1193; System Network Configuration Discovery - T1016; Windows Management Instrumentation - T1047; Timestomp - T1099; Web Shell - T1100; Video Capture - T1125; Automated Collection; Exploit Public-Facing Application; Indicator Removal On Host; Masquerading; Rootkit; Screen Capture; Spearphishing Attachment
Common Information
Type Value
UUID 19a0765e-137b-4b37-bcac-70ba8f24c48b
Fingerprint bf3d115169af8097
Analysis status DONE
Considered CTI value 2
Text language
Published April 27, 2022, 3 p.m.
Added to db June 15, 2023, 11:38 a.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity
Title A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity | WeLiveSecurity
Detected Hints/Tags/Attributes 292/4/202
Attributes
Type | #Events | Value
CVE | 58 | cve-2019-0604
CVE | 375 | cve-2017-11882
Domain | 3 | ffca.caibi379.com
Domain | 1 | peheavens.com
Domain | 31 | onedrive.live.com
Domain | 4 | cahe.microsofts.org
Domain | 2 | agent.km
Domain | 1 | rozena.ao
Domain | 1 | inbt.zip
Domain | 1 | cahe.microsofts.com
Domain | 1 | smtp.nsfwgo.com
Domain | 1 | dlaxpcmghd.com
Domain | 1 | wwww.dlmum.com
File | 226 | certutil.exe
File | 263 | iexplore.exe
File | 1 | tdr.dat
File | 1 | %localappdata%\tendyron\tendyron.exe
File | 1 | okt.dat
File | 1 | %localappdata%\tendyron\onkeytoken_keb.dll
File | 1 | md.dat
File | 1 | t86.dat
File | 1 | tendyron.exe
File | 1 | onkeytoken_keb.dll
File | 2 | s8437aeb.dat
File | 1 | rebare.dll
File | 1 | rebar.dll
File | 4 | responsor.dat
File | 3 | setlang.exe
File | 3 | setlangloc.dat
File | 2 | rebare.dat
File | 4 | rescure.dat
File | 3 | rescure86.dat
File | 3 | rescure64.dat
File | 2 | sspisrvui.dat
File | 3 | setlangloc.dll
File | 3 | hhw.exe
File | 1 | %programfiles%\msbuild\microsoft\expression\blend\msole\setlang.exe
File | 1 | vpreview.exe
File | 1 | vviewres.dll
File | 1 | emedres.dll
File | 2 | hidmouse.sys
File | 1 | hidusb.sys
File | 1 | sspisrvui.dll
File | 1260 | explorer.exe
File | 212 | winlogon.exe
File | 1 | draco_manager.swf
File | 1122 | svchost.exe
File | 172 | dllhost.exe
File | 1 | portabledeviceapi.dll
File | 4 | wptsextensions.dll
File | 1 | c:\programdata\microsoft\crypto\rsa\machinekeys\log\rsa.txt
File | 131 | spoolsv.exe
File | 3 | rsa.txt
File | 1 | c:\programdata\microsoft\crypto\rsa\machinekeys\log\output.log
File | 35 | libcurl.dll
File | 2 | sodom.ini
File | 8 | status.php
File | 21 | m.exe
File | 1 | qrt.dll
File | 1 | qrtfix.exe
File | 1 | sll.exe
File | 2 | presentationcache.exe
File | 1 | winver32.dll
File | 1 | hhh.exe
File | 1 | winver64.dll
File | 2 | phx.dll
File | 2 | meterpreter.exe
File | 1 | 絆邧坋蔡趕口昴.doc
File | 1 | htra.exe
File | 1 | htran13.exe
File | 4 | event.exe
File | 2126 | cmd.exe
File | 5 | htran.exe
File | 1 | htran_f-secury.exe
File | 1 | inbt.zip
File | 1 | msd017.exe
md5 | 1 | 5C7E7A60D01D2891F40648DAB6CB3DF4
md5 | 1 | 4ED8730F4E1B8558CD1CB0107B5F776B
sha1 | 1 | 09c76522136b5e9bab74381feee265f7e9b1d550
sha1 | 1 | f359d3c074135bbca9a4c98a6b6544690edae93d
sha1 | 1 | 140f81037a76b7b16a00e1d5e0e2cd9f6687f642
sha1 | 1 | 014421bdb1ea105a6df0c27fc114819ff3637704
sha1 | 1 | 02ed6a578c575c8d9c72398e790354b095bb07bc
sha1 | 1 | 850821d88a4475f0310f10fba806353a4113d252
sha1 | 1 | c96558312fbf5847351b0b6f724d7b3a31ccaf03
sha1 | 1 | 1403241c415a8d686b1148fa4229a2eb833d8d08
sha1 | 1 | 38d0e92aff991cfc9c68d7baad6cb85916139af5
sha1 | 1 | af978ed8ad37ce1437a6b42d96bf518d5c4cfd19
sha1 | 1 | b70f3a3a9b5b8506ee95791469ca496e01ad7daf
sha1 | 1 | ea298866e5a61feea4d062987f23b10a78c8a4ca
sha1 | 1 | 021b9e2e8aa30b29569254c0378a9f43e4f32eec
sha1 | 1 | 2a2f08fad6b0a86dc94885224687d954e739cc21
sha1 | 1 | 3658b7cca13c8c8ad03e9b6aefe4b9cbe48e3c81
sha1 | 1 | 517488f6bd0e7fc9ede82f37226a75212b277e21
sha1 | 1 | c05b4ad7a3322917e17710842fb88a090198d51f
sha1 | 1 | db2df1bdf8145cb8aba3a2026a3cc3ef4f1762be
sha1 | 1 | ede2ab811311fc011b1e89c5a0b7a60c123b7398
sha1 | 1 | 7aa35ba7030afcd271436de8173d7b2f317a1bfc
sha1 | 1 | a5c02abe698300f3de0b7cc7f0856652753831da
sha1 | 1 | 613c4afae8f5f80f22dcd1827e3230fca361ada5
sha1 | 1 | 859cd6dfdadab3d6427c6c1c29581cb2094d648f
sha1 | 1 | dbea7f0c0d2bf8bc365a2d1572ca1538fe8fb9a3
sha1 | 1 | add5b4fd9aea6a38b5a8941286bc9aa4fe23bd20
sha1 | 1 | 7ba42061568ff6d9ca5fe5360dce74c25ea48ada
sha1 | 1 | d81215890703c48b8ea07a1f50fec1a6ca9df88b
sha1 | 1 | 621b31d5778ec2fb72d38fb61ced110a6844d094
sha1 | 1 | bc11dc8d86a457a07cfe46b5f2ef6598b83c8a1f
sha1 | 1 | c369e1466f66744aa0e658588e7cf2c051ee842f
sha1 | 1 | b868764c46badc152667e9128375ba4f8d936559
sha1 | 1 | bdeca89b4f39e6702ce6cbbc9e6d69f6bbab01c8
sha1 | 1 | 5379fbb0e02694c524463fdf7f267a7361ecdd68
sha1 | 1 | 6cc6170977327541f8185288bb9b1b81f56d3fd0
sha1 | 1 | d95185a4a3f8512d92f69d2ed7b8743638c54be8
sha1 | 1 | be7f0e41cd514561aed43b07aa9f5f0842bf876c
sha1 | 1 | 7f663f50e9d6376715aeb3ab66dede038258ef6c
sha1 | 1 | beda1224b3bb9f98f95ff7757d2687f4d9f4b53a
sha1 | 1 | 2b61e7c63a0a33aac4cf7fe0ceb462cf6dacc080
sha1 | 1 | ef3c796652141b8a68dccf488159e96903479c29
sha1 | 1 | 6b547c244a3086b5b6ea2b3a0d9594bbe54ae06b
sha1 | 1 | 4cdce3af614c2a5e60e71f1205812ab129c0955b
IPv4 | 1 | 103.139.2.93
IPv4 | 1 | 114.118.83.141
IPv4 | 1 | 114.55.109.199
IPv4 | 1 | 47.111.22.65
IPv4 | 1 | 43.254.216.104
IPv4 | 1 | 45.124.115.103
IPv4 | 1 | 161.82.181.4
IPv4 | 1 | 43.254.219.153
IPv4 | 1 | 154.223.141.36
IPv4 | 1 | 185.225.19.17
IPv4 | 1 | 94.158.245.249
IPv4 | 1 | 5.252.179.227
IPv4 | 1 | 222.186.151.141
IPv4 | 1 | 185.225.17.39
MITRE ATT&CK Techniques | 96 | T1587.001
MITRE ATT&CK Techniques | 33 | T1588.003
MITRE ATT&CK Techniques | 60 | T1588.005
MITRE ATT&CK Techniques | 542 | T1190
MITRE ATT&CK Techniques | 310 | T1566.001
MITRE ATT&CK Techniques | 239 | T1106
MITRE ATT&CK Techniques | 120 | T1129
MITRE ATT&CK Techniques | 245 | T1203
MITRE ATT&CK Techniques | 31 | T1559.001
MITRE ATT&CK Techniques | 310 | T1047
MITRE ATT&CK Techniques | 275 | T1053.005
MITRE ATT&CK Techniques | 104 | T1505.003
MITRE ATT&CK Techniques | 180 | T1543.003
MITRE ATT&CK Techniques | 627 | T1027
MITRE ATT&CK Techniques | 57 | T1036.004
MITRE ATT&CK Techniques | 183 | T1036.005
MITRE ATT&CK Techniques | 41 | T1014
MITRE ATT&CK Techniques | 59 | T1055.001
MITRE ATT&CK Techniques | 440 | T1055
MITRE ATT&CK Techniques | 20 | T1055.003
MITRE ATT&CK Techniques | 86 | T1055.012
MITRE ATT&CK Techniques | 504 | T1140
MITRE ATT&CK Techniques | 227 | T1574.002
MITRE ATT&CK Techniques | 238 | T1497
MITRE ATT&CK Techniques | 24 | T1134.002
MITRE ATT&CK Techniques | 297 | T1070.004
MITRE ATT&CK Techniques | 93 | T1070.006
MITRE ATT&CK Techniques | 75 | T1010
MITRE ATT&CK Techniques | 433 | T1057
MITRE ATT&CK Techniques | 185 | T1518
MITRE ATT&CK Techniques | 585 | T1083
MITRE ATT&CK Techniques | 188 | T1120
MITRE ATT&CK Techniques | 245 | T1016
MITRE ATT&CK Techniques | 501 | T1012
MITRE ATT&CK Techniques | 82 | T1115
MITRE ATT&CK Techniques | 152 | T1056
MITRE ATT&CK Techniques | 118 | T1056.001
MITRE ATT&CK Techniques | 219 | T1113
MITRE ATT&CK Techniques | 32 | T1125
MITRE ATT&CK Techniques | 23 | T1123
MITRE ATT&CK Techniques | 111 | T1119
MITRE ATT&CK Techniques | 49 | T1074.001
MITRE ATT&CK Techniques | 534 | T1005
MITRE ATT&CK Techniques | 34 | T1025
MITRE ATT&CK Techniques | 29 | T1560.002
MITRE ATT&CK Techniques | 11 | T1560.003
MITRE ATT&CK Techniques | 442 | T1071.001
MITRE ATT&CK Techniques | 159 | T1095
MITRE ATT&CK Techniques | 99 | T1132.001
MITRE ATT&CK Techniques | 40 | T1132.002
MITRE ATT&CK Techniques | 130 | T1573.001
MITRE ATT&CK Techniques | 36 | T1030
MITRE ATT&CK Techniques | 48 | T1529
Threat Actor Identifier - APT | 278 | APT10
Url | 1 | http://103.139.2.93:1702/tdr.dat
Url | 1 | http://103.139.2.93:1702/okt.dat
Url | 1 | http://103.139.2.93:1702/md.dat
Url | 1 | http://103.139.2.93:1702/t86.dat
Url | 1 | http://103.139.2.93:1702/sl3716/s8437aeb.dat
Url | 1 | http://114.55.109.199:56022/sl3716/s8437aeb.dat
Url | 1 | http://s.peheavens.com
Url | 1 | http://s.peheavens.com/html/portlet/ext/draco/resources/draco_manager.swf
Url | 1 | http://ffca.caibi379.com
Windows Registry Key | 112 | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Registry Key | 2 | HKLM\HARDWARE
Windows Registry Key | 1 | HKLM\SOFTWARE\Microsoft\DRM\X4Key
Windows Registry Key | 1 | HKLM\SOFTWARE\Microsoft\DRM\PSKey
Windows Registry Key | 1 | HKLM\SOFTWARE\Microsoft\DRM\X4Data
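Added worked example (not code from ESET, WeLiveSecurity or this record): a parser for the flattened "Type / #Events / value" attribute list in which records like this one are extracted, which builds typed indicator sets and matches constructed log lines against them. It uses the per-value #Events count (how many records in the corpus carry the same value) as a noise filter, since process names such as cmd.exe, explorer.exe and svchost.exe appear in thousands of records and are mentions, not indicators. The RECORD excerpt is copied from the attribute list above in its raw extracted form (with the "Details" UI prefix); the log lines and the NOISE_THRESHOLD value are constructed assumptions for the demonstration.

```python
"""Parse the flattened 'Type #Events / value' attribute list of a CTI record
into typed indicator sets and match constructed log lines against them, using
the corpus-wide event count as a noise filter. Added example, not code from
ESET or from the page. RECORD is an excerpt of the page's attribute list as
extracted; SAMPLE_LOGS and NOISE_THRESHOLD are constructed assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlparse

RECORD = """\
Details CVE 58
cve-2019-0604
Details Domain 31
onedrive.live.com
Details File 1
tdr.dat
Details File 3
setlang.exe
Details File 2126
cmd.exe
Details md5 1
5C7E7A60D01D2891F40648DAB6CB3DF4
Details sha1 1
09c76522136b5e9bab74381feee265f7e9b1d550
Details IPv4 1
103.139.2.93
Details Url 1
http://103.139.2.93:1702/tdr.dat
Details Windows Registry Key 1
HKLM\\SOFTWARE\\Microsoft\\DRM\\X4Key
"""

# Header of each pair: optional "Details" UI prefix, a type name that may
# contain spaces, then how many records in the corpus carry that value.
HEADER = re.compile(r"^(?:Details\s+)?(?P<type>.+?)\s+(?P<count>\d+)$")

# Assumption: a value seen in this many records (cmd.exe, explorer.exe,
# onedrive.live.com) is generic context, not an alertable indicator.
NOISE_THRESHOLD = 20


def parse_record(text):
    """Return {type: {lower-cased value: event count}} from the flattened list.

    Lines alternate strictly: one header, then exactly one value. A dangling
    header or a value without a header raises ValueError, so a truncated
    extraction is noticed instead of being half-loaded."""
    indicators = defaultdict(dict)
    pending = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if pending is None:
            m = HEADER.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected 'Type #Events' header, got {line!r}")
            pending = (m.group("type"), int(m.group("count")))
        else:
            # Hashes, DNS names, Windows paths and CVE ids are matched
            # case-insensitively, so values are folded to lower case.
            indicators[pending[0]][line.lower()] = pending[1]
            pending = None
    if pending is not None:
        raise ValueError(f"header {pending[0]!r} has no value line")
    return dict(indicators)


URL = re.compile(r"https?://[^\s\"'<>]+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HEX = re.compile(r"\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b")
FILE = re.compile(r"[\w%.-]+\.(?:exe|dll|dat|sys|zip|ini|txt|log|php|doc|swf)\b")
REG = re.compile(r"\bhk(?:lm|cu|cr|u|cc)\\[^\s\"']+")
CVE = re.compile(r"\bcve-\d{4}-\d{4,}\b")


def extract(line):
    """Pull candidate values out of one log line, keyed by record type."""
    low = line.lower()
    found = defaultdict(set)
    urls = URL.findall(low)
    found["Url"].update(urls)
    for u in urls:  # a URL's host is checked as an IPv4 or Domain indicator too
        host = urlparse(u).hostname
        if host:
            found["IPv4" if IPV4.fullmatch(host) else "Domain"].add(host)
    rest = URL.sub(" ", low)  # do not re-read a URL path such as /tdr.dat as a host
    found["Domain"].update(HOST.findall(rest))
    found["IPv4"].update(IPV4.findall(rest))
    for h in HEX.findall(low):
        found["sha1" if len(h) == 40 else "md5"].add(h)
    found["File"].update(FILE.findall(low))
    found["Windows Registry Key"].update(REG.findall(low))
    found["CVE"].update(CVE.findall(low))
    return found


def match_line(line, indicators):
    """Return sorted (type, value, event count) triples present in the record."""
    hits = []
    for ioc_type, candidates in extract(line).items():
        known = indicators.get(ioc_type, {})
        hits.extend((ioc_type, c, known[c]) for c in candidates if c in known)
    return sorted(hits)


def classify(hits):
    """Split hits into alertable indicators and generic context by event count."""
    return ([h for h in hits if h[2] < NOISE_THRESHOLD],
            [h for h in hits if h[2] >= NOISE_THRESHOLD])


def scan(lines, indicators):
    """Return {line index: (alerts, context)} for every line with a hit."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_line(line, indicators)
        if hits:
            results[i] = classify(hits)
    return results


SAMPLE_LOGS = [  # constructed for this example, not real telemetry
    "2022-04-27T14:02:11Z proxy src=10.1.2.3 method=GET url=http://103.139.2.93:1702/tdr.dat status=200",
    r"ProcessCreate Image=C:\Windows\System32\cmd.exe ParentImage=C:\Program Files\MSBuild\Microsoft\Expression\Blend\MsOle\setlang.exe",
    "dns query=onedrive.live.com client=10.1.2.3",
    r"FileCreate Image=C:\Users\a\AppData\Local\Temp\okt.dat SHA1=09C76522136B5E9BAB74381FEEE265F7E9B1D550",
    r"RegistryEvent TargetObject=HKLM\SOFTWARE\Microsoft\DRM\X4Key EventType=SetValue",
    "dns query=www.example.com client=10.1.2.4",
]

if __name__ == "__main__":
    for i, (alerts, context) in scan(SAMPLE_LOGS, parse_record(RECORD)).items():
        print(SAMPLE_LOGS[i][:40], "ALERT" if alerts else "context", alerts or context)
```

Two design points worth noting. The host-name regex also catches dotted file names (cmd.exe, okt.dat), which is the same confusion that puts inbt.zip in the Domain list above as well as under File; matching each candidate only against the set of its own type is what keeps that from producing hits. The event count does the second filtering job: the proxy line with the tdr.dat URL, the setlang.exe parent process, the sha1 and the HKLM\SOFTWARE\Microsoft\DRM\X4Key write all come out as alerts, while cmd.exe (2126 records) and onedrive.live.com (31 records) are returned as context only, so the threshold should be tuned against the corpus rather than taken from this example.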