A new round of espionage attacks by the 魔罗桫 group against South Asian military-industrial enterprises
Tags
country: China
attack-pattern: PowerShell - T1059.001 | Software - T1592.002 | PowerShell - T1086
Common Information
Type | Value |
---|---|
UUID | 3cd5a075-6793-4fde-808a-eb6ee38ee53d |
Fingerprint | 10a79405dfe63295 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 21, 2022, midnight |
Added to db | Sept. 26, 2022, 9:30 a.m. |
Last updated | Dec. 21, 2024, 4:49 a.m. |
Headline | A new round of espionage attacks by the 魔罗桫 group against South Asian military-industrial enterprises |
Title | A new round of espionage attacks by the 魔罗桫 group against South Asian military-industrial enterprises |
Detected Hints/Tags/Attributes | 15/2/35 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 4 | | msoffice.user-assist.site |
Details | Domain | 3 | | syncronize.3utilities.com |
Details | File | 3 | | army.docx |
Details | File | 1 | | the malicious code drops and loads the embedded bing.dll |
Details | File | 1 | | original filename is linknew.dll |
Details | File | 1 | | content is downloaded locally and named update.exe |
Details | File | 1 | | the malicious file first injects into explorer.exe |
Details | File | 1 | | the malicious file then copies itself via COM functionality and renames itself update.exe |
Details | File | 1 | | c:\programdata\software\update.exe |
Details | File | 1 | | c:\users\xxxx\appdata\roaming\svchost.exe |
Details | File | 1199 | | svchost.exe |
Details | File | 1 | | is update.exe |
Details | File | 1 | | uses pkgmgr.exe |
Details | File | 25 | | dism.exe |
Details | File | 1 | | its execution mechanism plus COM functionality to replace the system's dismcore.dll |
Details | File | 1 | | then drops programs.bat |
Details | File | 3 | | programs.bat |
Details | File | 1 | | c:\users\xxxx\appdata\roaming\microsoft\windows\start menu\programs\startup\programs.bat |
Details | File | 1 | | the start file's parent is the programs.bat described above |
Details | File | 1 | | update.exe was ultimately found |
Details | File | 3 | | bing.dll |
Details | File | 17 | | dismcore.dll |
Details | md5 | 4 | | 9f54962d644966cfad560cb606aeade2 |
Details | md5 | 3 | | 912141bb5b4020c2cc75a77c37928a3b |
Details | md5 | 3 | | e13134c8411557ce9c9e58d57b855a62 |
Details | md5 | 1 | | 915F528202B036DC5D660F44C187F121 |
Details | md5 | 3 | | 6b906764a35508a7fd266cdd512e46b1 |
Details | md5 | 1 | | 7707871515E16C8E8461CED7AF1CACDD |
Details | IPv4 | 1 | | 45.147.231.232 |
Details | IPv4 | 2 | | 45.84.204.148 |
Details | Pdb | 3 | | c:\users\admin\documents\dll\linknew\release\linknew.pdb |
Details | Url | 1 | | http://msoffice.user-assist.site/update/content is downloaded locally and named update.exe; a shortcut named update.lnk is then created in the startup directory so that it launches after the next reboot. On 32-bit systems, the malicious file first injects into the explorer.exe process, then copies itself via COM functionality and renames itself update.exe |
Details | Url | 2 | | http://msoffice.user-assist.site/refresh/word |
Details | Url | 2 | | http://msoffice.user-assist.site/update/content |
Details | Windows Registry Key | 199 | | HKCU\Software\Microsoft\Windows\CurrentVersion\Run |