Return of Pseudo Ransomware
Common Information
Type Value
UUID a4426a2d-a496-4fa2-b226-139c325fe27e
Fingerprint c0230dbb04bd9790
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 26, 2022, midnight
Added to db Sept. 26, 2022, 9:33 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Return of Pseudo Ransomware
Title Return of Pseudo Ransomware
Detected Hints/Tags/Attributes 87/4/39
Attributes
Details Type #Events CTI Value
Details Domain 112
cdn.discordapp.com
Details Domain 372
wscript.shell
Details Domain 39
www.helpnetsecurity.com
Details File 16
stage1.exe
Details File 20
stage2.exe
Details File 2
tbopbh.exe
Details File 6
frkmlkdkdubkznbkmcf.dll
Details File 1208
powershell.exe
Details File 12
tbopbh.jpg
Details File 1
tbobph.jpg
Details File 1
%temp%\nmddfrqqrbyjeygggda.vbs
Details File 3
%temp%\advancedrun.exe
Details File 23
c:\windows\system32\sc.exe
Details File 351
recycle.bin
Details IPv4 1
1.2.2.6
Details IPv4 9
111.111.111.111
Details MITRE ATT&CK Techniques 460
T1059.001
Details MITRE ATT&CK Techniques 93
T1485
Details MITRE ATT&CK Techniques 137
T1059.005
Details MITRE ATT&CK Techniques 70
T1562.004
Details MITRE ATT&CK Techniques 550
T1112
Details MITRE ATT&CK Techniques 492
T1105
Details Url 5
https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/tbopbh.jpg
Details Url 1
https://www.helpnetsecurity.com/2017/08/14/pseudo-ransomware