OVERRULED: Containing a Potentially Destructive Adversary | Mandiant
Common Information
Type Value
UUID 7fc5f52e-251d-46ec-98e5-3b4fed2722cd
Fingerprint a401819b83b785c5
Analysis status DONE
Considered CTI value 2
Text language
Published Dec. 21, 2018, midnight
Added to db Nov. 6, 2023, 7:08 p.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline OVERRULED: Containing a Potentially Destructive Adversary
Title OVERRULED: Containing a Potentially Destructive Adversary | Mandiant
Detected Hints/Tags/Attributes 112/3/72
RSS Feed
Id  Enabled  Feed title  Url  Added to db
330  Threat Intelligence  https://www.mandiant.com/resources/blog/rss.xml  2024-08-30 22:08
Attributes
Type  #Events  CTI Value  Value
CVE  16  cve-2017-11774
CVE  22  cve-2017-0213
Domain  339  system.net
Domain  1  basepack.org
Domain  1  staffmusic.org
Email  1  first.last@yourorganization.tld
File  1  live.exe
File  1  homepage.htm
File  816  index.html
File  1  media.ps1
File  1  %localappdata%\mediaws\media.ps1
File  1  c:\users\public\downloads\log.dat
File  13  log.dat
File  1  clouldpackage.exe
File  1  delivered.dat
File  1  vision.ps1
File  173  outlook.exe
md5  1  95f3bea43338addc1ad951cd2d42eb6f
md5  1  c326f156657d1c41a9c387415bf779d4
md5  1  0564706ec38d15e981f71eaf474d0ab8
md5  1  94cd86a0a4d747472c2b3f1bc3279d77
md5  1  17587668AC577FCE0B278420B8EB72AC
md5  1  46038aa5b21b940099b0db413fa62687
md5  1  c38069d0bc79acdc28af3820c1123e53
md5  1  8be06571e915ae3f76901d52068e3498
md5  1  4047e238bbcec147f8b97d849ef40ce5
md5  1  f0fe6e9dde998907af76d91ba8f68a05
md5  1  53ae59ed03fa5df3bf738bc0775a91d9
md5  1  8a99624d224ab3378598b9895660c890
md5  1  4b19bccc25750f49c2c1bb462509f84e
md5  1  17587668ac577fce0b278420b8eb72ac
md5  1  56f5891f065494fdbb2693cfc9bce9ae
md5  1  fa7790abe9ee40556fb3c5524388de0b
md5  1  75e680d5fddbdb989812c7ba83e7c425
md5  1  129c296c363b6d9da0102aa03878ca7f
md5  1  fca0ad319bf8e63431eb468603d50eff
md5  1  5832f708fd860c88cbdc088acecec4ea
md5  1  8d3fe1973183e1d3b0dbec31be8ee9dd
md5  1  48d1ed9870ed40c224e50a11bf3523f8
md5  1  99649d58c0d502b2dfada02124b1504c
md5  1  974b999186ff434bee3ab6d61411731f
md5  1  3871aac486ba79215f2155f32d581dc2
md5  1  e2d60bb6e3e67591e13b6a8178d89736
md5  1  2cd286711151efb61a15e2e11736d7d2
md5  1  bd80fcf5e70a0677ba94b3f7c011440e
md5  1  5a66480e100d4f14e12fceb60e91371d
md5  1  f5ac89d406e698e169ba34fea59a780e
md5  1  4aca006b9afe85b1f11314b39ee270f7
md5  1  7f4f7e307a11f121d8659ca98bc8ba56
md5  1  506fe019d48ff23fac8ae3b6dd754f6e
IPv4  1  103.236.149.100
IPv4  1  85.206.161.214
IPv4  1  85.206.161.216
IPv4  1  91.235.116.212
IPv4  1  51.254.71.223
IPv4  1  185.161.209.172
IPv4  1  5.79.66.241
IPv4  1  103.236.149.124
IPv4  1  89.45.35.235
Threat Actor Identifier - APT  181  APT33
Url  1  https://103.236.149.100/api/info
Url  1  https://85.206.161.216:8080/homepage.htm
Url  1  http://91.235.116.212/index.html
Url  1  https://51.254.71.223/images/static/content
Url  1  https://185.161.209.172/api/info
Url  1  https://185.161.209.172/api/default
Url  1  http://5.79.66.241/index.html
Url  1  http://103.236.149.124/delivered.dat
Url  1  https://basepack.org
Url  1  http://89.45.35.235/index.html
Url  1  https://staffmusic.org/transfer/view
Yara rule  1
rule Hunting_Outlook_Homepage_Shell_and_Persistence {
	meta:
		author = "Nick Carr (@itsreallynick)"
		reference_hash = "506fe019d48ff23fac8ae3b6dd754f6e"
	strings:
		$script_1 = "<htm" ascii wide nocase
		$script_2 = "<script" ascii wide nocase
		$viewctl1_a = "ViewCtl1" ascii wide nocase
		$viewctl1_b = "0006F063-0000-0000-C000-000000000046" ascii wide
		$viewctl1_c = ".OutlookApplication" ascii wide nocase
	condition:
		uint16(0) != 0x5A4D and all of ($script*) and any of ($viewctl1*)
}