Kimsuky组织网络攻击活动追溯分析报告
Tags
Common Information
| Type | Value |
|---|---|
| UUID | 5fb4054d-bea3-41ab-b394-5edaeb63f666 |
| Fingerprint | 575f2b8dbcdd8642 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | Oct. 22, 2020, midnight |
| Added to db | Jan. 30, 2023, 4:32 p.m. |
| Last updated | Nov. 17, 2024, 10:40 p.m. |
| Headline | Kimsuky组织网络攻击活动追溯分析报告 |
| Title | Kimsuky组织网络攻击活动追溯分析报告 |
| Detected Hints/Tags/Attributes | 21/0/113 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://mp.weixin.qq.com/s/pkCK1ryXvGWFuoHQk9Rahg |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | assuredshippings.com |
|
| Details | Domain | 194 | drive.google.com |
|
| Details | Domain | 1 | newwebsearcher.com |
|
| Details | Domain | 2 | okbus.or.kr |
|
| Details | Domain | 2 | newspeers.com |
|
| Details | Domain | 2 | last.zip |
|
| Details | Domain | 1 | mstsc-2003.zip |
|
| Details | Domain | 1 | chromecookiesview-1.90.zip |
|
| Details | Domain | 1 | ps.zip |
|
| Details | Domain | 1 | utilman.zip |
|
| Details | File | 1 | 使用version.dll |
|
| Details | File | 41 | wtsapi32.dll |
|
| Details | File | 1 | 和version_hwp.dll |
|
| Details | File | 1 | 使用恶意的normal.dot |
|
| Details | File | 1 | 随后将其重命名为version.dll |
|
| Details | File | 1 | 通过version.dll |
|
| Details | File | 13 | c.php |
|
| Details | File | 1 | dgdgdf.tmp |
|
| Details | File | 1 | 111.docx |
|
| Details | File | 29 | d.php |
|
| Details | File | 1 | ver.gif |
|
| Details | File | 89 | version.dll |
|
| Details | File | 10 | document.docx |
|
| Details | File | 1 | nd.gif |
|
| Details | File | 66 | normal.dot |
|
| Details | File | 1 | doc-src1.docm |
|
| Details | File | 1 | version_hwp.dll |
|
| Details | File | 2126 | cmd.exe |
|
| Details | File | 1 | %temp%\qazwsxe.tmp |
|
| Details | File | 1 | winmmnew.php |
|
| Details | File | 1 | 的ctr.vbs |
|
| Details | File | 1 | 通过分析ctr.vbs |
|
| Details | File | 1 | 这与wtsapi32.dll |
|
| Details | File | 1 | 由crt.vbs |
|
| Details | File | 1 | 如下载到的desktop.tmp |
|
| Details | File | 1 | 大部分失陷服务器上都出现了detect.vbs |
|
| Details | File | 1 | 文档文件名为doc-src.doc |
|
| Details | File | 2 | desktop.tmp |
|
| Details | File | 1 | stacer.vbs |
|
| Details | File | 1 | nxtelexl.bat |
|
| Details | File | 1 | 启动templbs.vbs |
|
| Details | File | 1 | templbs.vbs |
|
| Details | File | 1 | 下载执行desktop.tmp |
|
| Details | File | 1 | 最终通过11.vbs |
|
| Details | File | 1 | 11.vbs |
|
| Details | File | 1 | 12.vbs |
|
| Details | File | 1 | 一个是由templbs.vbs |
|
| Details | File | 1 | 其中一个文件的名称为change_with_anydesk_now.bat |
|
| Details | File | 1 | ieupsrv.exe |
|
| Details | File | 4 | ieupdate.exe |
|
| Details | File | 2 | install1.bat |
|
| Details | File | 1 | 创建服务启动revival.exe |
|
| Details | File | 1 | revival.exe |
|
| Details | File | 1 | 启动smss.bat |
|
| Details | File | 2 | smss.bat |
|
| Details | File | 1 | 启动update.vbs |
|
| Details | File | 16 | update.vbs |
|
| Details | File | 1 | 其中install.vbs |
|
| Details | File | 1 | 最终执行iecert.ps1 |
|
| Details | File | 1 | 完成键盘记录保存为ttmp.log |
|
| Details | File | 1 | 其利用schedule.xml |
|
| Details | File | 1 | 创建的计划任务定期执行iecert.vbs |
|
| Details | File | 1 | cloud.rar |
|
| Details | File | 1 | last.zip |
|
| Details | File | 1 | mimikatz.rar |
|
| Details | File | 1 | mstsc-2003.zip |
|
| Details | File | 1 | narrator___.zip |
|
| Details | File | 1 | win10_.zip |
|
| Details | File | 1 | win7_.zip |
|
| Details | File | 1 | 1220.rar |
|
| Details | File | 1 | antivirus_1121.xlsx |
|
| Details | File | 1 | antivirus_scorpion.xlsx |
|
| Details | File | 2 | 90.zip |
|
| Details | File | 1 | ps.zip |
|
| Details | File | 17 | 2.zip |
|
| Details | File | 1 | utilman.zip |
|
| Details | File | 2 | 07.rar |
|
| Details | File | 1 | winnarrator.exe |
|
| Details | File | 23 | xmrig.exe |
|
| Details | File | 5 | com.url |
|
| Details | File | 9 | recover.txt |
|
| Details | File | 13 | info.exe |
|
| Details | File | 1 | 恶意文档下载version.dll |
|
| Details | File | 1 | 恶意文档下载normal.dot |
|
| Details | File | 1 | 恶意文档下载dgdgdf.tmp |
|
| Details | File | 6 | redir.php |
|
| Details | File | 3 | his.php |
|
| Details | File | 1 | 恶意文档下载desktop.tmp |
|
| Details | File | 8 | expres.php |
|
| Details | File | 8 | cow.php |
|
| Details | md5 | 1 | 2d9b478d3161eaea8060d38d0a2dc8f5 |
|
| Details | md5 | 1 | c2be3221ba6b7722d1e0941995c0ab3a |
|
| Details | Pdb | 1 | g:\414 task\impersonateservice\impersonateservice\release\impersonateservice.pdb |
|
| Details | Pdb | 1 | g:\414 task\hidewindows_complete\any_exe\any_exe\release\any_exe.pdb |
|
| Details | Url | 1 | https://assuredshippings.com/wp-admin/includes/1023k/c.php?op=dotm |
|
| Details | Url | 1 | https://assuredshippings.com/wp-admin/includes/1023k/d.php?op=ver.gif |
|
| Details | Url | 1 | https://assuredshippings.com/wp-admin/includes/1023c/d.php?op=ver.gif |
|
| Details | Url | 1 | https://assuredshippings.com/wp-admin/includes/1023c/d.php?op=nd.gif |
|
| Details | Url | 1 | https://drive.google.com/file/d/1x4hjhlajqvk7cchnsbt_scrti07lmvn7/view?usp=sharing |
|
| Details | Url | 1 | https://newwebsearcher.com/winmm/winmmnew.php?op=step |
|
| Details | Url | 1 | https://onedrive.live.com/authkey |
|
| Details | Url | 2 | https://onedrive.live.com/?authkey= |
|
| Details | Url | 1 | http://okbus.or.kr/libs/phpmailer/his.php?op=antilist |
|
| Details | Url | 1 | https://newspeers.com/000/wjb/expres.php?op=2下载解密最终载荷 |
|
| Details | Url | 1 | http://xxx/d.php?op=ver.gif |
|
| Details | Url | 1 | http://xxx/d.php?op=nd.gif |
|
| Details | Url | 1 | http://xxx/c.php?op=dotm |
|
| Details | Url | 1 | http://xxx/winmmnew.php?op=yun |
|
| Details | Url | 1 | http://xxx/winmmnew.php?op=step |
|
| Details | Url | 1 | http://xxx/redir.php?op=display |
|
| Details | Url | 1 | http://xxx/his.php?op=[杀软信息] |
|
| Details | Url | 1 | http://xxx/expres.php?op=2 |
|
| Details | Url | 1 | http://xxx/cow.php?op=1 |