Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware | CTF导航
Tags
cmtmf-attack-pattern: Masquerading Process Injection
country: Bulgaria Netherlands
maec-delivery-vectors: Watering Hole
attack-pattern: Data Model Clear Windows Event Logs - T1070.001 Credentials - T1589.001 Data Encrypted For Impact - T1471 Data Encrypted For Impact - T1486 Dll Side-Loading - T1574.002 Dns - T1071.004 Dns - T1590.002 Domain Groups - T1069.002 Domain Trust Discovery - T1482 Drive-By Compromise - T1456 Dynamic-Link Library Injection - T1055.001 Encrypted/Encoded File - T1027.013 Exfiltration Over Alternative Protocol - T1639 Hooking - T1617 Ingress Tool Transfer - T1544 Inhibit System Recovery - T1490 Ip Addresses - T1590.005 Lateral Tool Transfer - T1570 Local Account - T1087.001 Local Account - T1136.001 Local Groups - T1069.001 Lsass Memory - T1003.001 Malicious File - T1204.002 Malvertising - T1583.008 Malware - T1587.001 Malware - T1588.001 Masquerading - T1655 Match Legitimate Name Or Location - T1036.005 Match Legitimate Name Or Location - T1655.001 Pass The Hash - T1550.002 Powershell - T1059.001 Process Injection - T1631 Python - T1059.006 Remote Desktop Protocol - T1021.001 Safe Mode Boot - T1562.009 Scheduled Task - T1053.005 Server - T1583.004 Server - T1584.004 Service Execution - T1569.002 Smb/Windows Admin Shares - T1021.002 Software - T1592.002 Ssh - T1021.004 Windows Command Shell - T1059.003 Web Protocols - T1071.001 Web Protocols - T1437.001 Winlogon Helper Dll - T1547.004 Tool - T1588.002 Account Manipulation - T1098 Connection Proxy - T1090 Credential Dumping - T1003 Data From Network Shared Drive - T1039 Dll Side-Loading - T1073 Drive-By Compromise - T1189 Exfiltration Over Alternative Protocol - T1048 Hooking - T1179 Remote File Copy - T1105 Masquerading - T1036 Network Share Discovery - T1135 Pass The Hash - T1075 Powershell - T1086 Process Injection - T1055 Remote Desktop Protocol - T1076 Remote System Discovery - T1018 Scheduled Task - T1053 Service Execution - T1035 Winlogon Helper Dll - T1004 Windows Management Instrumentation - T1047 Drive-By Compromise Hooking Masquerading Remote System Discovery
Show in Graph
Common Information
Type Value
UUID d6de007c-2e2d-4e2c-9201-84c2aecd9a91
Fingerprint 8469a5df2d8a8cc3
Analysis status DONE
Considered CTI value -2
Text language
Published Oct. 10, 2024, midnight
Added to db Oct. 8, 2024, 5:42 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
Title Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware | CTF导航
Detected Hints/Tags/Attributes 192/4/182
Source URLs
Redirection Url
Details Source https://www.ctfiot.com/204386.html
URL Provider
Details Provider Source level domain
Details ctfiot.com www.ctfiot.com
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 426 CTF导航 https://www.ctfiot.com/feed 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 2 
version.zip
Details Domain 3 
slv.py
Details Domain 2 
wo14.py
Details Domain 2 
wo12.py
Details Domain 2 
com.amazon.csm.csa.prod
Details Domain 87 
www.amazon.com
Details Domain 58 
www.cloudflare.com
Details Domain 57 
hunt.io
Details Domain 2 
restic.rest
Details Domain 2 
worksliv.py
Details Domain 10 
detection.fyi
Details Domain 9 
sigmasearchengine.com
Details File 2 
version.zip
Details File 208 
setup.exe
Details File 6 
python311.dll
Details File 1 
加载隐藏python311.dll
Details File 65 
python.exe
Details File 3 
slv.py
Details File 2 
wo14.py
Details File 2 
wo12.py
Details File 2 
c:\windows\adfs\py\updateedge.bat
Details File 2 
c:\users\redacted\appdata\local\notepad\upedge.bat
Details File 2 
c:\users\redacted\appdata\local\notepad\updateedge.bat
Details File 2 
c:\users\redacted\appdata\local\notepad\updateeg.bat
Details File 2 
windowstempupdate.exe
Details File 2 
updateedge.bat
Details File 1 
威胁行为者updateedge.bat
Details File 1 
以确保每当用户登录系统时都能执行updateedge.bat
Details File 2125 
cmd.exe
Details File 9 
c:\windows\system32\userinit.exe
Details File 1 
初始负载setup.exe
Details File 212 
winlogon.exe
Details File 1 
来自滩头阵地主机的注入cmd.exe
Details File 1 
的访问掩码打开winlogon.exe
Details File 2 
srv.txt
Details File 2 
amazon.cs
Details File 2 
m.cs
Details File 2 
%windir%\syswow64\gpupdate.exe
Details File 2 
%windir%\sysnative\gpupdate.exe
Details File 533 
ntdll.dll
Details File 748 
kernel32.dll
Details File 3 
restic.exe
Details File 2 
ppp.txt
Details File 3 
up.bat
Details File 61 
1.bat
Details File 1 
使用以下命令在域控制器上远程执行up.bat
Details File 12 
psexec64.exe
Details File 3 
pc.txt
Details File 2 
c:\example.exe
Details File 20 
c:\windows\syswow64\cmd.exe
Details File 409 
c:\windows\system32\cmd.exe
Details File 2 
c:\windows\temp\2-redacted-51.exe
Details File 18 
iisreset.exe
Details File 345 
vssadmin.exe
Details File 240 
wmic.exe
Details File 95 
wevtutil.exe
Details File 7 
example.exe
Details File 1 
威胁行为者执行了二进制example.exe
Details File 2 
worksliv.py
Details File 2 
updateeg.bat
Details File 2 
2-redacted-51.exe
Details File 2 
domain_name.exe
Details File 49 
nltest.exe
Details md5 23 
72a589da586844d7f0818ce684948eea
Details md5 15 
f176ba63b4d68e576b5ba345bec2c7b7
Details md5 2 
1329384dfdcfde2228da94e2a042f2b4
Details md5 2 
f27a9b7c29960aaf911f2885b40536c2
Details md5 3 
19e29534fd49dd27d09234e639c4057e
Details md5 3 
f4febc55ea12b31ae17cfb7e614afda8
Details md5 2 
d6828e30ab66774a91a96ae93be4ae4c
Details md5 2 
DBF5F56998705C37076B6CAE5D0BFB4D
Details md5 2 
EB64862F1C8464CA3D03CF0A4AC608F4
Details md5 2 
3A4FDBC642A24A240692F9CA70757E9F
Details md5 2 
7A4CB8261036F35FD273DA420BF0FD5E
Details md5 2 
1BE7FE8E20F8E9FDC6FD6100DCAD38F3
Details md5 2 
4232C065029EB52D1B4596A08568E800
Details md5 2 
637FB65A1755C4B6DC1E0428E69B634E
Details md5 2 
0B1882F719504799B3211BF73DFDC253
Details md5 2 
E20FC97E364E859A2FB58D66BC2A1D05
Details md5 2 
C737A137B66138371133404C38716741
Details md5 2 
7A1E7F652055C812644AD240C41D904A
Details md5 2 
E0D1CF0ABD09D7632F79A8259283288D
Details sha1 3 
e6ab3c595ac703afd94618d1ca1b8ebce623b21f
Details sha1 3 
6f43e6388b64998b7aa7411104b955a8949c4c63
Details sha1 3 
794203a4e18f904f0d244c7b3c2f5126b58f6a21
Details sha1 3 
9648559769179677c5b58d5619ca8872f5086312
Details sha1 3 
c4cde794cf4a68d63617458a60bc8b90d99823ca
Details sha1 3 
79818110abd52ba14800cdff39eca3252412b232
Details sha1 3 
fba4652b6dbe0948d4dadcebf51737a738ca9e67
Details sha1 3 
448892d5607124fdd520f62ff0bc972df801c046
Details sha1 3 
f5f56413f81e8f4a941f53e42a90ba1720823f15
Details sha1 3 
a3e4fb487400d99e3a9f3523aeaa9af5cf6e128b
Details sha1 3 
b39c244c3117f516ce5844b2a843eff1e839207c
Details sha1 3 
3a78ce27a7aa16a8230668c644c7df308de6cf33
Details sha256 3 
5dc8b08c7e1b11abf2b6b311cd7e411db16a7c3827879c6f93bd0dac7a71d321
Details sha256 3 
726f038c13e4c90976811b462e6d21e10e05f7c11e35331d314c546d91fa6d21
Details sha256 3 
5f7d438945306bf8a7f35cab0e2acc80cdc9295a57798d8165ef6d8b86fbb38d
Details sha256 3 
4ef1009923fc12c2a3127c929e0aa4515c9f4d068737389afb3464c28ccf5925
Details sha256 3 
4ee4e1e2cedf59a802c01fae9ccfcfde3e84764c72e7d95b97992addd6edf527
Details sha256 3 
3298629de0489c12e451152e787d294753515855dbf1ce80bfcded584a84ac62
Details sha256 3 
b3b1ff7e3d1d4f438e40208464cebfb641b434f5bf5cf18b7cec2d189f52c1b6
Details sha256 3 
39ec2834494f384028ad17296f70ed6608808084ef403714cfbc1bfbbed263d4
Details sha256 3 
9514035fea8000a664799e369ae6d3af6abfe8e5cda23cdafbede83051692e63
Details sha256 3 
25172a046821bd04e74c15dc180572288c67fdff474bdb5eb11b76dce1b3dad3
Details sha256 3 
5fac60f1e97b6eaae18ebd8b49b912c86233cf77637590f36aa319651582d3c4
Details sha256 3 
d15cab3901e9a10af772a0a1bdbf35b357ee121413d4cf542d96819dc4471158
Details IPv4 3 
91.92.250.65
Details IPv4 3 
91.92.250.60
Details IPv4 4 
118.0.0.0
Details IPv4 2 
91.92.240.175
Details IPv4 2 
91.92.240.194
Details IPv4 2 
91.92.241.117
Details IPv4 2 
91.92.242.182
Details IPv4 2 
91.92.242.39
Details IPv4 2 
91.92.242.55
Details IPv4 2 
91.92.245.174
Details IPv4 2 
91.92.245.175
Details IPv4 2 
91.92.247.123
Details IPv4 2 
91.92.247.127
Details IPv4 2 
91.92.249.110
Details IPv4 2 
91.92.250.148
Details IPv4 2 
91.92.250.158
Details IPv4 2 
91.92.250.66
Details IPv4 2 
91.92.251.240
Details IPv4 2 
94.156.67.175
Details IPv4 2 
94.156.67.180
Details IPv4 2 
94.156.67.185
Details IPv4 2 
94.156.67.188
Details IPv4 2 
141.98.6.195
Details IPv4 2 
193.42.33.14
Details IPv4 2 
194.180.48.165
Details IPv4 2 
194.180.48.42
Details IPv4 2 
194.49.94.21
Details IPv4 2 
194.49.94.22
Details IPv4 2 
185.73.124.238
Details IPv4 3 
194.49.94.18
Details IPv4 3 
194.169.175.134
Details IPv4 3 
195.123.226.84
Details IPv4 3 
91.92.245.26
Details MITRE ATT&CK Techniques 112 
T1098
Details MITRE ATT&CK Techniques 92 
T1070.001
Details MITRE ATT&CK Techniques 472 
T1486
Details MITRE ATT&CK Techniques 67 
T1039
Details MITRE ATT&CK Techniques 227 
T1574.002
Details MITRE ATT&CK Techniques 74 
T1069.002
Details MITRE ATT&CK Techniques 124 
T1482
Details MITRE ATT&CK Techniques 183 
T1189
Details MITRE ATT&CK Techniques 59 
T1055.001
Details MITRE ATT&CK Techniques 13 
T1027.013
Details MITRE ATT&CK Techniques 92 
T1048
Details MITRE ATT&CK Techniques 492 
T1105
Details MITRE ATT&CK Techniques 276 
T1490
Details MITRE ATT&CK Techniques 118 
T1570
Details MITRE ATT&CK Techniques 72 
T1087.001
Details MITRE ATT&CK Techniques 32 
T1069.001
Details MITRE ATT&CK Techniques 173 
T1003.001
Details MITRE ATT&CK Techniques 365 
T1204.002
Details MITRE ATT&CK Techniques 348 
T1036
Details MITRE ATT&CK Techniques 183 
T1036.005
Details MITRE ATT&CK Techniques 176 
T1135
Details MITRE ATT&CK Techniques 460 
T1059.001
Details MITRE ATT&CK Techniques 440 
T1055
Details MITRE ATT&CK Techniques 59 
T1059.006
Details MITRE ATT&CK Techniques 160 
T1021.001
Details MITRE ATT&CK Techniques 243 
T1018
Details MITRE ATT&CK Techniques 28 
T1562.009
Details MITRE ATT&CK Techniques 275 
T1053.005
Details MITRE ATT&CK Techniques 174 
T1569.002
Details MITRE ATT&CK Techniques 139 
T1021.002
Details MITRE ATT&CK Techniques 442 
T1071.001
Details MITRE ATT&CK Techniques 333 
T1059.003
Details MITRE ATT&CK Techniques 310 
T1047
Details MITRE ATT&CK Techniques 20 
T1547.004
Details Url 5 
https://www.amazon.com
Details Url 4 
https://www.cloudflare.com
Details Url 2 
http://195.123.226.84:8000
Details Windows Registry Key 7 
HKLM\software\microsoft\windows
Details Windows Registry Key 3 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Details Windows Registry Key 164 
HKLM\SOFTWARE\Microsoft\Windows
Details Windows Registry Key 2 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\15991160457623399845550968347370640942
Details Windows Registry Key 2 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\15991160457623399845550968347370640942
Details Windows Registry Key 17 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters