Breaking down familiar tools in the attacks of the Crypt Ghouls hacktivists
Common Information
UUID: d297de90-cb09-4e90-b133-fe15c5049bde
Fingerprint: 7612d4b3dbabcb6b
Analysis status: DONE
Considered CTI value: 1
Text language:
Published: Oct. 18, 2024, 1 p.m.
Added to db: Oct. 18, 2024, 12:31 p.m.
Last updated: Nov. 17, 2024, 10:40 p.m.
Headline: Analysis of the Crypt Ghouls group: continuing our investigation of a series of attacks on Russia
Title: Breaking down familiar tools in the attacks of the Crypt Ghouls hacktivists
Detected Hints/Tags/Attributes: 40/1/67
RSS Feed
Id  Feed title  Url  Added to db
224  Securelist  https://securelist.ru/feed/  2024-08-30 22:08
Attributes
Type  #Events  Value
Domain  3  localtonet.com
Domain  3  nssm-2.24.zip
Domain  3  localtonet-win-64.zip
Domain  49  wmiexec.py
Domain  4127  github.com
Domain  2  netstaticpoints.com
File  2  24.zip
File  2  localtonet-win-64.zip
File  2126  cmd.exe
File  2  c:\programdata\allinone2023\xenallpasswordpro.exe
File  2  c:\programdata\report.html
File  2  c:\programdata\dbg\allinone2023\xenallpasswordpro.exe
File  2  c:\programdata\1c\allinone2023\xenallpasswordpro.exe
File  2  xenallpasswordpro.exe
File  2  c:\intel\xenallpasswordpro.exe
File  142  wmiprvse.exe
File  45  wmiexec.py
File  14  c:\windows\system32\wbem\wmiprvse.exe
File  2  intellpui.vbs
File  3  c:\windows\system32\rdpclip.exe
File  2  c:\programdata\1c\2c.txt
File  92  c:\windows\system32\svchost.exe
File  2  kjzcehld.tmp
File  1018  rundll32.exe
File  478  lsass.exe
File  38  lsass.dmp
File  7  dumper.ps1
File  2  gpo_compliance.ps1
File  17  t.exe
File  2  kxxxxxxx.sys
File  1208  powershell.exe
File  59  ntdsutil.exe
File  2  c:\programdata\microsoft\vault\dabbf27c-37ef-9946-a3d3-7aaaebce7577 powershell.exe
File  7  7zr.exe
File  2  c:\programdata\ad.7z
File  2  c:\programdata\microsoft\vault\4c6b60eb-eafe-ab9b-adfa-ed24b2398e0c powershell.exe
File  39  anydesk.exe
File  2  c:\windows\temp\localtonet.exe
File  22  dism.exe
File  11  dismcore.dll
File  2  odbcconf.xml
File  351  recycle.bin
File  196  desktop.ini
File  2  с:\programdata\oracle\dismcore.dll
File  2  c:\users\user\downloads\dumper.ps1
File  2  c:\users\user\desktop\x86\x64\mimikatz.exe
File  2  с:\programdata\allinone2023\xenallpasswordpro.exe
File  2  с:\programdata\dbg\allinone2023\xenallpasswordpro.exe
File  2  с:\programdata\1c\allinone2023\xenallpasswordpro.exe
File  13  nssm.exe
File  2  c:\programdata\t.exe
File  2  c:\users\user\appdata\local\temp\kxxxxxxx.sys
File  2  c:\windows\temp\kxxxxxxx.sys
File  2  c:\programdata\intell\intellpui.vbs
Github username  2  ip7z
md5  2  F4A84D6F1CAF0875B50135423D04139F
Url  2  http://localtonet.com/nssm-2.24.zip
Url  2  http://localtonet.com/download/localtonet-win-64.zip
Url  2  https://github.com/ip7z/7zip/releases/download/23.01/7zr.exe
Windows Registry Key  14  HKLM\SECURITY