ioc[.]one - OSINT Cyber Threat Intelligence Database

Operation Bleeding Bear — Elastic Security Labs

Tags

cmtmf-attack-pattern:	Code Injection Masquerading Obfuscated Files Or Information Process Injection
country:	Ukraine
maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Code Injection - T1540 Disable Or Modify Tools - T1562.001 Disable Or Modify Tools - T1629.003 Disk Structure Wipe - T1561.002 Disk Structure Wipe - T1487 Installutil - T1218.004 Malware - T1587.001 Malware - T1588.001 Masquerading - T1655 Obfuscated Files Or Information - T1406 Powershell - T1059.001 Process Hollowing - T1055.012 Process Injection - T1631 Server - T1583.004 Server - T1584.004 Software - T1592.002 Web Service - T1481 Web Services - T1583.006 Web Services - T1584.006 Installutil - T1118 Masquerading - T1036 Obfuscated Files Or Information - T1027 Powershell - T1086 Process Hollowing - T1093 Process Injection - T1055 Windows Management Instrumentation - T1047 Web Service - T1102 Masquerading

Show in Graph

Common Information

Type	Value
UUID	54ad5e44-0910-412a-9892-4d0b247cf4a2
Fingerprint	8126487d29b404d3
Analysis status	DONE
Considered CTI value	2
Text language
Published	Dec. 6, 2022, midnight
Added to db	Nov. 20, 2023, 1:02 a.m.
Last updated	Nov. 17, 2024, 10:40 p.m.
Headline	Operation Bleeding Bear
Title	Operation Bleeding Bear — Elastic Security Labs
Detected Hints/Tags/Attributes	87/4/26

Source URLs

	Redirection	Url
Details	Source	https://www.elastic.co/security-labs/operation-bleeding-bear

URL Provider

Details	Provider	Source level domain
Details	elastic.co	www.elastic.co

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	306	✔	Elastic Security Labs	https://www.elastic.co/security-labs/rss/feed.xml	2024-08-30 22:08

Attributes

Details	Type	#Events	Value
Details	sha256	20	a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
Details	sha256	21	dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Details	sha256	9	34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907
Details	sha256	12	923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6
Details	sha256	12	9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
Details	IPv4	9	111.111.111.111
Details	MITRE ATT&CK Techniques	15	T1561.002
Details	MITRE ATT&CK Techniques	298	T1562.001
Details	MITRE ATT&CK Techniques	310	T1047
Details	Domain	6	djvu.sh
Details	Domain	8	process.pe
Details	Domain	285	microsoft.net
Details	File	16	stage1.exe
Details	File	20	stage2.exe
Details	File	30	c:\windows\system32\wscript.exe
Details	File	1	c:\users\jim\appdata\local\temp\nmddfrqqrbyjeygggda.vbs
Details	File	1208	powershell.exe
Details	File	1	c:\users\jim\appdata\local\temp\advancedrun.exe
Details	File	23	c:\windows\system32\sc.exe
Details	File	83	installutil.exe
Details	File	2126	cmd.exe
Details	File	11	advancedrun.exe
Details	File	49	process.exe
Details	MITRE ATT&CK Techniques	149	T1102
Details	MITRE ATT&CK Techniques	440	T1055
Details	MITRE ATT&CK Techniques	627	T1027