Konni group delivers AutoIt malware targeting the cryptocurrency industry
Tags
attack-pattern: Powershell - T1059.001; Software - T1592.002; Powershell - T1086
Common Information
Type | Value |
---|---|
UUID | c4e42507-5986-48ae-887c-d62dab3f386e |
Fingerprint | fdfb457db9a412f9 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | March 25, 2024, midnight |
Added to db | Dec. 19, 2024, 11:44 a.m. |
Last updated | Dec. 24, 2024, 10:54 a.m. |
Headline | Konni group delivers AutoIt malware targeting the cryptocurrency industry |
Title | Konni group delivers AutoIt malware targeting the cryptocurrency industry |
Detected Hints/Tags/Attributes | 13/1/67 |
Source URLs
Redirection | Url |
---|---|
Source | https://www.secrss.com/articles/64676 |
Attributes
Type | #Events | CTI | Value |
---|---|---|---|
Domain | 1 | | settlors.com |
Domain | 1 | | nasions.com |
Domain | 1 | | shakuss.com |
Domain | 2 | | goosess.com |
Domain | 2 | | stuckss.com |
Domain | 2 | | oryzanine.com |
Domain | 24 | | www.genians.co.kr |
Domain | 202 | | asec.ahnlab.com |
Domain | 6752 | | 163.com |
File | 1 | | 目录后执行其中的start.vbs |
File | 23 | | start.vbs |
File | 1 | | 启动09402649.bat |
File | 1 | | 09402649.bat |
File | 1 | | 将start.vbs |
File | 1 | | 运行95060869.bat |
File | 1 | | 运行34631202.bat |
File | 1 | | 运行42736915.bat |
File | 1 | | 95060869.bat |
File | 1 | | 调用36980785.bat |
File | 74 | | get.php |
File | 1 | | 解压后执行其中的1.bat |
File | 1 | | 34631202.bat |
File | 1 | | 调用14886621.bat |
File | 106 | | upload.php |
File | 1 | | 42736915.bat |
File | 70 | | list.php |
File | 1 | | 解压后执行其中的temprun.bat |
File | 1 | | 36980785.bat |
File | 1 | | 14886621.bat |
File | 1 | | 当36980785.bat |
File | 1 | | 和42736915.bat |
File | 1 | | 并留下upok.txt |
File | 1 | | 先执行其中的1.bat |
File | 67 | | 1.bat |
File | 1 | | 然后在该目录下释放update.vbs |
File | 17 | | update.vbs |
File | 1 | | 再运行压缩包中的start.bat |
File | 1 | | 而start.bat |
File | 1 | | 直接调用autoit.exe |
File | 1 | | au3脚本同目录下的配置文件setting.ini |
File | 1 | | 첨부1_성명_개인정보수집이용동의서.docx |
File | 1313 | | index.php |
md5 | 1 | | 1aac6272dd9b6d05fa256a89677e90b5 |
md5 | 2 | | 655893b1641565f8ea04da4d74116b8a |
md5 | 1 | | e9db0e7aeb35758c6512d692e938178a |
md5 | 1 | | ff44068ba6ed88e5391452cffb0983be |
md5 | 1 | | 7ee77ecd79b69a082750327b5750e6e4 |
md5 | 1 | | 64fbf63d29cb7e8d813702a2beeee856 |
Url | 1 | | http://settlors.com/get.php下载加密zip压缩包,解压后执行其中的1.bat文件 |
Url | 1 | | http://settlors.com/upload.php |
Url | 1 | | http://settlors.com/list.php下载cab文件,解压后执行其中的temprun.bat文件 |
Url | 1 | | http://settlors.com/get.php继续向受害者设备投递带有autoit恶意脚本的zip压缩包。根据压缩包中的文件修改时间,恶意脚本cdp.au3很可能在2023年12月就已经投入使用 |
Url | 1 | | https://nasions.com/v1/read/get.php |
Url | 1 | | http://shakuss.com/upload.php |
Url | 1 | | http://shakuss.com/list.php |
Url | 1 | | https://goosess.com/read/get.php |
Url | 1 | | http://stuckss.com/upload.php |
Url | 1 | | http://stuckss.com/list.php |
Url | 94 | | https://sandbox.ti.qianxin.com/sandbox/page |
Url | 1 | | http://settlors.com/get.php |
Url | 1 | | http://settlors.com/list.php |
Url | 2 | | http://oryzanine.com/index.php |
Url | 1 | | https://www.genians.co.kr/blog/threat_intelligence/bitcoin |
Url | 2 | | https://asec.ahnlab.com/en/59590 |
Windows Registry Key | 200 | | HKCU\Software\Microsoft\Windows\CurrentVersion\Run |
Windows Registry Key | 1 | | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User |
Windows Registry Key | 23 | | HKCU\Software\Microsoft\Internet |