{
	"id": "7a0103b1-b194-4513-870e-c752521e70d0",
	"created_at": "2026-04-06T00:10:39.215512Z",
	"updated_at": "2026-04-10T13:11:47.640792Z",
	"deleted_at": null,
	"sha1_hash": "480660da5c8100c5dfd39c14a1043a57a75992fe",
	"title": "Stolen Images Campaign Ends in Conti Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3767090,
	"plain_text": "Stolen Images Campaign Ends in Conti Ransomware\r\nBy editor\r\nPublished: 2022-04-04 · Archived: 2026-04-05 23:35:44 UTC\r\nIn this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan\r\nthat first appeared in 2017, usually, it is delivered via malspam campaigns and has been widely used as an initial access\r\nvector in multiple ransomware intrusions. Upon execution of the IcedID DLL, discovery activity was performed which was\r\nfollowed by the dropping of a Cobalt Strike beacon on the infected host.\r\nAlong the way, the threat actors installed remote management tools such as Atera and Splashtop for persisting in the\r\nenvironment. While remaining dormant most of the time, the adversary deployed Conti ransomware on the 19th day (shortly\r\nafter Christmas), resulting in domain wide encryption.\r\nThe DFIR Report Services\r\nPrivate Threat Briefs: Over 20 private DFIR reports annually.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, opendir reports, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test examples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactive labs\r\nare available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nContact us today for pricing or a demo!\r\nCase Summary\r\nWe assess with high confidence that the “Stolen Image Evidence” email campaign was used to deliver the IcedID DLL. This\r\nwas first reported by Microsoft in April 2021. Upon execution of the IcedID DLL, a connection to a C2 server was\r\nestablished. 
This was followed by the creation of a scheduled task on the beachhead host to establish persistence. The task\r\nexecuted the IcedID payload every hour. The IcedID malware then used Windows utilities such as net, chcp, nltest,\r\nand wmic to perform discovery activity on the host. After a gap of almost an hour, a Cobalt Strike beacon was dropped and\r\nexecuted on the beachhead host. Soon after, another round of discovery was performed from the Cobalt Strike beacon\r\nfocusing on the Windows domain. Nltest and net group were utilized to look for sensitive groups such as Domain Admins\r\nand Enterprise Admins. Process injection into explorer.exe was then observed from the Cobalt Strike Beacon.\r\nThe threat actors proceeded to install remote management tools such as Atera Agent and Splashtop. Use of these 3rd party\r\nadministrative tools allows the threat actors another “legitimate” means of persistence and access if they were to lose their\r\nmalware connection. In this intrusion, we observed usage of gmail[.]com and outlook[.]com email accounts for Atera agent\r\nregistration. Soon after, one of the injected Cobalt Strike processes accessed LSASS memory to dump credentials from the\r\nbeachhead. On the sixth day of the intrusion, the beachhead host saw new discovery activity with a quick nltest followed by\r\nthe PowerView script Invoke-ShareFinder.\r\nOn the following day, the seventh day of the intrusion, the threat actors made their next move. On that day, a new Cobalt\r\nStrike server was observed; in fact, over the course of the intrusion, four different Cobalt Strike servers were used. From the\r\nbeachhead host, a DLL was transferred to a domain controller over SMB and then a remote service was created on the\r\ndomain controller to execute the Cobalt Strike DLL. After getting a foothold on the domain controller, we saw more process\r\ninjection followed by the same pattern of installing Atera for additional persistent access. 
From the domain controller, the\r\nthreat actors proceeded with more discovery tasks including AdFind and Invoke-ShareFinder again.\r\nAfter this, the threat actors went quiet. On day nine of the intrusion, the next Cobalt Strike server, which would ultimately be\r\nused until the end of the intrusion, was observed for the first time. On the tenth day, little activity was observed, but the threat\r\nactors connected to the beachhead host via the Atera agent and executed another Cobalt Strike DLL. A brief discovery\r\ncheck-in was observed on the 14th day, but little else.\r\nOn the 19th day, the threat actors moved towards their final objectives. They reviewed the directory structure of several\r\nhosts including domain controllers and backup servers. They then dropped their final ransomware payload on the beachhead\r\nhost and attempted to execute it using a batch file named backup.bat. However, they found that their execution failed. They\r\nleft for a few hours, then returned and attempted to exploit two Active Directory CVEs (CVE-2021-42278 and CVE-2021-42287) in an attempt to escalate privileges. The\r\nthreat actors had already secured domain admin access, but it’s possible the operator may have thought they lacked\r\npermissions when their first ransomware execution failed. While these exploits appear to have failed, the threat actors found\r\ntheir previously captured domain admin credentials and launched two new Cobalt Strike beacons on the domain controllers.\r\nhttps://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\r\nPage 1 of 22\n\nFinally, twenty minutes after accessing the domain controllers, the threat actors dropped the ransomware DLL and the batch\r\nscript and executed it from the domain controller. 
This time the execution worked as intended and resulted in domain wide\r\nransomware.\r\nTimeline\r\nReport lead: @0xtornado\r\nContributing analysts: @yatinwad, @MetallicHack, and @_pete_0\r\nInitial Access\r\nThe IcedID DLL, which gave the threat actors a foothold into the environment, was likely delivered by a “Stolen Image\r\nEvidence” email campaign.\r\nhttps://twitter.com/infosecfu/status/1468955220059168785?s=20\u0026t=_fCNcLM-nx1e8EHbyA6z3A\r\nThese initial access campaigns reportedly utilize contact forms to send malicious emails to intended\r\ntargets. The emails contain a link to a legitimate storage service like those offered by Google and Microsoft. In this example,\r\n“http://storage.googleapis.com” was used to host a zip file. The zip archive contains an ISO file, which once clicked and\r\nmounted, shows a document-like LNK file. Once the victim opens that LNK file, the IcedID DLL loader executes,\r\ndownloads, and runs the second stage of IcedID. Below is a configuration extraction of that initial IcedID malware from an\r\nautomated sandbox analysis of the sample:\r\n{\r\n \"Campaign ID\": 870605016,\r\n \"C2 url\": \"guguchrome.com\"\r\n}\r\nExecution\r\nThe graph below shows detailed actions performed through IcedID, including reconnaissance and Cobalt Strike beacon\r\ndrops:\r\nPersistence\r\nScheduled Tasks\r\nOnly one scheduled task was created during this intrusion (T1053.005). 
The scheduled task was created on the\r\nbeachhead host upon the execution of the IcedID DLL, and executed the IcedID DLL every hour:\r\n\u003cExec\u003e\r\n  \u003cCommand\u003erundll32.exe\u003c/Command\u003e\r\n  \u003cArguments\u003e\"C:\\Users\\REDACTED\\AppData\\Local\\{C904416E-A880-3136-ED72-AA63AF7DB1F2}\\Gaagsp2.dll\",DllMain\u003c/Arguments\u003e\r\n\u003c/Exec\u003e\r\nAtera Agent\r\nThreat actors dropped and installed the Atera agent (T1219), using two MSI packages “sql.msi” and “mstsc.msi”,\r\nfrom the Cobalt Strike beacons, which allowed them to have a non-malware backdoor in the environment.\r\nThe installation of those two packages reveals two emails potentially belonging to the ransomware operators or affiliates:\r\n/IntegratorLogin=\"\"marsmors1947@gmail.com\"\" /AccountId=\"\"0013z00002kcnS1AAI\"\r\n/IntegratorLogin=\"\"hughess6623@outlook.com\"\" /AccountId=\"\"0013z00002kbhSdAAI\"\r\nAtera agent is a remote monitoring and management system. At one point in the intrusion the threat actors utilized Atera to\r\ndownload and launch a new Cobalt Strike beacon on one of the hosts they had installed the agent on.\r\nPrivilege Escalation\r\nThere were attempts to exploit the Active Directory vulnerabilities CVE-2021-42278 and CVE-2021-42287 in order to create\r\nprivileged accounts. The attempts failed, but they left indicators: DNS requests checking for the\r\nexistence of SAMTHEADMIN-XX (XX being a random number). The query status 9003 (DNS_ERROR_RCODE_NAME_ERROR, i.e. the name does not exist) shows that these lookups failed.\r\nThe injected process dllhost.exe requesting SAMTHEADMIN-92 and SAMTHEADMIN-20 accounts:\r\nWe believe the operator used the publicly available script ‘sam_the_admin‘ or a variant based on it. 
Part of the script\r\ngenerates a new computer account name in the form SAMTHEADMIN- followed by a random value between 0 and 100, as\r\nindicated below.\r\nThe script then resolves the new name to confirm that the account was created, which explains the failed DNS\r\nrequests observed.\r\nDefense Evasion\r\nDisable Defender\r\nA base64 encoded PowerShell command was executed on the beachhead which disabled Windows\r\nDefender real-time protection (T1562.001). Encoded command (truncated):\r\npowershell -nop -exec bypass -EncodedCommand UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZ\r\nThe -EncodedCommand argument is the base64 encoding of the UTF-16LE script text. Decoded, it uses the Set-MpPreference cmdlet to disable Defender’s real-time monitoring:\r\nSet-MpPreference -DisableRealtimeMonitoring $true\r\nProcess Injection\r\nA number of process injections were seen during this intrusion. The Cobalt Strike beacon used the\r\nCreateRemoteThread Win32 function in order to inject code into running processes. The usage of this function triggers\r\nSysmon Event ID 8, a well-known pattern of CS beacon activity. Remote threads were created in Winlogon and Explorer\r\nprocesses.\r\nCredential Access\r\nLSASS Access\r\nThe threat actors accessed LSASS process memory (T1003.001) on different hosts, including domain\r\ncontrollers, using multiple techniques. The screenshot below\r\nshows the different “DesiredAccess” to the LSASS process object from different beacons (dllhost.exe, Edebef4.dll, etc.) 
or\r\nTask Manager:\r\nThe table below maps the “DesiredAccess” values to the corresponding process access rights, with examples of credential\r\ndumping tools requesting those accesses (Sysmon Event ID 10 records this value in its GrantedAccess field):\r\nDesired Access (decimal) | Hex    | Process Access Rights                       | Offensive Tools\r\n5136                     | 0x1410 | PROCESS_VM_READ (0x0010)                    | Mimikatz (Windows NT version \u003c 6), NanoDump\r\n                         |        | PROCESS_QUERY_INFORMATION (0x0400)          |\r\n                         |        | PROCESS_QUERY_LIMITED_INFORMATION (0x1000)* |\r\n4112                     | 0x1010 | PROCESS_VM_READ (0x0010)                    | Mimikatz (Windows NT version \u003e= 6)\r\n                         |        | PROCESS_QUERY_LIMITED_INFORMATION (0x1000)  |\r\n64                       | 0x0040 | PROCESS_DUP_HANDLE (0x0040)                 | MirrorDump, HandleKatz\r\n*A handle that has the PROCESS_QUERY_INFORMATION access right is automatically\r\ngranted PROCESS_QUERY_LIMITED_INFORMATION. Those “DesiredAccess” values could be interesting to build\r\ndetections or hunting queries if you are using Sysmon or a similarly verbose monitoring tool. In our case, the access to the LSASS\r\nprocess allowed the threat actors to compromise a domain admin account, which was then used to move laterally and deploy\r\nransomware.\r\nDiscovery\r\nMultiple discovery techniques were observed throughout the case. The initial discovery techniques were conducted on the\r\nbeachhead host by the IcedID malware – focusing on determining the system language and security products installed\r\n(T1518.001). Other familiar discovery techniques were then leveraged to establish situational awareness, such as network\r\nconfigurations and Windows domain configuration. 
Discovery was achieved using a combination of living off the land\r\ntechniques (WMIC and CMD) and via third-party tools.\r\ncmd.exe /c chcp \u003e\u00262\r\nipconfig /all\r\nsysteminfo\r\nWMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nnet config workstation\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nnet view /all /domain\r\nnet view /all\r\nnet group \"Domain Admins\" /domain\r\ncmd.exe /C nltest /dclist:\r\ncmd.exe /C net group /domain \"Domain Computers\"\r\ncmd.exe /C net group /domain \"Enterprise Admins\"\r\nThreat actors also used “chcp” for discovery of the system locale/language (T1614.001). chcp (change code page) is a\r\nWindows console utility that displays or changes the active console code page, which follows the system locale. In this case, the current code page was\r\ncollected using the following command:\r\ncmd.exe /c chcp \u003e\u00262\r\nAs a test, entering chcp on a command prompt prints a numeric value; Microsoft's chcp documentation lists the code page\r\nidentifiers (437 is the United States OEM code page). It is highly likely that the threat actors were establishing the\r\ncountry of origin based on the language used – an extra fail-safe check to ensure certain users or regions were not targeted.\r\nThe trailing \u003e\u00262 redirects the command's standard output to standard error, which points to the command being issued from a script or the malware's command runner rather than typed interactively. The\r\nsecond discovery was from a different Cobalt Strike beacon “Faicuy4.exe” which focused on domain discovery and user\r\ngroups using the net command. Once the threat actors had achieved lateral movement to domain controllers, the AdFind\r\nutility was employed to enumerate Active Directory objects (T1018).\r\n‘adf.bat’ is a common batch file that we have observed in previous cases; we saw this script in 2020 as part of a Ryuk\r\nintrusion. 
The recent Conti leaks indicate that Conti operators were surprised Ryuk operators were using their file.\r\nThe PowerView\r\nmodule Invoke-ShareFinder was executed from the beachhead host and a domain controller.\r\nSome network discovery was conducted using the ping utility to check the existence of hosts on the network (T1018).\r\nFilesystem discovery (T1083) was conducted to collect directory listings into a text file. Other\r\nvariations included:\r\nC:\\Windows\\system32\\cmd.exe /C dir “\\\\\u003cREDACTED\u003e\\C$” /s \u003e\u003e listback.txt\r\nC:\\Windows\\system32\\cmd.exe /C dir “\\\\\u003cREDACTED\u003e\\C$” /s \u003e\u003e list1.txt\r\nLateral Movement\r\nOn the 6th day, the threat actors began their lateral movement activity using SMB to transfer Cobalt Strike DLLs onto a\r\ndomain controller and another server (T1021.002).\r\nServices were then created on the hosts to execute the uploaded Cobalt Strike Beacons (T1569.002).\r\nOn the final day, right before execution of the ransomware, SMB was again used to transfer Cobalt Strike Beacon\r\nexecutables to the domain controllers.\r\nThe beacons were then executed using a remote service.\r\nKnown Cobalt Strike named pipes were observed on the Domain Controllers with these executable beacons. Named pipe\r\nconnections can be observed through Sysmon Event ID 18. 
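The Sysmon events this report leans on (Event ID 1 for the encoded PowerShell in Defense Evasion, Event ID 8 for the CreateRemoteThread injections, Event ID 10 for the LSASS DesiredAccess values in Credential Access, Event ID 17/18 for the MSSE-NNNN-server pipes, and the SAMTHEADMIN DNS lookups in Privilege Escalation, assumed here to be captured as Sysmon Event ID 22 since the report does not say which DNS log it used) can be triaged with one small script. The Python below is an added example written for this edit, not code from The DFIR Report. The event records are constructed to mirror the case (paths and the benign svchost access are my invention), and the full encoded command is rebuilt from the decoded cmdlet because the page shows only its first 64 characters.

```python
import base64
import re

# Event ID 1: PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_RE = re.compile(r"-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Set-MpPreference switches that weaken Defender (T1562.001); the case used the first one.
DEFENDER_TAMPER = ("DisableRealtimeMonitoring", "DisableIOAVProtection",
                   "DisableBehaviorMonitoring", "ExclusionPath")

# Event ID 10: process access rights that matter for LSASS, and the DesiredAccess values
# from the table in the Credential Access section with the tools known to request them.
ACCESS_BITS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
               0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
               0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
               0x0400: "PROCESS_QUERY_INFORMATION",
               0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
LSASS_MASKS = {0x1410: "Mimikatz (NT < 6) / NanoDump", 0x1010: "Mimikatz (NT >= 6)",
               0x0040: "MirrorDump / HandleKatz (handle duplication)"}

# Event ID 8 / 17-18 / 22: injection targets seen in the case, the default Artifact Kit
# pipe name, and the machine-account names generated by sam_the_admin.
INJECT_TARGETS = ("\\explorer.exe", "\\winlogon.exe")
CS_DEFAULT_PIPE = re.compile(r"^\\MSSE-\d{4}-server$")
SAM_THE_ADMIN = re.compile(r"^SAMTHEADMIN-\d{1,3}(\.|$)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text) as a string, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # re-pad in case the log line was truncated
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_access(mask):
    """Expand a GrantedAccess mask into the named process access rights it contains."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def triage(events):
    """Run every detector over Sysmon-like dicts; return a list of (EventID, finding) pairs."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded and "Set-MpPreference" in decoded and any(k in decoded for k in DEFENDER_TAMPER):
                findings.append((1, "T1562.001 Defender tampering: " + decoded.strip()))
        elif eid == 8 and ev["TargetImage"].lower().endswith(INJECT_TARGETS) \
                and ev["SourceImage"] != ev["TargetImage"]:
            findings.append((8, f"T1055 remote thread from {ev['SourceImage']} into {ev['TargetImage']}"))
        elif eid == 10 and ev["TargetImage"].lower().endswith("\\lsass.exe"):
            mask = int(ev["GrantedAccess"], 16)
            tool = LSASS_MASKS.get(mask)
            if tool or mask & 0x0010:  # a known dumper mask, or any VM_READ on LSASS
                findings.append((10, f"T1003.001 {ev['SourceImage']} opened lsass with "
                                     f"{ev['GrantedAccess']} {decode_access(mask)} {tool or ''}".rstrip()))
        elif eid in (17, 18) and CS_DEFAULT_PIPE.match(ev["PipeName"]):
            findings.append((eid, f"Cobalt Strike default pipe {ev['PipeName']} by {ev['Image']}"))
        elif eid == 22 and SAM_THE_ADMIN.match(ev["QueryName"]):
            findings.append((22, f"CVE-2021-42278/42287 probe: {ev['Image']} resolved {ev['QueryName']}"))
    return findings


# Constructed sample events (not the case's logs). The encoded command is rebuilt from the
# decoded cmdlet because the page shows only its first 64 characters.
ENCODED_SAMPLE = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -exec bypass -EncodedCommand " + ENCODED_SAMPLE},
    {"EventID": 8, "SourceImage": r"C:\Windows\SysWOW64\dllhost.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\SysWOW64\dllhost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",  # benign: no VM_READ
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 18, "Image": r"C:\Windows\Temp\61582ab.exe", "PipeName": r"\MSSE-3328-server"},
    {"EventID": 22, "Image": r"C:\Windows\SysWOW64\dllhost.exe", "QueryName": "SAMTHEADMIN-92"},
]

if __name__ == "__main__":
    for eid, finding in triage(SAMPLE_EVENTS):
        print(f"[Sysmon {eid}] {finding}")
```

Running the script prints five findings and stays silent on the svchost access to LSASS, because 0x1000 alone carries no PROCESS_VM_READ. The re-padding step matters in practice: log pipelines often truncate long EncodedCommand values, and base64.b64decode rejects unpadded input.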
Note that the named pipes followed the MSSE-[0-9]{4}-server\r\npattern, which indicates that the threat actors were using the default Cobalt Strike Artifact Kit binaries:\r\npipeName: \\MSSE-3328-server and Image: 61582ab.exe\r\npipeName: \\MSSE-7344-server and Image: 044b7e1.exe\r\nCommand and Control\r\nWe observed the IcedID DLL dropping multiple CS beacons on the beachhead.\r\nSplashtop Streamer\r\nThreat actors used Splashtop Streamer via the Atera agent, allowing them to remotely connect to machines\r\nwithout using RDP tunneling or other techniques previously seen in our cases. By default, the Splashtop Streamer is\r\nautomatically installed together with the AteraAgent.\r\nSplashtop Streamer usage leaves many network connections to *.api.splashtop.com and *.relay.splashtop.com on port 443:\r\nCobalt Strike\r\nWe observed the stock jQuery malleable C2 profile (request URIs /jquery-3.3.1.min.js and /jquery-3.3.2.min.js in the bunced.net and shytur.com\r\nconfigurations below), including its jQuery user-agent string. This activity can be detected with relative ease by the ET rules.\r\nThe extracted configurations show a 5-second polling interval with only 10% jitter (20% for cirite.com), resulting in a near-constant stream of HTTP requests, and if using ET rules, constant\r\nalerts would be generated. Just based on the ET Cobalt Strike rule, ‘ET\r\nMALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response’, there were in excess of 6K alerts generated. Due\r\nto the length of this intrusion, we observed the threat actors handing off between C2 servers. 
We also observed one Cobalt\r\nStrike domain change IP resolutions three times over the length of the case.\r\nIcedID:\r\nguguchrome.com\r\n5.181.80.214:80\r\napplesflying.com\r\n5.181.80.113:443\r\nJa3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [89:ac:17:b1:f1:b6:9e:c8:bb:e5:f3:59:ac:e4:91:b2:91:f4:85:58 ]\r\nNot Before: 2021/12/08 20:30:05 UTC\r\nNot After: 2022/12/08 20:30:05 UTC\r\nIssuer Org: Internet Widgits Pty Ltd\r\nSubject Common: localhost\r\nSubject Org: Internet Widgits Pty Ltd\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike:\r\nbunced.net\r\n103.208.86.7:80\r\n103.208.86.7:443\r\nJa3: 0eecb7b1551fba4ec03851810d31743f\r\nJA3s: 10b29985cd0ecd878ac083f059c42d51\r\nCertificate: [8f:98:c5:f8:48:96:b6:cd:13:91:7c:4c:32:85:db:b7:e5:e1:bc:8f ]\r\nNot Before: 2021/12/09 10:32:43 UTC\r\nNot After: 2022/03/09 10:32:42 UTC\r\nIssuer Org: Let's Encrypt\r\nSubject Common: bunced.net\r\nPublic Algorithm: id-ec\r\nPublicKey Curve: secp384r1\r\n{\r\n \"x64\": {\r\n \"sha256\": \"01a4c5ef0410b379fa83ac1a4132ba6f7b5814192dbdb87e9d7370e6256ea528\",\r\n \"md5\": \"21242d958caf225f76ad71a4d3a6d4d9\",\r\n \"config\": {\r\n \"Jitter\": 10,\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Port\": 80,\r\n \"Watermark\": 0,\r\n \"C2 Host Header\": \"\",\r\n \"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"C2 Server\": \"bunced.net,/jquery-3.3.1.min.js\",\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"Method 2\": \"POST\",\r\n \"Polling\": 5000\r\n },\r\n \"time\": 1639100549541.8,\r\n \"sha1\": \"04bbd0ffa580dd5a85ce4c7fc19c66cc753e45ff\",\r\n \"uri_queried\": \"/uKVG\"\r\n },\r\n \"x86\": {\r\n \"sha256\": \"9c01afed2a863fa2466679ef53127e925963cc95de98bc4c59cb4743ccc73bf5\",\r\n \"md5\": 
\"e7df03bc59b478f0588039416b845c7f\",\r\n \"config\": {\r\n \"Jitter\": 10,\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Port\": 80,\r\n \"Watermark\": 0,\r\n \"C2 Host Header\": \"\",\r\n \"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"C2 Server\": \"bunced.net,/jquery-3.3.1.min.js\",\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"Method 2\": \"POST\",\r\n \"Polling\": 5000\r\n },\r\n \"time\": 1639100538593.3,\r\n \"sha1\": \"18ddb5fac720599983791036e43154a9ce67ffde\",\r\n \"uri_queried\": \"/Uq4b\"\r\n }\r\n}\r\nshytur.com\r\n179.43.176.93:80\r\n216.73.159.33:80\r\n179.43.176.80:80\r\n{\r\n \"x64\": {\r\n \"config\": {\r\n \"Port\": 80,\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Polling\": 5000,\r\n \"Method 2\": \"POST\",\r\n \"C2 Server\": \"shytur.com,/jquery-3.3.1.min.js\",\r\n \"C2 Host Header\": \"\",\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"Watermark\": 0,\r\n \"Jitter\": 10,\r\n \"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\"\r\n },\r\n \"uri_queried\": \"/RnJS\",\r\n \"md5\": \"22bbd14a893b19220e829940ad474687\",\r\n \"sha256\": \"10084d7146462d06c599bd14664d14c511b40687e21983e6f8bded06982931a9\",\r\n \"sha1\": \"06ef512d5a2b9353b6d0a412a1876e02d3474527\",\r\n \"time\": 1640639559417.7\r\n },\r\n \"x86\": {\r\n \"config\": {\r\n \"Port\": 80,\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Polling\": 5000,\r\n \"Method 2\": \"POST\",\r\nhttps://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\r\nPage 15 of 22\n\n\"C2 Server\": \"shytur.com,/jquery-3.3.1.min.js\",\r\n \"C2 Host Header\": \"\",\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"Watermark\": 0,\r\n \"Jitter\": 10,\r\n \"HTTP 
Method Path 2\": \"/jquery-3.3.2.min.js\"\r\n },\r\n \"uri_queried\": \"/COPz\",\r\n \"md5\": \"a48fbea91a31afaf348f713b1f59dfbf\",\r\n \"sha256\": \"d281caef6c8fc45d8725d6cd1542234aea35b97b99bb6aaff7688d91a10716f0\",\r\n \"sha1\": \"7d700ad69d2800de159af5f50bbb82e89467d8b4\",\r\n \"time\": 1640639554775.3\r\n }\r\n}\r\ncirite.com\r\n23.81.246.30:443\r\nJa3: a0e9f5d64349fb13191bc781f81f42e1\r\nJa3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [f1:43:f2:43:29:79:35:ad:b5:60:c7:79:3a:0f:c6:68:a3:f2:d5:d1 ]\r\nNot Before: 2021/10/22 00:00:00 UTC\r\nNot After: 2022/10/22 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: cirite.com [cirite.com ,www.cirite.com ]\r\nPublic Algorithm: rsaEncryption\r\n{\r\n \"beacontype\": [\r\n \"HTTPS\"\r\n ],\r\n \"sleeptime\": 5000,\r\n \"jitter\": 20,\r\n \"maxgetsize\": 1864736,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 0,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"cirite.com\",\r\n \"port\": 443,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCNZaG28qpSpw7xhHStBrU+s2eWiOIBlBERsSzWagdI1TzzJHc/Evkk\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/posting\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\n \"prepend 600 characters\",\r\n \"base64\",\r\n \"base64url\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/extension\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n 
\"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 0,\r\n \"uses_cookies\": true,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"VirtualAllocEx\",\r\n \"execute\": [\r\n \"CreateThread\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"min_alloc\": 23886,\r\n \"startrwx\": false,\r\n \"stub\": \"Ms1B7fCBDFtfSY7fRzHMbQ==\",\r\n \"transform-x86\": [\r\n \"prepend '\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"transform-x64\": [\r\n \"prepend '\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"userwx\": false\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nwayeyoy.com\r\n172.241.29.192:443\r\nCertificate: [00:e7:34:3a:ad:bc:61:59:16:5e:d4:2b:e7:64:fa:8c:d5:42:40:17]\r\nNot Before: 2021/12/07 00:00:00 UTC\r\nNot After: 2022/12/07 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: wayeyoy.com [wayeyoy.com ,www.wayeyoy.com ]\r\nPublic Algorithm: rsaEncryption\r\nA configuration was not obtained for this server. Exfiltration We did not observe any exfiltration indicators while analyzing\r\nhost and network forensic artifacts. This does not mean that there was no exfiltration, as this could have been performed via\r\nhttps://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\r\nPage 17 of 22\n\nCobalt Strike beacons over encrypted channels. 
Impact\r\nOn the 19th day of the intrusion, the threat actors prepared for their\r\nfinal objectives. From the beachhead host, the directory listings of the domain controllers were checked again, followed by\r\nthe backup server. On the beachhead host, we observed the threat actors attempt to execute the final ransomware payload.\r\nFrom that host, however, the attempt failed. The threat actors then proceeded to look for other elevation paths. After a failed\r\nattempt with CVE-2021-42278 and CVE-2021-42287, the threat actors executed Cobalt Strike beacons on a couple of\r\ndomain controllers. Once they established this access, around twenty minutes later, they again attempted the ransomware\r\ndeployment and this time the payload executed properly and began spreading across the network via SMB. The threat actors\r\ndeployed the ransomware payload as a DLL named x64.dll, which was executed using the backup.bat batch script.\r\nThis x64.dll contains the string “conti_v3.dll”, a fingerprint seen in our previous cases:\r\nWe didn’t dig into reversing this DLL, as a detailed step-by-step analysis already exists and gives an excellent explanation\r\nof the command line parameters used during the execution of Conti ransomware. 
Once the threat actors pushed the encryptor to\r\nC$, excessive SMB network activity was generated in a short period of time (~7K), as indicated by the chart.\r\nThis resulted in files being encrypted and a ‘readme.txt’ ransom note generated on the hosts:\r\nThe ransom note has been slightly\r\nmodified from our last Conti cases:\r\nIndicators\r\nNetwork\r\nEmail Addresses used for Atera Registration:\r\nmarsmors1947@gmail.com\r\nhughess6623@outlook.com\r\n5.181.80.214:80\r\nguguchrome.com\r\n5.181.80.113:443\r\napplesflying.com\r\n103.208.86.7:80\r\nbunced.net\r\n172.241.29.192:443\r\nwayeyoy.com\r\n23.81.246.30:443\r\ncirite.com\r\n216.73.159.33:80\r\nshytur.com\r\nFile (MD5, SHA1, SHA256)\r\ndata.dll\r\n71c8eb081c33fd6b2c10effa92154a18\r\n8222ed4fcac2c7408e7fbb748af1752e72bb9b01\r\nbaeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3\r\nFaicuy4.exe\r\nfe4fb0b3ca2cb379d74cd239e71af44f\r\n6ccd04b109a5148a04ae3ac7f6bc061ccab2122f\r\na79f5ce304707a268b335f63d15e2d7d740b4d09b6e7d095d7d08235360e739c\r\nEwge.dll/Ijucko32.dll\r\nb3053228b51ae7af99e0abfa663368d5\r\n670d974d936262c1c569442238d953ed009f7c79\r\n4d62929aa9e76694a62b46bc05425452f26e1e9b09ea6f294850ace825229966\r\nEdebef4.dll\r\n7375eccff18bef7e89665d1a7f31edca\r\na0836d54aa2a783fd8bae685a1b94e913b655430\r\n50d2a2564541887570cf784c677de6900aa503648c510927e08c32b5a6ae3bf5\r\nx64.dll\r\n28bd01b6b3efa726bf00d633398c5c8a\r\n11012f0074e37e105c404a2eda61f9d652b8c03d\r\n8fb035b73bf207243c9b29d96e435ce11eb9810a0f4fdcc6bb25a14a0ec8cc21\r\nDetections\r\nSuricata\r\nET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response\r\nET MALWARE Cobalt Strike Beacon Activity (GET)\r\nETPRO POLICY Observed Atera Remote Access Application Activity Domain in TLS SNI\r\nET POLICY Command Shell Activity Over SMB - Possible Lateral Movement\r\nET POLICY SMB Executable File Transfer\r\nET POLICY SMB2 NT Create AndX Request For an 
Executable File\r\nET HUNTING Possible Powershell .ps1 Script Use Over SMB\r\nET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File\r\nSigma\r\nhttps://github.com/SigmaHQ/sigma/blob/a3eed2b760abddfd62014fcf9ae81f435b216473/rules/windows/process_access/proc_access_win_lsass_memdum\r\nhttps://github.com/SigmaHQ/sigma/blob/11b6b24660c045bb907ed43cfe007349764173bc/rules/windows/powershell/powershell_script/posh_ps_powervi\r\nhttps://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process_creation/proc_creation_win_ad_find_dis\r\nhttps://github.com/SigmaHQ/sigma/blob/6b3fc11a48e8aa2773dfe266c3be11e4c4c973a5/rules/windows/process_creation/proc_creation_win_powershell_\r\nhttps://github.com/SigmaHQ/sigma/blob/eb382c4a59b6d87e186ee269805fe2db2acf250e/rules/windows/builtin/security/win_admin_share_access.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/application/win_software_atera_rmm_age\r\nhttps://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_trust_disco\r\nhttps://github.com/SigmaHQ/sigma/blob/becf3baeb4f6313bf267f7e8d6e9808fc0fc059c/rules/windows/process_creation/proc_creation_win_susp_recon_a\r\nhttps://github.com/SigmaHQ/sigma/blob/e049058d14dd9ec09771b38ed4d59e8b49ba1bad/rules/windows/builtin/security/win_security_cobaltstrike_servi\r\ntitle: CHCP CodePage Locale Lookup\r\nstatus: Experimental\r\ndescription: Detects use of chcp to look up the system locale value as part of host discovery\r\nauthor: _pete_0, TheDFIRReport\r\nreferences:\r\n - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\r\n - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp\r\ndate: 2022/02/21\r\nmodified: 2022/02/21\r\nlogsource:\r\n 
category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n Image|endswith:\r\n - '\\chcp.com'\r\n CommandLine|endswith:\r\n - 'chcp'\r\n ParentImage|endswith:\r\n - '\\cmd.exe'\r\n ParentCommandLine|contains:\r\n - '/c'\r\n condition: selection\r\nfields:\r\n - CommandLine\r\n - ParentCommandLine\r\nfalsepositives:\r\n - Unknown\r\nlevel: high\r\ntags:\r\n - attack.discovery\r\n - attack.t1614.001\r\nYARA\r\n/*\r\n YARA Rule Set\r\n Author: The DFIR Report\r\n Date: 2022-04-04\r\n Identifier: 9438 conti\r\n Reference: https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nrule cs_exe_9438 {\r\n meta:\r\n description = \"9438 - file Faicuy4.exe\"\r\n author = \"TheDFIRReport\"\r\n reference = \"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\"\r\n date = \"2022-04-04\"\r\n hash1 = \"a79f5ce304707a268b335f63d15e2d7d740b4d09b6e7d095d7d08235360e739c\"\r\n strings:\r\n $x1 = \"C:\\\\Users\\\\Administrator\\\\Documents\\\\Visual Studio 2008\\\\Projects\\\\MUTEXES\\\\x64\\\\Release\\\\MUTEXES\r\n $s2 = \"mutexes Version 1.0\" fullword wide\r\n $s3 = \" \u003crequestedExecutionLevel level=\\\"asInvoker\\\" uiAccess=\\\"false\\\"\u003e\u003c/requestedExecutionLevel\r\n $s4 = \".?AVCMutexesApp@@\" fullword ascii\r\n $s5 = \".?AVCMutexesDlg@@\" fullword ascii\r\n $s6 = \"About mutexes\" fullword wide\r\n $s7 = \"Mutexes Sample\" fullword wide\r\n $s8 = \" 1992 - 2001 Microsoft Corporation. 
All rights reserved.\" fullword wide\r\n $s9 = \"\u0026Process priority class:\" fullword wide\r\n $s10 = \" Type Descriptor'\" fullword ascii\r\n $s11 = \"\u0026About mutexes...\" fullword wide\r\n $s12 = \" constructor or from DllMain.\" fullword ascii\r\n $s13 = \".?AVCDisplayThread@@\" fullword ascii\r\n $s14 = \"IsQ:\\\"P\" fullword ascii\r\n $s15 = \"CExampleThread\" fullword ascii\r\nhttps://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\r\nPage 20 of 22\n\n$s16 = \".?AVCCounterThread@@\" fullword ascii\n $s17 = \".?AVCExampleThread@@\" fullword ascii\n $s18 = \" \" fullword ascii\n $s19 = \"CDisplayThread\" fullword ascii\n $s20 = \"CCounterThread\" fullword ascii\n condition:\n uint16(0) == 0x5a4d and filesize \u003c 2000KB and\n 1 of ($x*) and 4 of them\n}\nrule conti_dll_9438 {\n meta:\n description = \"9438 - file x64.dll\"\n author = \"TheDFIRReport\"\n reference = \"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\"\n date = \"2022-04-04\"\n hash1 = \"8fb035b73bf207243c9b29d96e435ce11eb9810a0f4fdcc6bb25a14a0ec8cc21\"\n strings:\n $s1 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\n $s2 = \"conti_v3.dll\" fullword ascii\n $s3 = \" \" fullword ascii\n $s4 = \"api-ms-win-core-processthreads-l1-1-2\" fullword wide\n $s5 = \"ext-ms-win-ntuser-dialogbox-l1-1-0\" fullword wide\n $s6 = \" Type Descriptor'\" fullword ascii\n $s7 = \"operator \\\"\\\" \" fullword ascii\n $s8 = \"operator co_await\" fullword ascii\n $s9 = \" \" fullword ascii\n $s10 = \"api-ms-win-rtcore-ntuser-window-l1-1-0\" fullword wide\n $s11 = \"api-ms-win-security-systemfunctions-l1-1-0\" fullword wide\n $s12 = \"ext-ms-win-ntuser-windowstation-l1-1-0\" fullword wide\n $s13 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\n $s14 = \" Base Class Descriptor at (\" fullword ascii\n $s15 = \" Class Hierarchy Descriptor'\" fullword ascii\n $s16 = \"bad array new length\" fullword ascii\n $s17 = \" Complete 
Object Locator'\" fullword ascii\n $s18 = \".data$r\" fullword ascii\n $s19 = \" delete[]\" fullword ascii\n $s20 = \" \" fullword ascii\n condition:\n uint16(0) == 0x5a4d and filesize \u003c 700KB and\n all of them\nMITRE\nT1614.001 - System Location Discovery: System Language Discovery\nT1218.010 - Signed Binary Proxy Execution: Regsvr32\nT1218.011 - Signed Binary Proxy Execution: Rundll32\nT1059.001 - Command and Scripting Interpreter: PowerShell\nT1055 - Process Injection\nT1003.001 - OS Credential Dumping: LSASS Memory\nT1486 - Data Encrypted for Impact\nT1482 - Domain Trust Discovery\nT1021.002 - Remote Services: SMB/Windows Admin Shares\nT1219 - Remote Access Software\nT1083 - File and Directory Discovery\nT1562.001 - Impair Defenses: Disable or Modify Tools\nT1518.001 - Software Discovery: Security Software Discovery\nT1047 - Windows Management Instrumentation\nT1087.002 - Account Discovery: Domain Account\nT1068 - Exploitation for Privilege Escalation\nT1082 - System Information Discovery\nT1018 - Remote System Discovery\nT1053.005 - Scheduled Task/Job: Scheduled Task\nT1569.002 - Service Execution\nT1071.001 Web Protocols\nS0552 - AdFind\nhttps://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\nPage 21 of 22\n\nS0154 - Cobalt Strike\r\nS0097 - Ping\r\nInternal case #9438  \r\nSource: https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\r\nhttps://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\r\nPage 22 of 22",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/"
	],
	"report_names": [
		"stolen-images-campaign-ends-in-conti-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/480660da5c8100c5dfd39c14a1043a57a75992fe.pdf",
		"text": "https://archive.orkl.eu/480660da5c8100c5dfd39c14a1043a57a75992fe.txt",
		"img": "https://archive.orkl.eu/480660da5c8100c5dfd39c14a1043a57a75992fe.jpg"
	}
}