东南亚新APT组织持续活跃,暗石组织(Saaiwc Group)借多国外交之名进行窃密活动
Tags
| country: | Spain |
| attack-pattern: | Msbuild - T1127.001 Powershell - T1059.001 Powershell - T1086 |
Common Information
| Type | Value |
|---|---|
| UUID | 72978924-832f-4e01-bd60-1637d76ff58a |
| Fingerprint | 858afb5116f2161b |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Feb. 2, 2023, midnight |
| Added to db | June 1, 2023, 10:47 a.m. |
| Last updated | Nov. 17, 2024, 6:55 p.m. |
| Headline | 东南亚新APT组织持续活跃,暗石组织(Saaiwc Group)借多国外交之名进行窃密活动 |
| Title | 东南亚新APT组织持续活跃,暗石组织(Saaiwc Group)借多国外交之名进行窃密活动 |
| Detected Hints/Tags/Attributes | 10/2/44 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://mp.weixin.qq.com/s/7KOjLgeHsgEI7KuDhFOiKA |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | region.zip |
|
| Details | Domain | 2 | deu-idn.zip |
|
| Details | Domain | 285 | microsoft.net |
|
| Details | Domain | 7 | ti.dbappsecurity.com.cn |
|
| Details | Domain | 208 | mp.weixin.qq.com |
|
| Details | Domain | 101 | www.group-ib.com |
|
| Details | File | 1 | region.zip |
|
| Details | File | 42 | msvcr100.dll |
|
| Details | File | 1 | nv_6153_22_012_104147.zip |
|
| Details | File | 2 | norwegia.iso |
|
| Details | File | 2 | deu-idn.zip |
|
| Details | File | 1 | 2022年编译的白文件winword.exe |
|
| Details | File | 1 | 恶意dll文件msvcr100.dll |
|
| Details | File | 1 | 文件将在winword.exe |
|
| Details | File | 1 | 文件在msvcr100.dll |
|
| Details | File | 1 | 其中msvcr100.dll |
|
| Details | File | 1 | 并将解密后的数据写入%temp%目录下的wct73df.tmp |
|
| Details | File | 149 | msbuild.exe |
|
| Details | File | 1 | c:\users\users\appdata\local\temp\wct73df.tmp |
|
| Details | File | 1 | 后续通过msbuild执行xml文件wct73df.tmp |
|
| Details | File | 1 | al.iso |
|
| Details | File | 1 | 43160_informasi_penawaran_pelatihan_spanish_language_and_mexican.zip |
|
| Details | File | 1 | 43160_informasi_penawaran_pelatihan_spanish_language_and_mexican.iso |
|
| Details | File | 323 | winword.exe |
|
| Details | File | 1 | +msvcr100.dll |
|
| Details | File | 1 | net攻击链中所用的winword.exe |
|
| Details | File | 7 | ti.db |
|
| Details | md5 | 1 | 5a324753451c49654814ff2374b7bac8 |
|
| Details | md5 | 1 | f5f310ad8526c6b01b8a0d1d19184e9a |
|
| Details | md5 | 1 | e01931b3aba4437a92578dc802e5c41d |
|
| Details | md5 | 1 | cbc2d3414e58e9b5a5b72c645aca74f3 |
|
| Details | md5 | 3 | 0f50af41edb7e3456cba4dd05b805da1 |
|
| Details | md5 | 2 | c431ddc7ed614effd8e2ae816107de3f |
|
| Details | md5 | 3 | 836184b7387b212f8b7f064d5e60f587 |
|
| Details | md5 | 2 | 1ee99e4eb1a855186812204a1e3b72de |
|
| Details | md5 | 1 | 233acdea31fa3ef01e05bf4e3dc5bdd8 |
|
| Details | md5 | 1 | 8af6f5e22806766c530dcc8420e60f29 |
|
| Details | md5 | 1 | 34416669f547b13c4d74dfd8261b177a |
|
| Details | md5 | 1 | 991be8abdc60d99c1a3e986084d29b92 |
|
| Details | md5 | 1 | 49186f8de7fd462a7f6703c9b8e6df04 |
|
| Details | md5 | 1 | 3388dde5bfe7284ec9a7a01a3bd84a8a |
|
| Details | Url | 2 | https://ti.dbappsecurity.com.cn/sandbox |
|
| Details | Url | 4 | https://mp.weixin.qq.com/s/g3gujg9wc96nw4crpww6gw |
|
| Details | Url | 5 | https://www.group-ib.com/blog/dark-pink-apt |