奇安信威胁情报中心
Tags
| attack-pattern: | Regsvr32 - T1218.010 Software - T1592.002 Regsvr32 - T1117 |
Common Information
| Type | Value |
|---|---|
| UUID | bc466e92-c142-4d9b-b4d9-c6f4502d6b6a |
| Fingerprint | bf5fb134ad6c15a9 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | May 6, 2021, midnight |
| Added to db | Jan. 18, 2023, 10:39 p.m. |
| Last updated | Nov. 6, 2024, 4:32 p.m. |
| Headline | UNKNOWN |
| Title | 奇安信威胁情报中心 |
| Detected Hints/Tags/Attributes | 6/1/25 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 58 | ti.qianxin.com |
|
| Details | Domain | 3 | onedrive-upload.ikpoo.cf |
|
| Details | Domain | 3 | alps.travelmountain.ml |
|
| Details | Domain | 1 | pootbal.med |
|
| Details | Domain | 1 | ianewsonline.com |
|
| Details | File | 49 | nuxt.js |
|
| Details | File | 3 | hwp.js |
|
| Details | File | 1 | 该样本后缀为hwp.js |
|
| Details | File | 1 | b64及temp.db |
|
| Details | File | 3 | temp.db |
|
| Details | File | 1 | 同时通过powershell执行命令调用启动temp.db |
|
| Details | File | 1 | 释放temp.db |
|
| Details | File | 1 | c:\programdata\software\microsoft\windows\defender\autoupdate.dll |
|
| Details | File | 1 | 利用regsvr32.exe |
|
| Details | File | 1 | 加载autoupdate.dll |
|
| Details | File | 3 | autoupdate.dll |
|
| Details | File | 2 | ki.txt |
|
| Details | md5 | 3 | 3a4ab11b25961becece1c358029ba611 |
|
| Details | md5 | 1 | 14b95dc99e797c6c717bf68440eae720 |
|
| Details | md5 | 3 | 80a2bb7884b8bad4a8e83c2cb03ee343 |
|
| Details | md5 | 3 | 10b9702f8096afa8c928de6507f7ecfe |
|
| Details | md5 | 2 | 199674e87f437bdbd68884b155346d25 |
|
| Details | Mandiant Temporary Group Assumption | 3 | TEMP.DB |
|
| Details | Url | 24 | https://ti.qianxin.com |
|
| Details | Url | 1 | http://pootbal.med/ianewsonline.com/ro/ki.txt |