Advisory: Adversary Intelligence
Actors: CobaltStrike Group/Carbanak
Targeted System: Windows Infrastructure
| Indicator | Value |
|---|---|
| Anadia Waleed resume.doc (SHA256) | 259632b416b4b869fc6dc2d93d2b822dedf6526c0fa57723ad5c326a92d30621 |
| Remote template: indexa.dotm (SHA256) | 7f1325c5a9266e649743ba714d02c819a8bfc7fd58d58e28a2b123ea260c0ce2 |
| Remote template URL | https://yenile[.]asia/YOOMANHOWYOUDARE/ |
| C2 | time.updateeset[.]com |
| Ecmd.exe (SHA256) | aeb4c3ff5b5a62f5b7fcb1f958885f76795ee792c12244cee7e36d9050cfb298 |
| Ecmd.exe (SHA256) | dcaaffea947152eab6572ae61d7a3783e6137901662e6b5b5cad82bffb5d8995 |
| Ecmd.exe (SHA256) | 5f49a47abc8e8d19bd5ed3625f28561ef584b1a226df09d45455fbf38c73a79c |
| cf.ini (SHA256) | 0eba651e5d54bd5bb502327daef6979de7e3eb63ba518756f659f373aa5f4f8b |
| cf.ini shellcode after decryption (SHA256) | 5143c5d8715cfc1e70e9db00184592c6cfbb4b9312ee02739d098cf6bc83eff9 |
| CobaltStrike downloaded shellcode (SHA256) | 8cfd023f1aa40774a9b6ef3dbdfb75dea10eb7f601c308f8837920417f1ed702 |
| CobaltStrike payload (SHA256) | 7963ead16b6277e5b4fbd5d0b683593877d50a6ea7e64d2fc5def605eba1162a |
| File hash (SHA256) | d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81 |
| File hash (SHA256) | ed93ce9f84dbea3c070b8e03b82b95eb0944c44c6444d967820a890e8218b866 |
| Domain:Port | Mazzion1234-44451[.]portmap[.]host:44451 |
| URL | hxxp://Mazzion1234-44451.portmap.host/fVRO |
| Hash (MD5) | 38217fa569df8f93434959c1c798b29d |
| Hash (MD5) | 8d156725c6ce172b59a8d3c92434c352 |
| Hash (MD5) | 8d1650e5e02cd1934d21ce57f6f1af34 |
| Hash (MD5) | d8415a528df5eefcb3ed6f1a79746f40 |
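How the remote template behind the lure above can be spotted statically, as an added example that is not CloudSEK's code and not a tool from the advisory: Word resolves an attachedTemplate relationship whose TargetMode is External (declared in word/_rels/settings.xml.rels) when the document opens, which is how a lure reaches a .dotm on a remote server. The check assumes an OOXML (zip-based) document; the advisory names the lure with a .doc extension and does not say which container it actually uses, so the packages below are constructed fixtures, and the only URL in them is the advisory's remote-template URL, kept defanged.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the Target of every attachedTemplate relationship whose
    TargetMode is External. Word fetches such a target at open time, so a
    URL here is the remote-template-injection indicator. Template
    references without TargetMode="External" are local and are ignored."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if SETTINGS_RELS not in pkg.namelist():
            return hits
        root = ET.fromstring(pkg.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                hits.append(rel.get("Target"))
    return hits


def build_docx(template: Optional[str], external: bool = True) -> bytes:
    """Constructed minimal OOXML package for testing; it is not the lure
    from the advisory. `template` becomes the attachedTemplate target."""
    rels = ""
    settings = ""
    if template is not None:
        mode = ' TargetMode="External"' if external else ""
        rels = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template}"{mode}/>')
        settings = '<w:attachedTemplate r:id="rId1"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     f'<?xml version="1.0"?><w:document xmlns:w="{WML_NS}"><w:body/></w:document>')
        pkg.writestr("word/settings.xml",
                     f'<?xml version="1.0"?><w:settings xmlns:w="{WML_NS}" '
                     f'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                     f'{settings}</w:settings>')
        pkg.writestr(SETTINGS_RELS,
                     f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">{rels}</Relationships>')
    return buf.getvalue()


# The advisory's remote-template URL, kept defanged here; a real lure carries it plain.
REMOTE_TEMPLATE_URL = "https://yenile[.]asia/YOOMANHOWYOUDARE/"

if __name__ == "__main__":
    cases = [
        ("lure with external template", build_docx(REMOTE_TEMPLATE_URL)),
        ("local template only", build_docx("Normal.dotm", external=False)),
        ("no template", build_docx(None)),
    ]
    for label, pkg in cases:
        print(f"{label}: {find_remote_templates(pkg)}")
```

The same relationship file is where a hunting rule should look: a Target starting with http or https on an attachedTemplate relationship is rare in legitimate documents, while local Normal.dotm references are everywhere, so the TargetMode check is what keeps the false-positive rate down.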
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1078.002 | Domain Accounts |
| Initial Access | T1078.003 | Local Accounts |
| Execution | T1059.001 | PowerShell |
| Execution | T1059.006 | Python |
| Execution | T1059.005 | Visual Basic |
| Execution | T1059.003 | Windows Command Shell |
| Execution | T1106 | Native API |
| Execution | T1569.002 | Service Execution |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1197 | BITS Jobs |
| Persistence | T1543.003 | Windows Service |
| Persistence | T1078.002 | Domain Accounts |
| Persistence | T1078.003 | Local Accounts |
| Privilege Escalation | T1548.002 | Bypass User Account Control |
| Privilege Escalation | T1134.003 | Make and Impersonate Token |
| Privilege Escalation | T1134.004 | Parent PID Spoofing |
| Privilege Escalation | T1134.001 | Token Impersonation/Theft |
| Privilege Escalation | T1543.003 | Windows Service |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1055.012 | Process Hollowing |
| Privilege Escalation | T1078.002 | Domain Accounts |
| Privilege Escalation | T1078.003 | Local Accounts |
| Defense Evasion | T1548.002 | Bypass User Account Control |
| Defense Evasion | T1134.003 | Make and Impersonate Token |
| Defense Evasion | T1134.004 | Parent PID Spoofing |
| Defense Evasion | T1134.001 | Token Impersonation/Theft |
| Defense Evasion | T1197 | BITS Jobs |
| Defense Evasion | T1070.006 | Timestomp |
| Defense Evasion | T1027.005 | Indicator Removal from Tools |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1055.012 | Process Hollowing |
| Defense Evasion | T1550.002 | Pass the Hash |
| Defense Evasion | T1078.002 | Domain Accounts |
| Defense Evasion | T1078.003 | Local Accounts |
| Credential Access | T1056.001 | Keylogging |
| Credential Access | T1003.002 | Security Account Manager |
| Discovery | T1087.002 | Domain Account |
| Discovery | T1046 | Network Service Scanning |
| Discovery | T1135 | Network Share Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1018 | Remote System Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Lateral Movement | T1021.003 | Distributed Component Object Model |
| Lateral Movement | T1021.001 | Remote Desktop Protocol |
| Lateral Movement | T1021.002 | SMB/Windows Admin Shares |
| Lateral Movement | T1021.004 | SSH |
| Lateral Movement | T1021.006 | Windows Remote Management |
| Lateral Movement | T1550.002 | Pass the Hash |
| Collection | T1005 | Data from Local System |
| Collection | T1056.001 | Keylogging |
| Collection | T1185 | Man in the Browser |
| Collection | T1113 | Screen Capture |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1071.004 | DNS |
| Command and Control | T1071.001 | Web Protocols |
| Command and Control | T1572 | Protocol Tunneling |
| Command and Control | T1090.001 | Internal Proxy |
| Exfiltration | T1029 | Scheduled Transfer |
Hostnames:
qq.cattom.buzz
ssl.getpostmessage.com
windows.t0ky0.com
www.jquery-corp.ga
www.outlook.best
ims.trust-update.com
www.kwwwing.com
update.netaphorb.com
mce.chrovnm.com
app.hikvision.buzz
en.flsah.cc
download.softupdate-online.top
aaa.stage.5614538.google.gydha.club
hello.fitcomn.com
www.lazha.xyz
gf.topservice-masters.com
yt.service-hel.com
aaa.stage.12915008.360bug.net
aaa.stage.11965376.360bug.net
awasdqqqwxza.ddnsfree.com
test.praetorian-threat-hunt.com
aaa.stage.10214756.bacs.cc
www2.completelyinnocuousdomain.com
update.checkavail.space
code.jquerys.xyz

Domains:
yten.xyz
repshd.com
corpcostco.com
amapai-technologies.site
zbfgns.xyz
iqio.net
freesectest.ml
junesdiophantine.com
charismatic-guy.me
usahack.xyz
forteupdate.com
amajai-technologies.network
amajai-technologies.industries
amajai-technologies.host
microsofts.network

URLs:
hxxp://mc.moocraft.org/qscftyjmntyuioyrewdghjfdwsupvmatef/shellcode.txt
hxxp://oa.life-tsinghua.com/cx
hxxp://aws-downloads.certauthv2.id/__utm.gif
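One way to put the indicator lists on this page to use, as an added example that is not CloudSEK's code: refang the defanged values (hxxp, [.]), then sweep log lines for hashes, URLs and hostnames, treating a query for any subdomain of a listed domain as a hit. The indicators inside the block are a subset copied from this page; the log lines are constructed for the demonstration and are not from the advisory.

```python
import re

# Indicators copied from this advisory in their defanged form; the
# selection is partial and only for illustration.
DEFANGED_IOCS = {
    "domain": [
        "time.updateeset[.]com",
        "Mazzion1234-44451[.]portmap[.]host",
        "qq.cattom.buzz",
        "update.netaphorb.com",
        "corpcostco.com",
    ],
    "url": [
        "hxxp://Mazzion1234-44451.portmap.host/fVRO",
        "hxxp://mc.moocraft.org/qscftyjmntyuioyrewdghjfdwsupvmatef/shellcode.txt",
    ],
    "hash": [
        "aeb4c3ff5b5a62f5b7fcb1f958885f76795ee792c12244cee7e36d9050cfb298",
        "7f1325c5a9266e649743ba714d02c819a8bfc7fd58d58e28a2b123ea260c0ce2",
        "38217fa569df8f93434959c1c798b29d",
    ],
}

HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b")   # MD5 or SHA256
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(ioc: str) -> str:
    """Undo report defanging (hxxp -> http, [.] -> .) and lower-case the
    result. Lower-casing URL paths is a deliberate trade: it costs nothing
    on hostnames and hashes and avoids missing a path a log recorded in a
    different case; both sides of every comparison are lower-cased."""
    ioc = ioc.strip().replace("[.]", ".").replace("[:]", ":")
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.lower()


def build_ioc_sets(defanged: dict) -> dict:
    """Normalise every indicator once so matching is a set lookup."""
    return {kind: {refang(v) for v in values} for kind, values in defanged.items()}


def scan_line(line: str, iocs: dict) -> set:
    """Return {(kind, value)} for every indicator present in one log line.
    A domain matches the exact hostname or any subdomain of it, so a query
    for a host beneath a listed C2 domain is still caught."""
    low = line.lower()
    hits = set()
    for h in HASH_RE.findall(low):
        if h in iocs["hash"]:
            hits.add(("hash", h))
    for u in URL_RE.findall(low):
        if u in iocs["url"]:
            hits.add(("url", u))
    for host in HOST_RE.findall(low):
        for d in iocs["domain"]:
            if host == d or host.endswith("." + d):
                hits.add(("domain", d))
    return hits


def scan_logs(lines, iocs: dict) -> list:
    """(line_number, kind, value) tuples, 1-based, sorted for stable output."""
    out = []
    for n, line in enumerate(lines, 1):
        out.extend((n, kind, value) for kind, value in scan_line(line, iocs))
    return sorted(out)


# Constructed sample log lines (not from the advisory): a DNS query, a
# proxy request, a Sysmon-style process-create line and a benign query.
SAMPLE_LOGS = [
    "dns client=10.0.0.15 query=time.updateeset.com type=A",
    "proxy client=10.0.0.15 method=GET url=http://Mazzion1234-44451.portmap.host/fVRO status=200",
    "sysmon EventID=1 Image=C:\\Temp\\Ecmd.exe Hashes=SHA256=aeb4c3ff5b5a62f5b7fcb1f958885f76795ee792c12244cee7e36d9050cfb298",
    "dns client=10.0.0.22 query=www.example.com type=A",
]

if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS, build_ioc_sets(DEFANGED_IOCS)):
        print(f"line {n}: {kind} {value}")
```

The proxy line produces two hits (the URL and its hostname), which is intended: a URL indicator goes stale as soon as the operator rotates the path, while the hostname keeps matching. For the portmap.host and ddnsfree.com entries above, which are shared dynamic-DNS or port-forwarding services, match on the full hostname as listed rather than the parent domain, or every customer of the service lights up.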