“魔罗桫”组织以巴基斯坦科研招聘为诱饵的攻击活动分析
Tags
Common Information
| Type | Value |
|---|---|
| UUID | bdfebd85-0c08-4740-bd0a-750c54142df8 |
| Fingerprint | 1f48210066ee6893 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Nov. 17, 2020, midnight |
| Added to db | Dec. 21, 2024, 1:32 a.m. |
| Last updated | Dec. 21, 2024, 4:29 a.m. |
| Headline | “魔罗桫”组织以巴基斯坦科研招聘为诱饵的攻击活动分析 |
| Title | “魔罗桫”组织以巴基斯坦科研招聘为诱饵的攻击活动分析 |
| Detected Hints/Tags/Attributes | 7/0/49 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://www.secrss.com/articles/27101 |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 5 | recent.wordupdate.com |
|
| Details | Domain | 4 | wordupdate.com |
|
| Details | Domain | 101 | ti.qianxin.com |
|
| Details | Domain | 6752 | 163.com |
|
| Details | File | 4 | notification.docx |
|
| Details | File | 1 | 该文档中又携带了名为muka.dll |
|
| Details | File | 3 | muka.dll |
|
| Details | File | 13 | new.exe |
|
| Details | File | 1 | 加载执行的核心dll名为muder.dll |
|
| Details | File | 1 | muder.dll |
|
| Details | File | 1 | win10通过sdclt.exe |
|
| Details | File | 1 | 然后调用系统程序sdclt.exe |
|
| Details | File | 17 | dismcore.dll |
|
| Details | File | 1 | 将进程的path改成可信文件explorer.exe |
|
| Details | File | 1 | 调用com组件ifileoperation实现越权复制dismcore.dll |
|
| Details | File | 1 | 然后启动系统程序pkgmgr.exe |
|
| Details | File | 1 | 去加载恶意的dismcore.dll |
|
| Details | File | 7 | pkgmgr.exe |
|
| Details | File | 12 | winhost.exe |
|
| Details | File | 2 | program.bat |
|
| Details | File | 1 | 删除描述winhost.exe |
|
| Details | File | 1 | 若为x64系统则注入到cmd.exe |
|
| Details | File | 1 | 若为x86系统则注入到explore.exe |
|
| Details | File | 3 | testing.docx |
|
| Details | File | 1 | 69da886eecc7087e9dac2d3ea4c66ba8.pdf |
|
| Details | md5 | 2 | 37f78dd80716d3ecefc6a098a6871070 |
|
| Details | md5 | 2 | dd37460956de36c0dabb72a603d5f86c |
|
| Details | md5 | 2 | 5554be4fea7ae659b067550228788bdf |
|
| Details | md5 | 1 | 8eaa27c0aeffc71b1b9600878b49fb88 |
|
| Details | md5 | 1 | dabe22a829ebb327db3ebb68061711ad |
|
| Details | md5 | 2 | ad9fd1564dd1c6be54747e84444b8f55 |
|
| Details | md5 | 3 | 6b906764a35508a7fd266cdd512e46b1 |
|
| Details | md5 | 2 | c2528d0f946970e86e6ab9505a36d7b9 |
|
| Details | md5 | 1 | 37F78DD80716D3ECEFC6A098A6871070 |
|
| Details | md5 | 1 | DD37460956DE36C0DABB72A603D5F86C |
|
| Details | md5 | 1 | 5554BE4FEA7AE659B067550228788BDF |
|
| Details | md5 | 1 | 8EAA27C0AEFFC71B1B9600878B49FB88 |
|
| Details | md5 | 1 | DABE22A829EBB327DB3EBB68061711AD |
|
| Details | md5 | 1 | AD9FD1564DD1C6BE54747E84444B8F55 |
|
| Details | md5 | 1 | 6B906764A35508A7FD266CDD512E46B1 |
|
| Details | md5 | 1 | C2528D0F946970E86E6AB9505A36D7B9 |
|
| Details | md5 | 1 | 69da886eecc7087e9dac2d3ea4c66ba8 |
|
| Details | IPv4 | 2 | 23.82.140.14 |
|
| Details | Pdb | 3 | c:\users\admin\documents\dll\linknew\release\linknew.pdb |
|
| Details | Url | 1 | http://recent.wordupdate.com/ver/update12/kb466432 |
|
| Details | Url | 1 | http://recent.wordupdate.com/ver/update12/kb466432获取恶意荷载执行 |
|
| Details | Url | 1 | https://sandbox.ti.qianxin.com/sandbox/page进行简单判别 |
|
| Details | Url | 3 | http://wordupdate.com/recent/update |
|
| Details | Url | 1 | https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf |