Update Malware analysis 09-09-19.md

Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md

@@ -56,9 +56,12 @@
 
 |Enterprise tactics|Technics used|Ref URL|
 | :---------------: |:-------------| :------------- |
-||||
+|Execution|Scheduled Task<br>Command-Line Interface<br>Scripting<br>Execution through API<br>Mshta|https://attack.mitre.org/techniques/T1053/<br>https://attack.mitre.org/techniques/T1059/<br>https://attack.mitre.org/techniques/T1064/<br>https://attack.mitre.org/techniques/T1106/<br>https://attack.mitre.org/techniques/T1170/|
-||||
+|Persistence|Scheduled Task<br>Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1053/<br>https://attack.mitre.org/techniques/T1060/|
-||||
+|Privilege Escalation|Scheduled Task|https://attack.mitre.org/techniques/T1053/|
+|Defense Evasion|Scripting<br>Mshta|https://attack.mitre.org/techniques/T1064/<br>https://attack.mitre.org/techniques/T1170/|
+|Discovery|Query Registry<br>System Information Discovery|https://attack.mitre.org/techniques/T1012/<br>https://attack.mitre.org/techniques/T1082/|
+
 
 ## Indicators Of Compromise (IOC) <a name="IOC"></a>
 
@@ -66,17 +69,35 @@
 
 | Indicator     | Description|
 | ------------- |:-------------:|
-|||
+|PO # 8872521.xlt|51a0e2aac8a0d7460e2a326a9c372f3d1ba3871e6f365f122f3d72cd271a5a3b|
-||Domain requested|
+|Scan001.xls|0ec07af14a5338805ed45bcc0a90b20811fd0c9b57ab0f5e1cfd97cd1696c1c2|
-||IP requested|
+|bin2.exe|c04d776b341acb3d02270a4f883c8b08a66b183779dea79c1b7e11f3906ce616|
-||HTTP/HTTPS requests||
+|67.199.248.14|IP requested|
-||IP C2|
+|172.217.22.97|IP requested|
-||Domain C2|
+|67.199.248.10|IP requested|
+|67.199.248.11|IP requested|
+|216.170.126.139|IP C2|
+|bitly.com|Domain requested|
+|sxasxasxssaxxsasxasx.blogspot.com|Domain requested|
+|pastebin.com|Domain requested|
+|http[:]//216.170.126.139/Panel/10/index.php|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/BrH6UFRc|HTTP/HTTPS requests|
+|http[:]//bitly.com/6xdfsSXsh6|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/UZEbWMK9|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/nhcP3XgH|HTTP/HTTPS requests|
+|http[:]//bit.ly/loahsh78bhidasyiuasaaki|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/5y7H3LSz|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/TqsXJZaM|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/3MuLJLWZ|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/dkrjWec2|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/j8mRken0|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/bgTGtxHc|HTTP/HTTPS requests|
+
 ###### This can be exported as JSON format [Export in JSON]()	
 
 ## Links <a name="Links"></a>
 ###### Original tweet: [https://twitter.com/Rmy_Reserve/status/1171381881461338112](https://twitter.com/Rmy_Reserve/status/1171381881461338112) <a name="Original-Tweet"></a>
-* [Ref previous analysis:](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/23-08-19/Malware%20analysis%2025-08-19.md)
+###### Ref previous analysis: [Gorgon analysis (25-08-19)](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/23-08-19/Malware%20analysis%2025-08-19.md)
 ###### Links Anyrun: <a name="Links-Anyrun"></a>
 * [0ec07af14a5338805ed45bcc0a90b20811fd0c9b57ab0f5e1cfd97cd1696c1c2.xls](https://app.any.run/tasks/bb1279af-7fff-4b37-8439-7b303f113082)
 * [PO # 8872521.xlt](https://app.any.run/tasks/ff27dd57-9484-4c1c-9a13-6eedf3ede657)