The Evil Eye of Cyberspace: Analysis of PROMETHIUM's Attack Campaign Using a Forged NotePad++ Installer
Tags

Common Information

Type                          Value
UUID                          6d73a577-fb6b-49fb-815a-85fd08c6b32a
Fingerprint                   a904beac30b2b4f4
Analysis status               DONE
Considered CTI value          2
Text language
Published                     Feb. 21, 2022, midnight
Added to db                   Sept. 26, 2022, 9:34 a.m.
Last updated                  Nov. 15, 2024, 12:36 p.m.
Headline                      The Evil Eye of Cyberspace: Analysis of PROMETHIUM's Attack Campaign Using a Forged NotePad++ Installer
Title                         The Evil Eye of Cyberspace: Analysis of PROMETHIUM's Attack Campaign Using a Forged NotePad++ Installer
Detected Hints/Tags/Attributes 11/0/26
Attributes

Type     #Events  Value
Domain   1        advancedtoenableplatform.com
Domain   58       ti.qianxin.com
File     208      setup.exe
File     13       x64.exe
File     1        drops winpickr.exe under it (sentence fragment detected as a file name)
File     1        winpickr.exe
File     1        if winpickr.exe (sentence fragment detected as a file name)
File     4        parse_ini_file.php
File     27       phpinfo.php
File     4        aboutus.php
File     1        this thread's main function is to launch the dropped dropper3 program ntuis32.exe (sentence fragment detected as a file name)
File     1        drops a file named ntuis32.exe under the c:\programdata\microsoft\windowsdata directory (sentence fragment detected as a file name)
File     1        ntuis32.exe
File     49       info.php
File     2        bitdefender-whitepaper-strongpity-apt.pdf
Url      1        https://advancedtoenableplatform.com/parse_ini_file.php
Url      1        https://advancedtoenableplatform.com/phpinfo.php
Url      1        https://advancedtoenableplatform.com/aboutus.php
Url      44       https://sandbox.ti.qianxin.com/sandbox/page
Url      2        https://ti.qianxin.com/apt/detail/5b39cb04596a10000ffcba85?name=promethium&type=map
Url      2        https://www.bitdefender.com/files/news/casestudies/study/353/bitdefender-whitepaper-strongpity-apt.pdf