So Unchill: Melting UNC2198 ICEDID to Ransomware Operations | Mandiant
Tags
cmtmf-attack-pattern: Acquire Infrastructure Application Layer Protocol Command And Scripting Interpreter Develop Capabilities Obfuscated Files Or Information Obtain Capabilities Process Injection Scheduled Task/Job
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure Data Model Acquire Infrastructure - T1583 Application Layer Protocol - T1437 Archive Collected Data - T1560 Archive Collected Data - T1532 Archive Via Utility - T1560.001 Asymmetric Cryptography - T1521.002 Asymmetric Cryptography - T1573.002 Code Signing - T1553.002 Code Signing Certificates - T1587.002 Code Signing Certificates - T1588.003 Command And Scripting Interpreter - T1623 Credentials - T1589.001 Develop Capabilities - T1587 Digital Certificates - T1596.003 Digital Certificates - T1587.003 Digital Certificates - T1588.004 Disable Or Modify System Firewall - T1562.004 Disable Or Modify Tools - T1562.001 Disable Or Modify Tools - T1629.003 Dns - T1071.004 Dns - T1590.002 Domain Trust Discovery - T1482 Domains - T1583.001 Domains - T1584.001 Encrypted Channel - T1521 Encrypted Channel - T1573 Exploits - T1587.004 Exploits - T1588.005 File And Directory Discovery - T1420 Impair Defenses - T1562 Impair Defenses - T1629 Indicator Removal On Host - T1630 Ingress Tool Transfer - T1544 Local Account - T1087.001 Local Account - T1136.001 System Network Configuration Discovery - T1422 Malicious File - T1204.002 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 System Information Discovery - T1426 Mshta - T1218.005 Multi-Hop Proxy - T1090.003 Obtain Capabilities - T1588 Phishing - T1660 Phishing - T1566 Powershell - T1059.001 Process Injection - T1631 Remote Desktop Protocol - T1021.001 Scheduled Task - T1053.005 Scheduled Task/Job - T1603 Service Execution - T1569.002 Smb/Windows Admin Shares - T1021.002 Software - T1592.002 Spearphishing Attachment - T1566.001 Spearphishing Attachment - T1598.002 Ssh - T1021.004 Steganography - T1001.002 Steganography - T1406.001 Steganography - T1027.003 Subvert Trust Controls - T1632 Subvert Trust Controls - T1553 System Services - T1569 Windows Remote Management - T1021.006 Windows Command Shell - T1059.003 Visual Basic - T1059.005 Timestomp - T1070.006 Web Protocols - T1071.001 Web Protocols - T1437.001 Virtualization/Sandbox Evasion - T1497 Virtual Private Server - T1583.003 Virtual Private Server - T1584.003 Tool - T1588.002 Virtualization/Sandbox Evasion - T1633 Account Discovery - T1087 Standard Application Layer Protocol - T1071 Bits Jobs - T1197 Code Signing - T1116 Command-Line Interface - T1059 Connection Proxy - T1090 Credential Dumping - T1003 External Remote Services - T1133 File And Directory Discovery - T1083 Indicator Removal On Host - T1070 Indirect Command Execution - T1202 Remote File Copy - T1105 Modify Registry - T1112 Mshta - T1170 Multi-Hop Proxy - T1188 Multiband Communication - T1026 Obfuscated Files Or Information - T1027 Permission Groups Discovery - T1069 Powershell - T1086 Process Injection - T1055 Remote Desktop Protocol - T1076 Remote Services - T1021 Scheduled Task - T1053 Service Execution - T1035 Signed Binary Proxy Execution - T1218 Spearphishing Attachment - T1193 System Information Discovery - T1082 System Network Configuration Discovery - T1016 System Owner/User Discovery - T1033 Windows Remote Management - T1028 Windows Management Instrumentation - T1047 Valid Accounts - T1078 Timestomp - T1099 User Execution - T1204 External Remote Services Indicator Removal On Host Spearphishing Attachment Valid Accounts User Execution
Common Information
UUID: f77afe1a-f6eb-431c-be2e-b18f5d308b36
Fingerprint: 39ededa07319e71
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Feb. 25, 2021, midnight
Added to db: Oct. 22, 2023, 11:23 p.m.
Last updated: Nov. 17, 2024, 10:40 p.m.
Headline: So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Title: So Unchill: Melting UNC2198 ICEDID to Ransomware Operations | Mandiant
Detected Hints/Tags/Attributes: 240/3/190
RSS Feed
Id: 330; Feed title: Threat Intelligence; Url: https://www.mandiant.com/resources/blog/rss.xml; Added to db: 2024-08-30 22:08
Attributes (type, number of events, value)
CVE (16 events): cve-2020-0787
Mandiant Uncategorized Groups (7 events): UNC2198
Mandiant Uncategorized Groups (6 events): UNC2420
Mandiant Uncategorized Groups (1 event): UNC2374
Mandiant Uncategorized Groups (1 event): UNC2414
Url (2 events): http://5.149.253.199:80/auth
Url (2 events): http://185.106.122.167:80/a
Url (2 events): http://195.123.233.157:80/casino
Windows Registry Key (2 events): HKCU\SOFTWARE\WIlumYjNSyHob
Windows Registry Key (2 events): HKCU\SOFTWARE\YkUJvbgwtylk
Windows Registry Key (2 events): HKCU\SOFTWARE\WaMgGneKhtgTTy