游走在东欧和中亚的奇幻熊
Tags
cmtmf-attack-pattern: Command-Line Interface
maec-delivery-vectors: Watering Hole
attack-pattern: Application Layer Protocol - T1437 Command-Line Interface - T1605 Data From Local System - T1533 File Deletion - T1070.004 File Deletion - T1630.002 Scheduled Task - T1053.005 Screen Capture - T1513 Spearphishing Attachment - T1566.001 Spearphishing Attachment - T1598.002 Standard Application Layer Protocol - T1071 Command-Line Interface - T1059 Data Encoding - T1132 Data From Local System - T1005 Execution Through Api - T1106 File Deletion - T1107 Indirect Command Execution - T1202 Scheduled Task - T1053 Screen Capture - T1113 Spearphishing Attachment - T1193 User Execution - T1204 Command-Line Interface Execution Through Api Screen Capture Spearphishing Attachment Standard Application Layer Protocol User Execution
Show in Graph
Common Information
Type Value
UUID 3af10618-5bd4-4975-8276-f7705ec5aaee
Fingerprint 99501c6a61a81a93
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 24, 2019, midnight
Added to db Sept. 26, 2022, 9:31 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline 游走在东欧和中亚的奇幻熊
Title 游走在东欧和中亚的奇幻熊
Detected Hints/Tags/Attributes 45/3/45
Source URLs
Redirection Url
Details Source https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og
URL Provider
Details Provider Source level domain
Details qq.com mp.weixin.qq.com
Attributes
Details Type #Events CTI Value
Details Domain 1 
ucx.no
Details Domain 1 
womp-wroclaw.wp.mil.pl
Details Domain 262 
www.welivesecurity.com
Details File 1 
the-chief-of-the-sanitary-inspection-armed-forces-for-movement-of-allied-military-personnel-in-the-territory.rar
Details File 1 
gai-18.rar
Details File 1 
-745_14-05-2020.rar
Details File 1 
dn-098-2020_mfa.rar
Details File 1 
利用cmd.exe
Details File 1 
我们对apt28组织近期的第一次攻击活动使用的恶意附件dn-098-2020_mfa.rar
Details File 1 
scan_letters.docx
Details File 1 
sqlclient.sys
Details File 1 
buildings.php
Details File 1 
同时sqlclient.sys
Details File 1 
会调用cmd.exe
Details File 1 
利用计划任务间接执行copy.exe
Details File 1 
wp.mil
Details md5 1 
cd0aa9b954010b704f741debf46ade5e
Details md5 1 
e9bf5ce92b9d286fdc66616ca2cc5c68
Details md5 1 
1ce718ba64b85b58a3dfbd3a7b207990
Details md5 1 
82e0597f56653a8788bfb531af460eb0
Details md5 1 
88ce694a89cc1d381818a61d9494ba58
Details md5 1 
a31e3b8d2f5e0369be8f3dbb7e23120b
Details md5 1 
6e1effd8de77a10f315db1109c5e73e3
Details md5 1 
961952e4873d9572cc356cb2425c1552
Details md5 1 
0a00f0ff2b69df91c1b83772a0f1b160
Details md5 1 
019555014b716f3eaac3d81d122beba0
Details md5 1 
ed63c42a51b711b81e9aca9a4a150bbd
Details IPv4 1 
185.234.52.168
Details IPv4 1 
185.221.202.36
Details MITRE ATT&CK Techniques 49 
T1193
Details MITRE ATT&CK Techniques 420 
T1204
Details MITRE ATT&CK Techniques 239 
T1106
Details MITRE ATT&CK Techniques 695 
T1059
Details MITRE ATT&CK Techniques 480 
T1053
Details MITRE ATT&CK Techniques 67 
T1107
Details MITRE ATT&CK Techniques 60 
T1202
Details MITRE ATT&CK Techniques 219 
T1113
Details MITRE ATT&CK Techniques 534 
T1005
Details MITRE ATT&CK Techniques 444 
T1071
Details MITRE ATT&CK Techniques 96 
T1132
Details Threat Actor Identifier - APT-C 9 
APT-C-20
Details Threat Actor Identifier - APT 783 
APT28
Details Url 1 
http://185.234.52.168/categories/buildings.php
Details Url 1 
https://womp-wroclaw.wp.mil.pl/en/articlesnews-v/movement-of-allied-military-personnel
Details Url 1 
https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy