Cyber threat activity in Ukraine: analysis and resources – Microsoft Security Response Center
Common Information
Type Value
UUID a589d669-0bce-40c6-b7b6-3dd65cedfb9d
Fingerprint 67102f9b58f58097
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 28, 2022, midnight
Added to db Sept. 26, 2022, 9:34 a.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline Cyber threat activity in Ukraine: analysis and resources
Title Cyber threat activity in Ukraine: analysis and resources – Microsoft Security Response Center
Detected Hints/Tags/Attributes 95/3/18
Attributes
Type | #Events | CTI Value
Domain | 2 | help-for-ukraine.eu
Domain | 2 | tokenukraine.com
Domain | 2 | ukrainesolidarity.org
Domain | 2 | ukraine-solidarity.com
Domain | 2 | saveukraine.today
Domain | 2 | supportukraine.today
File | 2 | cdel.exe
File | 409 | c:\windows\system32\cmd.exe
File | 1 | c:\windows\cdel.exe
File | 14 | sdelete.exe
File | 456 | mshta.exe
File | 249 | schtasks.exe
sha256 | 1 | a71c8306b6b8a89c18dea3b1490037593737d59b023000f24da94e3275600b59
sha256 | 1 | 4ca63406ff189301ccbb54daa6e2da4bc5d03ffc1a8a9756717d95d26abc3906
Mandiant Uncategorized Groups | 65 | UNC1151
Deprecated Microsoft Threat Actor Naming Taxonomy (Groups in development) | 51 | DEV-0586
Deprecated Microsoft Threat Actor Naming Taxonomy (Groups in development) | 5 | DEV-0665
Yara rule | 1 | (rule text follows)
rule DesertBlade {
	meta:
		author = "Microsoft Threat Intelligence Center (MSTIC)"
		description = "Detects Golang package, function, and source file names observed in DesertBlade samples"
		hash = "a71c8306b6b8a89c18dea3b1490037593737d59b023000f24da94e3275600b59"
	strings:
		$s1 = "main.wipe\x00\x00"
		$s2 = "main.getRandomByte\x00\x00"
		$s3 = "main.drives\x00\x00"
		$s4 = "main.main.func3\x00\x00"
		$s5 = "walk.volumeNameLen\x00\x00"
		$s6 = "windows.GetLogicalDriveStrings\x00\x00"
		$s7 = "api.ExplicitAccess\x00\x00"
		$s8 = "go-acl.GrantSid\x00\x00"
		$s9 = "/src/w/w.go\x00\x00"
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 5MB and filesize > 1MB and all of ($s*)
}