A Truly Graceful Wipe Out - The DFIR Report
Tags
cmtmf-attack-pattern: Masquerading, Process Injection, Traffic Distribution
country: Chile
maec-delivery-vectors: Watering Hole
attack-pattern:
  Data Model
  Botnet - T1583.005
  Botnet - T1584.005
  Command Obfuscation - T1027.010
  Create or Modify System Process - T1543
  Disable or Modify Tools - T1562.001
  Disable or Modify Tools - T1629.003
  Disk Structure Wipe - T1561.002
  Disk Structure Wipe - T1487
  DNS - T1071.004
  DNS - T1590.002
  Domain Account - T1087.002
  Domain Account - T1136.002
  Domain Groups - T1069.002
  Domain Trust Discovery - T1482
  Exfiltration Over Alternative Protocol - T1639
  Exploits - T1587.004
  Exploits - T1588.005
  File and Directory Discovery - T1420
  Fileless Storage - T1027.011
  Local Data Staging - T1074.001
  Local Groups - T1069.001
  LSASS Memory - T1003.001
  Malicious File - T1204.002
  Malware - T1587.001
  Malware - T1588.001
  Masquerading - T1655
  Match Legitimate Name or Location - T1036.005
  Match Legitimate Name or Location - T1655.001
  Process Discovery - T1424
  Msiexec - T1218.007
  Pass the Hash - T1550.002
  PowerShell - T1059.001
  Process Injection - T1631
  Rundll32 - T1218.011
  Scheduled Task - T1053.005
  Security Account Manager - T1003.002
  Security Software Discovery - T1418.001
  Security Software Discovery - T1518.001
  Server - T1583.004
  Server - T1584.004
  SMB/Windows Admin Shares - T1021.002
  Software - T1592.002
  Spearphishing Link - T1566.002
  Spearphishing Link - T1598.003
  SSH - T1021.004
  Web Protocols - T1071.001
  Web Protocols - T1437.001
  Windows Service - T1543.003
  Connection Proxy - T1090
  Credential Dumping - T1003
  Custom Command and Control Protocol - T1094
  Deobfuscate/Decode Files or Information - T1140
  Exfiltration Over Alternative Protocol - T1048
  File and Directory Discovery - T1083
  Masquerading - T1036
  New Service - T1050
  Pass the Hash - T1075
  PowerShell - T1086
  Process Discovery - T1057
  Process Injection - T1055
  Query Registry - T1012
  Remote System Discovery - T1018
  Rundll32 - T1085
  Scheduled Task - T1053
  Security Software Discovery - T1063
  Spearphishing Link - T1192
  System Owner/User Discovery - T1033
  Windows Management Instrumentation - T1047
  Valid Accounts - T1078
Masquerading, Remote System Discovery, Valid Accounts
Common Information
UUID: ac9e3843-493e-4501-8594-5000ceed56fe
Fingerprint: a32c95f5a9248601
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: June 12, 2023, 1:06 a.m.
Added to db: Oct. 22, 2023, 10:42 p.m.
Last updated: Nov. 17, 2024, 7:44 p.m.
Headline: A Truly Graceful Wipe Out
Title: A Truly Graceful Wipe Out - The DFIR Report
Detected Hints/Tags/Attributes: 209/4/112
RSS Feed
Id: 249
Feed title: The DFIR Report
Url: https://thedfirreport.com/feed/
Added to db: 2024-08-30 22:08
Attributes (grouped by Type; each row is "#Events  CTI Value")

CVE
   243  cve-2023-34362
    17  cve-2021-35211

Domain
     5  hrcbishtek.com
     5  imsagentes.pe
     5  ecorfan.org
     5  essadonio.com
    16  atexec.py
     1  www.essadonio.com
  4127  github.com

File
   269  msiexec.exe
  1122  svchost.exe
    53  adfind.exe
     4  document_may_24_16654.exe
     2  c:\intel\runtimebroker.exe
   409  c:\windows\system32\cmd.exe
  2125  cmd.exe
    14  beacon.dll
   131  spoolsv.exe
    46  runtimebroker.exe
   249  schtasks.exe
    13  taskschd.dll
     3  c.dll
     1  icuin.dll
     1  c:\programdata\servers_live.txt
     1  c:\programdata\servers_live_netview.txt
     1  c:\programdata\servers_live_dir.txt
     1  c:\programdata\hosts.txt
     1  c:\programdata\hosts_live.txt
     1  c:\programdata\servers.txt
    88  1.txt
     3  c:\programdata\1.txt
    14  atexec.py
     1  c:\windows\temp\kmzfgwgn.tmp
     2  1.csv
     1  person.csv
     1  c:\programdata\1.csv
     1  c:\programdata\person.csv
    18  ga.js
    44  submit.php
    21  %windir%\syswow64\rundll32.exe
    21  %windir%\sysnative\rundll32.exe
     1  c:\programdata\chrome.exe
   533  ntdll.dll
    10  'ntdll.dll
    57  system.dll
   271  chrome.exe
   256  net.exe
   240  wmic.exe

Github username
    19  the-dfir-report

md5
    26  a0e9f5d64349fb13191bc781f81f42e1
     3  f14f2862ee2df5d0f63a88b60c8eee56
     3  f33734dfbbff29f68bcde052e523c287
    23  72a589da586844d7f0818ce684948eea
    15  f176ba63b4d68e576b5ba345bec2c7b7
     5  6164e9d297d29aa8682971259da06848
     5  12011c44955fd6631113f68a99447515
     2  2dc57a3836e4393d4d16c4eb04bf9c7e
     2  fbe295e5a1acfbd0a6271898f885fe6a

sha1
     5  96b95edc1a917912a3181d5105fd5bfad1344de0
     5  4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d
     2  c6a5b345cef4eb795866ba81dcac9bd933fdd86d
     2  d6d205922e61635472efb13c2bb92c9ac6cb96da

sha256
     5  717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb
    14  c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3
     4  121a1f64fff22c4bfcef3f11a23956ed403cdeb9bdb803f9c42763087bd6d94e
     2  a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

IPv4
     5  5.188.86.18
     9  92.118.36.199
     5  5.188.206.78
     6  45.182.189.71
     5  81.19.135.30
     5  139.60.160.166

MITRE ATT&CK Techniques
   440  T1055 (Process Injection)
    15  T1561.002 (Disk Structure Wipe)
    92  T1048 (Exfiltration Over Alternative Protocol)
   183  T1036.005 (Match Legitimate Name or Location)
   298  T1562.001 (Disable or Modify Tools)
   504  T1140 (Deobfuscate/Decode Files or Information)
     8  T1027.011 (Fileless Storage)
    25  T1027.010 (Command Obfuscation)
   275  T1053.005 (Scheduled Task)
   460  T1059.001 (PowerShell)
   365  T1204.002 (Malicious File)
   442  T1071.001 (Web Protocols)
    23  T1094 (Custom Command and Control Protocol, deprecated ID)
   230  T1033 (System Owner/User Discovery)
    74  T1069.002 (Domain Groups)
    32  T1069.001 (Local Groups)
   124  T1482 (Domain Trust Discovery)
   433  T1057 (Process Discovery)
    99  T1087.002 (Domain Account)
   585  T1083 (File and Directory Discovery)
   243  T1018 (Remote System Discovery)
   141  T1518.001 (Security Software Discovery)
   501  T1012 (Query Registry)
   139  T1021.002 (SMB/Windows Admin Shares)
    49  T1074.001 (Local Data Staging)
   173  T1003.001 (LSASS Memory)
    38  T1550.002 (Pass the Hash)
   306  T1078 (Valid Accounts)
   180  T1543.003 (Windows Service)
    43  T1003.002 (Security Account Manager)
   183  T1566.002 (Spearphishing Link)

Deprecated Microsoft Threat Actor Naming Taxonomy (Groups in development)
    39  DEV-0950

Threat Actor Identifier - FIN
   127  FIN11

Url
     5  https://hrcbishtek.com
     5  https://imsagentes.pe/dgrjfj
     5  https://ecorfan.org/base/sj/document_may_24_16654.exe
     1  https://github.com/the-dfir-report/suricata-rules/blob/main/rules/truebot.rules
     1  https://github.com/the-dfir-report/yara-rules/blob/main/21619/21619.yar

Windows Registry Key
     1  HKLM\Classes\CLSID
     1  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler\RequiredPrivileges