深入剖析针对中国用户的攻击活动(判断为Hvv样本被捕获了,红队速来认领) | CTF导航
Tags
Common Information
| Type | Value |
|---|---|
| UUID | 68510980-fd15-42c0-9db2-3c37c9b05c97 |
| Fingerprint | c9358ad3271066a3 |
| Analysis status | DONE |
| Considered CTI value | -2 |
| Text language | |
| Published | Sept. 8, 2024, midnight |
| Added to db | Sept. 1, 2024, 3:43 p.m. |
| Last updated | Nov. 17, 2024, 6:56 p.m. |
| Headline | 深入剖析针对中国用户的攻击活动(判断为Hvv样本被捕获了,红队速来认领) |
| Title | 深入剖析针对中国用户的攻击活动(判断为Hvv样本被捕获了,红队速来认领) | CTF导航 |
| Detected Hints/Tags/Attributes | 54/1/114 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://www.ctfiot.com/202630.html |
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 426 | ✔ | CTF导航 | https://www.ctfiot.com/feed | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 37 | psexec.py |
|
| Details | Domain | 7 | myip.ipip.net |
|
| Details | Domain | 3 | 360-1305242994.cos.ap-nanjing.myqcloud.com |
|
| Details | Domain | 13 | archive.zip |
|
| Details | Domain | 36 | book.hacktricks.xyz |
|
| Details | Domain | 124 | www.sentinelone.com |
|
| Details | File | 5 | 20240739人员名单信息.zip |
|
| Details | File | 2 | 用户就会看到一个伪装成.docx |
|
| Details | File | 9 | 违规远程控制软件人员名单.docx |
|
| Details | File | 2 | 看来lnk文件的图标被设置为同一目录中的1.docx |
|
| Details | File | 24 | dui70.dll |
|
| Details | File | 2 | 和ui.exe |
|
| Details | File | 2 | 文件ui.exe |
|
| Details | File | 2 | 已从licensingui.exe |
|
| Details | File | 10 | licensingui.exe |
|
| Details | File | 2 | 其中之一是dui70.dll |
|
| Details | File | 2 | 任何包含相同名称的dll都可以在通过lnk文件执行重命名的ui.exe |
|
| Details | File | 2 | 这种涉及licensingui.exe |
|
| Details | File | 14 | ui.exe |
|
| Details | File | 3 | mall_100_100.html |
|
| Details | File | 22 | runonce.exe |
|
| Details | File | 2 | 由于攻击者已经接入了runonce.exe |
|
| Details | File | 4 | fpr.exe |
|
| Details | File | 10 | iox.exe |
|
| Details | File | 9 | fscan.exe |
|
| Details | File | 32 | result.txt |
|
| Details | File | 4 | netspy.exe |
|
| Details | File | 2 | 日志文件是netspy.log |
|
| Details | File | 2 | 和alive.txt |
|
| Details | File | 8 | lld.exe |
|
| Details | File | 2 | windowstemptmptmp.log |
|
| Details | File | 6 | xxx.txt |
|
| Details | File | 2 | 在重命名为tmp.log |
|
| Details | File | 2 | 之前与tmp.log |
|
| Details | File | 7 | tmp.log |
|
| Details | File | 2 | 包含由lld.exe |
|
| Details | File | 9 | sharpdecryptpwd.exe |
|
| Details | File | 5 | pvefindaduser.exe |
|
| Details | File | 12 | document.txt |
|
| Details | File | 4 | gogo_windows_amd64.exe |
|
| Details | File | 63 | output.txt |
|
| Details | File | 2 | windowstemptmplld.exe |
|
| Details | File | 2125 | cmd.exe |
|
| Details | File | 2 | 如fscan.exe |
|
| Details | File | 2 | 和netspy.exe |
|
| Details | File | 2 | 如sharpdecryptpwd.exe |
|
| Details | File | 2 | 用户针对mstc.exe |
|
| Details | File | 74 | mstsc.exe |
|
| Details | File | 29 | ip.txt |
|
| Details | File | 2 | 我们观察到psexec.py |
|
| Details | File | 34 | psexec.py |
|
| Details | File | 2 | 他们使用iox.exe |
|
| Details | File | 2 | bloodhound是通过runonce.exe |
|
| Details | File | 2 | bloodhound收集的数据随后被编译成几个.json |
|
| Details | File | 2 | 这些文件随后被压缩成bloodhound.zip |
|
| Details | File | 2 | 使用iox.exe |
|
| Details | File | 2 | 使用fscan.exe |
|
| Details | File | 8 | alive.txt |
|
| Details | File | 4 | sb.exe |
|
| Details | File | 3 | sa64.gif |
|
| Details | File | 2 | c:\windows\system32\runonce.exe |
|
| Details | File | 2 | 是searchall64.exe |
|
| Details | File | 6 | sharpweb.exe |
|
| Details | File | 2 | 例如利用微软签名的可执行文件licensingui.exe |
|
| Details | File | 10 | archive.zip |
|
| Details | sha256 | 3 | 8e77101d3f615a58b8d759e8b82ca3dffd4823b9f72dc5c6989bb4311bdffa86 |
|
| Details | sha256 | 3 | 04bcf25d07e5cf060e742325d6123242f262888705acac649f8d5010a5eb6a87 |
|
| Details | sha256 | 3 | c35ea8498ed7ae33513e26fac321fecf0fc9306dda8c783904968e3c51648c37 |
|
| Details | sha256 | 3 | 3a9b64a61f6373ee427f27726460e7047b21ddcfd1d0d45ee4145192327a0408 |
|
| Details | sha256 | 3 | 28030e8cf4c9c39665a0552e82da86781b00f099e240db83f1d1a3ae0e990ab6 |
|
| Details | sha256 | 3 | 1ba77dd1f5bf31d45fdb160c52ebe5829ec373350cde35818fb90d45352b3601 |
|
| Details | sha256 | 3 | 1189d34e983a6fc9d2dc37ad591287c9e3e4d4ba83f66c7ede692c36274ba648 |
|
| Details | sha256 | 3 | 706bd7e05f275814c3b86eec1a87148662029d91d0ce9b80386aaffe7aa3753b |
|
| Details | sha256 | 3 | 0bd048e0bce956edfbcee6edf32b8b67e08275bd38125b40a98665fab4926c9d |
|
| Details | sha256 | 3 | 97c5cd06b543b0bdb270666092348efba0a9670af05b11f3b56bf4b418dec43a |
|
| Details | sha256 | 3 | 7dc0e13a5f1a70c4e41f4b92372259b050a395104650d57385ecaa148481ae5c |
|
| Details | sha256 | 3 | 1f510ded0d181b4636e83c69b66c92465dc0e64f6db946fa4c246e7741f66141 |
|
| Details | sha256 | 3 | 9f650117288b26312e84f32e23783fe3c81fcba771c8ae58119be92344c006cc |
|
| Details | sha256 | 3 | efe53f18d282516149bc6feac44c17dde9f0704d95598aecba3e7d734727b07e |
|
| Details | sha256 | 3 | 33a910162eafe750316adfad4ab0955be24c1ba048c2ec236c95e4a795c42932 |
|
| Details | IPv4 | 6 | 123.207.74.22 |
|
| Details | IPv4 | 3 | 49.235.152.72 |
|
| Details | IPv4 | 3 | 123.56.168.30 |
|
| Details | MITRE ATT&CK Techniques | 41 | T1078.001 |
|
| Details | MITRE ATT&CK Techniques | 310 | T1566.001 |
|
| Details | MITRE ATT&CK Techniques | 157 | T1560 |
|
| Details | MITRE ATT&CK Techniques | 96 | T1132 |
|
| Details | MITRE ATT&CK Techniques | 289 | T1003 |
|
| Details | MITRE ATT&CK Techniques | 172 | T1555 |
|
| Details | MITRE ATT&CK Techniques | 297 | T1070.004 |
|
| Details | MITRE ATT&CK Techniques | 298 | T1562.001 |
|
| Details | MITRE ATT&CK Techniques | 70 | T1574.001 |
|
| Details | MITRE ATT&CK Techniques | 91 | T1620 |
|
| Details | MITRE ATT&CK Techniques | 230 | T1033 |
|
| Details | MITRE ATT&CK Techniques | 433 | T1057 |
|
| Details | MITRE ATT&CK Techniques | 65 | T1069 |
|
| Details | MITRE ATT&CK Techniques | 1006 | T1082 |
|
| Details | MITRE ATT&CK Techniques | 460 | T1059.001 |
|
| Details | MITRE ATT&CK Techniques | 333 | T1059.003 |
|
| Details | MITRE ATT&CK Techniques | 59 | T1059.006 |
|
| Details | MITRE ATT&CK Techniques | 174 | T1569.002 |
|
| Details | MITRE ATT&CK Techniques | 106 | T1204.001 |
|
| Details | MITRE ATT&CK Techniques | 365 | T1204.002 |
|
| Details | MITRE ATT&CK Techniques | 160 | T1021.001 |
|
| Details | MITRE ATT&CK Techniques | 38 | T1550.002 |
|
| Details | MITRE ATT&CK Techniques | 480 | T1053 |
|
| Details | MITRE ATT&CK Techniques | 422 | T1041 |
|
| Details | Url | 2 | http://123.207.74.22/mall_100_100.html发出信标 |
|
| Details | Url | 7 | http://myip.ipip.net |
|
| Details | Url | 3 | https://360-1305242994.cos.ap-nanjing.myqcloud.com/wel/ns/sa64.gif |
|
| Details | Url | 4 | https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature |
|
| Details | Url | 3 | https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking |
|
| Details | Url | 5 | https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors |
|
| Details | Windows Registry Key | 2 | HKLMSystemCurrentControlSetcontrollsa |