HeptaX: Unauthorized RDP Connections For Cyberespionage Operations
Tags
cmtmf-attack-pattern: Application Layer Protocol; Boot Or Logon Autostart Execution; Command And Scripting Interpreter; Obfuscated Files Or Information
maec-delivery-vectors: Watering Hole
attack-pattern: Data; Abuse Elevation Control Mechanism - T1626; Abuse Elevation Control Mechanism - T1548; Application Layer Protocol - T1437; Boot Or Logon Autostart Execution - T1547; Bypass User Account Control - T1548.002; Command And Scripting Interpreter - T1623; Credentials - T1589.001; Credentials From Password Stores - T1555; Credentials From Web Browsers - T1555.003; Credentials From Web Browsers - T1503; Ingress Tool Transfer - T1544; Ip Addresses - T1590.005; Malicious Link - T1204.001; Malware - T1587.001; Malware - T1588.001; Obfuscated Files Or Information - T1406; System Information Discovery - T1426; Multi-Factor Authentication - T1556.006; Phishing - T1660; Phishing - T1566; Powershell - T1059.001; Registry Run Keys / Startup Folder - T1547.001; Remote Desktop Protocol - T1021.001; Scheduled Task - T1053.005; Server - T1583.004; Server - T1584.004; Software - T1592.002; Tool - T1588.002; Account Manipulation - T1098; Standard Application Layer Protocol - T1071; Bypass User Account Control - T1088; Command-Line Interface - T1059; Remote File Copy - T1105; Obfuscated Files Or Information - T1027; Powershell - T1086; Registry Run Keys / Start Folder - T1060; Remote Desktop Protocol - T1076; Scheduled Task - T1053; Scripting - T1064; System Information Discovery - T1082; User Execution - T1204; Scripting; User Execution
Common Information
UUID: cb2615f3-b50a-4626-99de-c5366cddc7c5
Fingerprint: bc85a4136b278bc4
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Oct. 25, 2024, 10:57 a.m.
Added to db: Oct. 25, 2024, 5:29 p.m.
Last updated: Dec. 11, 2024, 8:12 a.m.
Headline: HeptaX: Unauthorized RDP Connections for Cyberespionage Operations
Title: HeptaX: Unauthorized RDP Connections For Cyberespionage Operations
Detected Hints/Tags/Attributes: 103/3/58
RSS Feed
Id Enabled Feed title Url Added to db
98 Cyble https://cyble.com/feed/ 2024-08-30 22:08
Attributes
Type (#Events): Value
Domain (1394): twitter.com
File (2): 202409_resident_care_quality_improvement_strategies_for_nursing_homes_enhancing_patient_satisfaction_and_health_outcomes.pdf
File (1): sow_for_nevrlate.pdf
File (1): webcontentwriting_handout.pdf
File (1): blockchain_trading_website_manager.docx
File (1): signature.pdf
File (1): stars.pdf
File (1): xihu.pdf
File (3): bb.ps1
File (2): id.log
File (2): get-command.php
File (6): b.ps1
File (1232): index.php
File (2): k1.bat
File (2): scheduler-once.bat
File (1): k2.bat
File (2): sysmon.bat
File (1): sysmon2.bat
File (10): a.ps1
File (1): c:\windows\temp\onedrivelog\onedrive.log
File (6): chromepass.exe
File (2196): cmd.exe
IPv4 (3): 157.173.104.153
MITRE ATT&CK Technique (432): T1566
MITRE ATT&CK Technique (110): T1204.001
MITRE ATT&CK Technique (482): T1059.001
MITRE ATT&CK Technique (643): T1027
MITRE ATT&CK Technique (397): T1547.001
MITRE ATT&CK Technique (82): T1548
MITRE ATT&CK Technique (114): T1098
MITRE ATT&CK Technique (1022): T1082
MITRE ATT&CK Technique (129): T1555.003
MITRE ATT&CK Technique (504): T1105
MITRE ATT&CK Technique (466): T1071
Url (1): http://157.173.104.153/up/get-command.php?uid=
Url (1): http://157.173.104.153/up/index.php?uid=
Url (1): http://157.173.104.153/up/a.ps1
Url (2): http://157.173.104.153/up/index.php
Url (2): http://157.173.104.153/up/tool/chromepass.exe
Url (2): http://157.173.104.153/up/b.ps1
Url (2): http://157.173.104.153/up/bb.ps1
Url (2): http://157.173.104.153/up/scheduler-oncex
Url (2): http://157.173.104.153/up/trigger
Url (2): http://157.173.104.153/up/get-command.php
Url (2): http://157.173.104.153/up/bait/202409_resident_care_quality_improvement_strategies_for_nursing_homes_enhancing_patient_satisfaction_and_health_outcomes.pdf
Url (1): https://twitter.com/malwrhunterteam/status/1701669714244542758
Url (1): https://twitter.com/azakasekai_/status/1846482785009348692
Url (1): https://twitter.com/fmc_nan/status/1701427951714345296
Url (1): https://twitter.com/malwrhunterteam/status/1708219656488571188
Url (1): https://twitter.com/malwrhunterteam/status/1701672325580550176
Windows Registry Key (1): HKEY_LOCAL_MACHINE\SOFTWARE\Wireless