A Thrust from the Kimsuky Group: Multiple Attack Weapons in a Targeted Hunt Against South Korea (original title: 来自Kimsuky组织的突刺:多种攻击武器针对韩国的定向猎杀)
Common Information

Type                            Value
UUID                            e7723438-cbf2-4e03-af45-72f7342d2a6c
Fingerprint                     e0c7ba3dfd476c17
Analysis status                 DONE
Considered CTI value            2
Text language
Published                       Aug. 23, 2022, 9:24 a.m.
Added to db                     Sept. 22, 2024, 2:30 p.m.
Last updated                    Nov. 17, 2024, 10:40 p.m.
Headline                        A Thrust from the Kimsuky Group: Multiple Attack Weapons in a Targeted Hunt Against South Korea (original: 来自Kimsuky组织的突刺:多种攻击武器针对韩国的定向猎杀)
Title                           A Thrust from the Kimsuky Group: Multiple Attack Weapons in a Targeted Hunt Against South Korea (original: 来自Kimsuky组织的突刺:多种攻击武器针对韩国的定向猎杀)
Detected Hints/Tags/Attributes  23/1/62
Attributes

Several "File" and "Url" values below were extracted together with the surrounding sentence fragment from the original Chinese report; those fragments are translated here and the embedded file name or URL is left unchanged.

Type     #Events  Value
Domain   10       mx.open
Domain   3        uppgrede.scienceontheweb.net
Domain   3        qwert.mine.bz
Domain   2        office.pushitlive.net
Domain   4        yulsohnyonsei.atwewbpages.com
Domain   4        yulsohnyonsei.atwebpages.com
Domain   3        driver.googledocs.cloudns.nz
Domain   58       ti.qianxin.com
Domain   469      www.cisa.gov
Domain   403      securelist.com
Domain   189      asec.ahnlab.com
File     2        then decrypts the next-stage thumbs.db
File     2        the executed thumbs.db
File     143      thumbs.db
File     2        and names it lsass.exe
File     2        executes the copied program lsass.exe
File     1        대응방향.doc
File     2        saves the VBS script as version.ini under the templates directory
File     2        writes to version.ini
File     46       microsoft.xml
File     64       list.php
File     2        the requested URL and version.ini
File     24       lib.php
File     2        from lib.php
File     2        and posts the data back to show.php at the URL given by the ur parameter
File     3        0_beta.xlsm
File     2        because the loader DLL is [loaded] via regsvr32.exe
File     2126     cmd.exe
File     459      regsvr32.exe
File     1        c:\programdata\iconcache.db
File     2        if iconcache.db
File     1        c:\programdata\iconcache.db
File     1205     index.php
File     29       show.php
File     29       d.php
md5      2        f6628bd40f4cd6cc8405541c269ac901
md5      2        4de19e2c39b1d193e171dc8d804005a4
md5      3        12539ac37a81cc2e19338a67d237f833
md5      2        a4d58f1bcce687d4ea60a3fe60120d5e
md5      2        77b7856144515bb3905df8b3fb210a2e
md5      2        19ef39e9936b7b46e88d55115dfa9679
md5      3        6083a1af637d9dd2b2a16538a17e1f45
md5      3        ca2917006eb29171c9e5f374e789f53a
IPv4     4        216.189.154.6
Url      2        http://uppgrede.scienceontheweb.net/file/upload/list.php?query=1
Url      2        http://uppgrede.scienceontheweb.net/file/upload/list.php?query=6
Url      2        http://uppgrede.scienceontheweb.net/file/upload/lib.php?idx=1 (fragment: fetches the next stage and executes it)
Url      3        http://qwert.mine.bz/index.php
Url      44       https://sandbox.ti.qianxin.com/sandbox/page
Url      2        http://uppgrede.scienceontheweb.net/file/upload/list.php?query=
Url      2        http://uppgrede.scienceontheweb.net/file/upload/lib.php?idx=1
Url      2        http://uppgrede.scienceontheweb.net/file/upload/show.php
Url      2        http://office.pushitlive.net/index.php
Url      4        http://yulsohnyonsei.atwewbpages.com/d.php
Url      4        http://yulsohnyonsei.atwebpages.com/1.hwp
Url      3        https://driver.googledocs.cloudns.nz/yb/yb
Url      2        https://ti.qianxin.com/apt/detail/5b45758d596a10001ffa2d3a?name=kimsuky&type=map
Url      2        https://ti.qianxin.com/blog/articles/kimsuky-weapon-update
Url      2        https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-133c
Url      6        https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258
Url      3        https://asec.ahnlab.com/en/34694
Url      3        https://asec.ahnlab.com/ko/34883