No “Game over” for the Winnti Group | WeLiveSecurity
Common Information

| Type | Value |
|---|---|
| UUID | d7b22a94-c22d-4d9d-8c3a-1115ca709991 |
| Fingerprint | ff84ad526db523d5 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | May 21, 2020, 11:30 a.m. |
| Added to db | Sept. 11, 2022, 12:34 p.m. |
| Last updated | Nov. 17, 2024, 6:56 p.m. |
| Headline | No “Game over” for the Winnti Group |
| Title | No “Game over” for the Winnti Group \| WeLiveSecurity |
| Detected Hints/Tags/Attributes | 119/4/108 |
Attributes

| Type | Value | #Events |
|---|---|---|
| Domain | ssl2.dyn-tracker.com | 1 |
| Domain | client.gnisoft.com | 1 |
| Domain | www2.dyn.tracker.com | 1 |
| Domain | nmn.nhndesk.com | 1 |
| Domain | ssl.lcrest.com | 1 |
| Domain | eset.com | 114 |
| Domain | n8.ahnlabinc.com | 1 |
| Domain | owa.ahnlabinc.com | 1 |
| Domain | ssl2.ahnlabinc.com | 2 |
| Email | threatintel@eset.com | 69 |
| File | setup0.exe | 3 |
| File | crlnc.dat | 1 |
| File | duser.dll | 33 |
| File | osksupport.dll | 2 |
| File | printdialog.dll | 1 |
| File | printdialog.exe | 4 |
| File | setup.dll | 9 |
| File | setup.exe | 208 |
| File | c:\windows\system32\spool\prtprocs\x64\dement.dll | 1 |
| File | c:\windows\system32\spool\prtprocs\x64\entappsvc.dll | 1 |
| File | c:\windows\system32\spool\prtprocs\x64\interactive.dll | 1 |
| File | interactive.dll | 1 |
| File | dement.dll | 1 |
| File | entappsvc.dll | 1 |
| File | spoolsv.exe | 131 |
| File | win32cmddll.dll | 1 |
| File | banner.bmp | 1 |
| File | certificate.cer | 2 |
| File | b0sdfuwekncj.log | 1 |
| File | win32cmdll.dll | 1 |
| File | lsass.exe | 478 |
| File | wininit.exe | 89 |
| File | lsm.exe | 31 |
| File | ekrn.exe | 53 |
| File | avp.exe | 119 |
| File | dllhost.exe | 172 |
| File | taskhost.exe | 62 |
| File | taskhostw.exe | 26 |
| File | explorer.exe | 1260 |
| File | egui.exe | 36 |
| File | avpui.exe | 27 |
| File | corelnc.dll | 1 |
| File | core.dll | 19 |
| File | net.dll | 4 |
| File | 100.exe | 1 |
| File | 103.exe | 1 |
| File | slack.exe | 5 |
| File | ntfssse.log | 1 |
| File | acehash64.exe | 1 |
| File | mz64x.exe | 1 |
| Type | Value | #Events |
|---|---|---|
| IPv4 | 0.0.0.0 | 619 |
| IPv4 | 1.1.1.5 | 2 |
| IPv4 | 154.223.215.116 | 1 |
| IPv4 | 203.86.239.113 | 1 |
| MITRE ATT&CK Techniques | T1013 | 1 |
| MITRE ATT&CK Techniques | T1134 | 116 |
| MITRE ATT&CK Techniques | T1088 | 29 |
| MITRE ATT&CK Techniques | T1502 | 1 |
| MITRE ATT&CK Techniques | T1116 | 14 |
| MITRE ATT&CK Techniques | T1027 | 627 |
| MITRE ATT&CK Techniques | T1112 | 550 |
| MITRE ATT&CK Techniques | T1055 | 440 |
| MITRE ATT&CK Techniques | T1057 | 433 |
| MITRE ATT&CK Techniques | T1063 | 24 |
| MITRE ATT&CK Techniques | T1113 | 219 |
| MITRE ATT&CK Techniques | T1043 | 60 |
| MITRE ATT&CK Techniques | T1095 | 159 |
| MITRE ATT&CK Techniques | T1032 | 23 |
| MITRE ATT&CK Techniques | T1008 | 41 |
| Pdb | s:\monitor\monitor_raw\launcher\x64\release\win32cmddll.pdb | 1 |
| Pdb | s:\monitor\monitor_raw\libs\x64\release\win32cmddll.pdb | 1 |
| Pdb | s:\monitor\monitor_raw\client\x64\release\guardclient.pdb | 1 |
| Pdb | s:\monitor\monitor_raw\client\x64\release\managermain.pdb | 1 |
| Pdb | s:\monitor\monitor_raw\client\x64\release\communication.pdb | 1 |
| Pdb | f:\pcc\trunk\communicationclient\x64\release\communication.pdb | 1 |
| Windows Registry Key | HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows | 2 |
| Windows Registry Key | HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows | 3 |
| Windows Registry Key | HKLM\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | 1 |
| Windows Registry Key | HKLM\SOFTWARE\Microsoft\Print\Components\A66F35-4164-45FF-9CB4-69ACAA10E52D | 1 |