A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
Tags
cmtmf-attack-pattern: Boot Or Logon Autostart Execution; Command And Scripting Interpreter; Masquerading; Obfuscated Files Or Information; Process Injection; Scheduled Task/Job
country: China
attack-pattern: Data Archive Collected Data - T1560; Archive Collected Data - T1532; Archive Via Utility - T1560.001; Boot Or Logon Autostart Execution - T1547; Command And Scripting Interpreter - T1623; Create Or Modify System Process - T1543; Credentials - T1589.001; Credentials From Password Stores - T1555; Credentials From Web Browsers - T1555.003; Credentials From Web Browsers - T1503; Credentials In Files - T1552.001; Distributed Component Object Model - T1021.003; Dll Search Order Hijacking - T1574.001; Domain Account - T1087.002; Domain Account - T1136.002; Domain Accounts - T1078.002; Domain Groups - T1069.002; Domain Trust Discovery - T1482; Downgrade Attack - T1562.010; Encrypted Channel - T1521; Encrypted Channel - T1573; Exfiltration Over C2 Channel - T1646; Exploitation For Client Execution - T1658; File And Directory Discovery - T1420; File Deletion - T1070.004; File Deletion - T1630.002; Hidden Files And Directories - T1564.001; Hijack Execution Flow - T1625; Hijack Execution Flow - T1574; Impair Defenses - T1562; Impair Defenses - T1629; Indicator Removal On Host - T1630; Input Capture - T1417; Internal Proxy - T1090.001; Ip Addresses - T1590.005; Keylogging - T1056.001; Keylogging - T1417.001; System Network Configuration Discovery - T1422; Lsass Memory - T1003.001; Malware - T1587.001; Malware - T1588.001; Masquerading - T1655; Obfuscated Files Or Information - T1406; Ntds - T1003.003; Powershell - T1059.001; Process Hollowing - T1055.012; Process Injection - T1631; Python - T1059.006; Registry Run Keys / Startup Folder - T1547.001; Remote Data Staging - T1074.002; Remote Desktop Protocol - T1021.001; Rename System Utilities - T1036.003; Scheduled Task - T1053.005; Scheduled Task/Job - T1603; Server - T1583.004; Server - T1584.004; Smb/Windows Admin Shares - T1021.002; Software - T1592.002; Windows Remote Management - T1021.006; Windows Command Shell - T1059.003; Timestomp - T1070.006; Web Shell - T1505.003; Windows Service - T1543.003; Unsecured Credentials - T1552; Windows Credential Manager - T1555.004; Tool - T1588.002; Account Discovery - T1087; Automated Collection - T1119; Command-Line Interface - T1059; Distributed Component Object Model - T1175; Connection Proxy - T1090; Credential Dumping - T1003; Credentials In Files - T1081; Data Staged - T1074; Dll Search Order Hijacking - T1038; Exfiltration Over Command And Control Channel - T1041; Exploit Public-Facing Application - T1190; Exploitation For Client Execution - T1203; File And Directory Discovery - T1083; File Deletion - T1107; Hidden Files And Directories - T1158; Indicator Removal On Host - T1070; Input Capture - T1056; Masquerading - T1036; Modify Registry - T1112; Network Share Discovery - T1135; New Service - T1050; Obfuscated Files Or Information - T1027; Permission Groups Discovery - T1069; Powershell - T1086; Process Hollowing - T1093; Process Injection - T1055; Registry Run Keys / Start Folder - T1060; Remote Access Tools - T1219; Remote Desktop Protocol - T1076; Remote Services - T1021; Remote System Discovery - T1018; Scheduled Task - T1053; System Network Configuration Discovery - T1016; Windows Remote Management - T1028; Windows Management Instrumentation - T1047; Valid Accounts - T1078; Timestomp - T1099; Web Shell - T1100; Automated Collection; Indicator Removal On Host; Masquerading; Remote System Discovery; Valid Accounts
Common Information
Type Value
UUID ac88ed18-9137-42ba-9169-cd1d796489ca
Fingerprint 3e37265b4caf80d9
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 30, 2022, 8:40 a.m.
Added to db Sept. 30, 2022, 4 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
Title A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
Detected Hints/Tags/Attributes 200/3/98
Attributes
Details Type #Events CTI Value
Details CVE 23
cve-2022-29464
Details Domain 98
www.secureworks.com
Details Domain 19
www.pwc.co.uk
Details File 226
certutil.exe
Details File 39
secur32.dll
Details File 2
tree.exe
Details File 1
bvrpdiag.exe
Details File 1
bvrpdiag.dll
Details File 1
modemmoh.dll
Details File 1
c:\windows\system32\spool\drivers\color\k7avwscn.dll
Details File 1
c:\windows\system32\spool\drivers\color\k7avwscn.doc
Details File 1
c:\windows\system32\spool\drivers\color\k7avwscn.exe
Details File 1
c:\windows\system32\spool\drivers\color\secur32.dll
Details File 1
c:\windows\system32\spool\drivers\color\windowsupdate.exe
Details File 1
c:\windows\temp\winlog\secur32.dll
Details File 1
c:\windows\temp\winlog\windowsevents.exe
Details File 1
c:\programdata\7z.dll
Details File 1
c:\programdata\7z.exe
Details File 1
c:\users\public\adfind.exe
Details File 1
c:\users\public\nbtscan.exe
Details File 1
c:\users\public\start.bat
Details File 1
c:\users\public\t\64.exe
Details File 1
c:\users\public\t\7z.exe
Details File 1
c:\users\public\t\browser.exe
Details File 1
c:\users\public\t\nircmd.exe
Details File 1
c:\users\public\t\test.bat
Details File 1
c:\users\public\test.bat
Details File 1
c:\users\public\test.exe
Details File 1
c:\users\public\test\registry\security (file path, staging location for registry dump)
c:\users\public\test\registry\system (file path, staging location for registry dump)
c:\users\public\webbrowserpassview.exe
Details File 1
c:\windows\debug\adprep\p.bat
Details File 1
c:\windows\system32\spool\drivers\affair.exe
Details File 1
c:\windows\system32\spool\drivers\color\sessiongopher.ps1
Details File 1
c:\windows\system32\spool\drivers\color\tt.bat
Details File 1
c:\windows\temp\best.exe
Details File 1
ip445.ps1
Details File 1
ip445.txt
Details File 9
nbtscan.exe
Details File 10
webbrowserpassview.exe
Details File 27
procdump.exe
Details File 53
adfind.exe
Details File 4
chasing-shadows.html
Details md5 1
1A9115B2D21384C6DA3C21FCCA5201A4
Details md5 1
D1D0E39004FA8138E2F2C4157FA3B44B
Details md5 1
54B419C2CAC1A08605936E016D460697
Details md5 1
B426C17B99F282C13593954568D86863
Details md5 1
7504DEA93DB3B8417F16145E8272BA08
Details md5 1
D99B22020490ECC6F0237EFB2C3DEF27
Details md5 1
1E6E936A0A862F18895BC7DD6F607EB4
Details md5 1
A6A19804248E9CC5D7DE5AEA86590C63
Details md5 1
4BFE4975CEAA15ED0031941A390FAB55
Details md5 1
87F9D1DE3E549469F918778BD637666D
Details md5 1
8E9F8E8AB0BEF7838F2A5164CF7737E4
Details sha256 1
009f24bccea54128c2344e03cee577e12504dd569c8b48ab8b7ead5249778643
Details sha256 1
5f336a90564002be360df63106aa7a7568829c6c084e793d6dc93a896c476204
Details sha256 1
ff98efb4c7680726bf336cec477777bb3beb73c7baa1a5a574c39e7f4e804585
Details IPv4 619
0.0.0.0
Details MITRE ATT&CK Techniques 542
T1190
Details MITRE ATT&CK Techniques 695
T1059
Details MITRE ATT&CK Techniques 480
T1053
Details MITRE ATT&CK Techniques 245
T1203
Details MITRE ATT&CK Techniques 310
T1047
Details MITRE ATT&CK Techniques 380
T1547.001
Details MITRE ATT&CK Techniques 180
T1543.003
Details MITRE ATT&CK Techniques 71
T1078.002
Details MITRE ATT&CK Techniques 4
T1562.010
Details MITRE ATT&CK Techniques 297
T1070.004
Details MITRE ATT&CK Techniques 93
T1070.006
Details MITRE ATT&CK Techniques 550
T1112
Details MITRE ATT&CK Techniques 627
T1027
Details MITRE ATT&CK Techniques 32
T1036.003
Details MITRE ATT&CK Techniques 86
T1055.012
Details MITRE ATT&CK Techniques 94
T1564.001
Details MITRE ATT&CK Techniques 70
T1574.001
Details MITRE ATT&CK Techniques 172
T1555
Details MITRE ATT&CK Techniques 8
T1555.004
Details MITRE ATT&CK Techniques 173
T1003.001
Details MITRE ATT&CK Techniques 67
T1003.003
Details MITRE ATT&CK Techniques 89
T1552.001
Details MITRE ATT&CK Techniques 152
T1056
Details MITRE ATT&CK Techniques 585
T1083
Details MITRE ATT&CK Techniques 176
T1135
Details MITRE ATT&CK Techniques 99
T1087.002
Details MITRE ATT&CK Techniques 124
T1482
Details MITRE ATT&CK Techniques 65
T1069
Details MITRE ATT&CK Techniques 243
T1018
Details MITRE ATT&CK Techniques 160
T1021.001
Details MITRE ATT&CK Techniques 139
T1021.002
Details MITRE ATT&CK Techniques 30
T1021.006
Details MITRE ATT&CK Techniques 10
T1021.003
Details MITRE ATT&CK Techniques 111
T1119
Details MITRE ATT&CK Techniques 20
T1074.002
Details MITRE ATT&CK Techniques 118
T1056.001
Details MITRE ATT&CK Techniques 116
T1560.001
Details MITRE ATT&CK Techniques 163
T1573
Details MITRE ATT&CK Techniques 35
T1090.001
Details MITRE ATT&CK Techniques 422
T1041
Details Url 2
https://www.secureworks.com/research/shadowpad-malware-analysis
Details Url 3
https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html