European diplomats targeted by APT29 (Cozy Bear) with WINELOADER
Tags
cmtmf-attack-pattern: Application Layer Protocol Boot Or Logon Autostart Execution Compromise Infrastructure Masquerading Obfuscated Files Or Information Process Injection Scheduled Task/Job
country: India Russia
maec-delivery-vectors: Watering Hole
attack-pattern: Data Application Layer Protocol - T1437 Boot Or Logon Autostart Execution - T1547 Code Signing - T1553.002 Compromise Infrastructure - T1584 Dll Side-Loading - T1574.002 Dynamic Api Resolution - T1027.007 Dynamic-Link Library Injection - T1055.001 Embedded Payloads - T1027.009 Encrypted Channel - T1521 Encrypted Channel - T1573 Exfiltration Over C2 Channel - T1646 Hijack Execution Flow - T1625 Hijack Execution Flow - T1574 Impersonation - T1656 Invalid Code Signature - T1036.001 Javascript - T1059.007 Junk Data - T1001.001 Malicious File - T1204.002 Malicious Link - T1204.001 Malware - T1587.001 Malware - T1588.001 Masquerade Task Or Service - T1036.004 Masquerading - T1655 Obfuscated Files Or Information - T1406 Mshta - T1218.005 Phishing - T1660 Phishing - T1566 Process Injection - T1631 Registry Run Keys / Startup Folder - T1547.001 Scheduled Task - T1053.005 Scheduled Task/Job - T1603 Server - T1583.004 Server - T1584.004 Software - T1592.002 Symmetric Cryptography - T1521.001 Symmetric Cryptography - T1573.001 Web Protocols - T1071.001 Web Protocols - T1437.001 Standard Application Layer Protocol - T1071 Code Signing - T1116 Data Obfuscation - T1001 Deobfuscate/Decode Files Or Information - T1140 Dll Side-Loading - T1073 Exfiltration Over Command And Control Channel - T1041 Masquerading - T1036 Mshta - T1170 Obfuscated Files Or Information - T1027 Process Injection - T1055 Scheduled Task - T1053 Signed Binary Proxy Execution - T1218 System Owner/User Discovery - T1033 User Execution - T1204 Masquerading User Execution
Common Information
Type Value
UUID 7c69af19-93a5-4162-8127-317f5f73b4e9
Fingerprint bc35a95a6dae8099
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 7, 2024, midnight
Added to db Nov. 7, 2024, 10:43 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline European diplomats targeted by APT29 (Cozy Bear) with WINELOADER
Title European diplomats targeted by APT29 (Cozy Bear) with WINELOADER
Detected Hints/Tags/Attributes 119/4/66
RSS Feed
Id | Enabled | Feed title | Url | Added to db
406 | | Security Research | Blog Category Feed | https://www.zscaler.com/blogs/feeds/security-research | 2024-08-30 22:08
Attributes
Type | #Events | Value
Domain | 2 | seeceafcleaners.co.uk
Domain | 20 | obfuscator.io
Domain | 2 | text.zip
Domain | 2 | castechtools.com
Domain | 2 | passatempobasico.com.br
File | 2 | wine.php
File | 5 | cert.php
File | 2 | c:\windows\tasks\text.txt
File | 226 | certutil.exe
File | 2 | c:\windows\tasks\text.zip
File | 2 | c:\windows\\tasks\text.zip
File | 66 | sqlwriter.exe
File | 69 | vcruntime140.dll
File | 229 | advapi32.dll
File | 3 | api-ms-win-crt-math-l1-1-0.dll
File | 3 | api-ms-win-crt-stdio-l1-1-0.dll
File | 12 | bcryptprimitives.dll
File | 53 | iphlpapi.dll
File | 748 | kernel32.dll
File | 82 | kernelbase.dll
File | 68 | mscoree.dll
File | 533 | ntdll.dll
File | 86 | ole32.dll
File | 41 | rpcrt4.dll
File | 69 | shlwapi.dll
File | 291 | user32.dll
File | 146 | wininet.dll
File | 47 | api.php
File | 3 | vcruntime.dll
File | 2 | c:\windows\tasks directory and creates a scheduled task named ms sql writer with the description sql server vss writer 64-bit to execute c:\windows\tasks\sqlwriter.exe
File | 2 | wine.pdf
File | 456 | mshta.exe
sha256 | 2 | 72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4
sha256 | 2 | ad43bbb21e2524a71bad5312a7b74af223090a8375f586d65ff239410bbd81a7
sha256 | 2 | 3739b2eae11c8367b576869b68d502b97676fb68d18cc0045f661fbe354afcb9
sha256 | 2 | 1c7593078f69f642b3442dc558cddff4347334ed7c96cd096367afd08dca67bc
sha256 | 2 | e477f52a5f67830d81cf417434991fe088bfec21984514a5ee22c1bcffe1f2bc
sha256 | 2 | f61cee951b7024fca048175ca0606bfd550437f5ba2824c50d10bef8fb54ca45
sha256 | 2 | c1223aa67a72e6c4a9a61bf3733b68bfbe08add41b73ad133a7c640ba265a19e
sha256 | 2 | b014cdff3ac877bdd329ca0c02bdd604817e7af36ad82f912132c50355af0920
sha256 | 2 | 7600d4bb4e159b38408cb4f3a4fa19a5526eec0051c8c508ef1045f75b0f6083
MITRE ATT&CK Techniques | 365 | T1204.002
MITRE ATT&CK Techniques | 9 | T1656
MITRE ATT&CK Techniques | 106 | T1204.001
MITRE ATT&CK Techniques | 227 | T1574.002
MITRE ATT&CK Techniques | 59 | T1055.001
MITRE ATT&CK Techniques | 130 | T1573.001
MITRE ATT&CK Techniques | 422 | T1041
MITRE ATT&CK Techniques | 66 | T1584
MITRE ATT&CK Techniques | 275 | T1053.005
MITRE ATT&CK Techniques | 380 | T1547.001
MITRE ATT&CK Techniques | 504 | T1140
MITRE ATT&CK Techniques | 15 | T1036.001
MITRE ATT&CK Techniques | 57 | T1036.004
MITRE ATT&CK Techniques | 28 | T1027.007
MITRE ATT&CK Techniques | 40 | T1027.009
MITRE ATT&CK Techniques | 59 | T1218.005
MITRE ATT&CK Techniques | 230 | T1033
MITRE ATT&CK Techniques | 442 | T1071.001
MITRE ATT&CK Techniques | 8 | T1001.001
Threat Actor Identifier - APT | 665 | APT29
Url | 2 | https://seeceafcleaners.co.uk/wine.php
Url | 2 | https://castechtools.com/api.php
Url | 2 | https://seeceafcleaners.co.uk/cert.php
Url | 2 | https://passatempobasico.com.br/wine.php
Windows Registry Key | 3 | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS