Stolen Images Campaign Ends in Conti Ransomware
By editor
Published: 2022-04-04 · Archived: 2026-04-05 23:35:44 UTC
In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan
that first appeared in 2017, usually, it is delivered via malspam campaigns and has been widely used as an initial access
vector in multiple ransomware intrusions. Upon execution of the IcedID DLL, discovery activity was performed which was
followed by the dropping of a Cobalt Strike beacon on the infected host.
Along the way, the threat actors installed remote management tools such as Atera and Splashtop for persisting in the
environment. While remaining dormant most of the time, the adversary deployed Conti ransomware on the 19th day (shortly
after Christmas), resulting in domain wide encryption.
The DFIR Report Services
Private Threat Briefs: Over 20 private DFIR reports annually.
Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.
All Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, opendir reports, long-term tracking, data clustering, and other curated intel.
Private Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT&CK with test examples.
DFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactive labs
are available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.
Contact us today for pricing or a demo!
Case Summary
We assess with high confidence that the “Stolen Image Evidence” email campaign was used to deliver the IcedID DLL. This
was first reported by Microsoft in April 2021. Upon execution of the IcedID DLL, a connection to a C2 server was
established. This was followed by the creation of a scheduled task on the beachhead host to establish persistence. The task
executed the IcedID payload every one 1 hour. The IcedID malware then used Windows utilities such as net, chcp, nltest,
and wmic, to perform discovery activity on the host. After a gap of almost an hour, a Cobalt Strike beacon was dropped and
executed on the beachhead host. Soon after, another round of discovery was performed from the Cobalt Strike beacon
focusing on the Windows domain. Nltest and net group were utilized to look for sensitive groups such as Domain Admins
and Enterprise Admins. Process injection into explorer.exe was then observed from the Cobalt Strike Beacon.
The threat actors proceeded to install remote management tools such as Atera Agent and Splashtop. Use of these 3rd party
administrative tools allow the threat actors another “legitimate” means of persistence and access if they were to lose their
malware connection. In this intrusion, we observed usage of gmail[.]com and outlook[.]com email accounts for Atera agent
registration. Soon after, one of the injected Cobalt Strike processes accessed LSASS memory to dump credentials from the
beachhead. On the sixth day of the intrusion, the beachhead host saw new discovery activity with a quick nltest followed by
the PowerView script Invoke-ShareFinder.
On the following day, the seventh day of the intrusion, the threat actors made their next move. On that day, a new Cobalt
Strike server was observed, in fact over the course of the intrusion, four different Cobalt Strike servers were used. From the
beachhead host, a DLL was transferred to a domain controller over SMB and then a remote service was created on the
domain controller to execute the Cobalt Strike DLL. After getting a foothold on the domain controller, we saw more process
injection followed by the same pattern of installing Atera for additional persistent access. From the domain controller, the
threat actors proceeded with more discovery tasks including AdFind and Invoke-ShareFinder again.
After this, the threat actors went quiet. On day nine of the intrusion, the next Cobalt Strike server, which would ultimately be
used until the end of the intrusion, was observed for the first time. On the tenth day, little activity was observed but the threat
actors connected to the beachhead host via the Atera agent and executed another Cobalt Strike DLL. A little discovery
check-in was observed on the 14th day, but little else.
On the 19th day, the threat actors moved towards their final objectives. They reviewed the directory structure of several
hosts including domain controllers and backup servers. They then dropped their final ransomware payload on the beachhead
host and attempted to execute it using a batch file named backup.bat. However, they found that their execution failed. They
left for a few hours, and then returned, and attempted to exploit a couple of CVE’s in an attempt to escalate privileges. The
threat actors had already secured domain admin access but it’s possible the operator may have thought they lacked
permissions when their first ransomware execution failed. While these exploits appear to have failed the threat actors found
their previously captured domain admin credentials and launched two new Cobalt Strike beacons on the domain controllers.
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 1 of 22
Finally, twenty minutes after accessing the domain controllers, the threat actors dropped the ransomware DLL and the batch
script and executed it from the domain controller. This time the execution worked as intended and resulted in domain wide
ransomware.
Timeline
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 2 of 22
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 3 of 22
Report lead: @0xtornado Contributing analysts: @yatinwad, @MetallicHack, and @_pete_0
Initial Access
The IcedID DLL, which gave the threat actors a foothold into the environment, was likely delivered by a “Stolen Image
Evidence” email campaign. https://twitter.com/infosecfu/status/1468955220059168785?s=20&t=_fCNcLM-nx1e8EHbyA6z3A These initial access campaigns reportedly utilize contact forms to send malicious emails to intended
targets. The emails contain a link to a legitimate storage service like those offered by Google and Microsoft. In this example,
“http://storage.googleapis.com” was used to host a zip file. The zip archive contains an ISO file, which once clicked and
mounted, shows a document-like LNK file. Once the victim opens that LNK file, the IcedID DLL loader executes,
downloads, and runs the second stage of IcedID. Below is a configuration extraction of that initial IcedID malware from an
automated sandbox analysis of the sample:
{
"Campaign ID": 870605016,
"C2 url": "guguchrome.com"
}
Execution
The graph below shows detailed actions performed through IcedID, including reconnaissance and Cobalt Strike beacons
drops:
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 4 of 22
Persistence
Scheduled Tasks Only one scheduled task was created during this intrusion. The scheduled task was created on the
beachhead host upon the execution of IcedID DLL, which executed every hour:
rundll32.exe
"C:\Users\REDACTED\AppData\Local\{C904416E-A880-3136-ED72-AA63AF7DB1F2}\Gaagsp2.dll",DllMain
Atera Agent Threat actors dropped and installed Atera agent (T1219), using two MSI packages “sql.msi” and “mstsc.msi”,
from the Cobalt Strike beacons, which allowed them to have a non-malware backdoor in the environment.
The installation of those two packages reveals two emails potentially belonging to the ransomware operators or affiliates:
/IntegratorLogin=""marsmors1947@gmail.com"" /AccountId=""0013z00002kcnS1AAI"
/IntegratorLogin=""hughess6623@outlook.com"" /AccountId=""0013z00002kbhSdAAI"
Atera agent is a remote monitoring and management system. At one point in the intrusion the threat actors utilized Atera to
download and launch a new Cobalt Strike beacon on one of the hosts they had installed the agent on.
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 5 of 22
Privilege Escalation
There were attempts to exploit Active Directory vulnerabilities CVE-2021-42278 and CVE-2021-42287 in order to create
privileged accounts. This attempt failed, however, there were indicators through DNS requests enumerating accounts for the
existence of SAMTHEADMIN-XX (XX being a random number). The query status 9003 indicates that this does not exist.
The injected process dllhost.exe requesting SAMTHEADMIN-92 and SAMTHEADMIN-20 accounts:
We believe the operator used the publicly available script ‘sam_the_admin‘ or a variant based on it. Part of the script
generates a new computer name account in the form SAMTHEADMIN- followed by a random value between 0 to 100, as
indicated below.
The exploitation involves invoking lookups to ensure that the new accounts were successful, explaining why failed DNS
requests were observed.
Defense Evasion
Disable Defender A base64 encoded PowerShell command was executed on the beachhead which disabled Windows
Defender AV (T1562.001). Encoded Command:
powershell -nop -exec bypass -EncodedCommand UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZ
The decoded base64 PowerShell command uses Set-MpPreference cmdlet to disable Defender’s real time monitoring:
Set-MpPreference -DisableRealtimeMonitoring $true
Process Injection A number of process injections were seen during this intrusion. The Cobalt Strike beacon used the
CreateRemoteThread Win32 function in order to inject code into running processes. The usage of this function triggers the
Sysmon Event ID 8, a well known pattern of CS beacon activity. Remote threads were created in Winlogon and Explorer
processes.
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 6 of 22
Credential Access
LSASS Access The threat actors accessed LSASS process memory (T1003.001) on different hosts, including domain
controllers, using multiple techniques. The screenshot below
shows the different “DesiredAccess” to the LSASS process object from different beacons (dllhost.exe, Edebef4.dll, etc.) or
Task Manager:
The table below maps the “DesiredAccess” values with the actual corresponding access rights, and examples of credentials
dumping tools requesting those accesses:
Desired
Access
Hex
value
Process Access Rights Offensive Tools
5136 1410
PROCESS_VM_READ (0x0010)
PROCESS_QUERY_INFORMATION (0x0400)
PROCESS_QUERY_LIMITED_INFORMATION (0x1000)*
Mimikatz
(Winver <5)
NanoDump
4112 1010
PROCESS_VM_READ (0x0010)
PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
Mimikatz
(Winver >=6)
64 40 PROCESS_DUP_HANDLE (0x0040) MirrorDump
HandleKatz
*A handle that has the PROCESS_QUERY_INFORMATION access right is automatically
granted PROCESS_QUERY_LIMITED_INFORMATION. Those “DesiredAccess” values could be interesting to build
detections or hunting queries if you are using Sysmon or such a verbose monitoring tool. In our case, the access to LSASS
process allowed the threat actors to compromise a domain admin account, which was then used to move laterally and deploy
ransomware.
Discovery
Multiple discovery techniques were observed throughout the case. The initial discovery techniques were conducted on the
beachhead host by the IcedID malware – focusing on determining the system language and security products installed
(T1518.001). Other familiar discovery techniques were then leveraged to establish situational awareness, such as network
configurations and Windows domain configuration. Discovery was achieved using a combination of living off the land
techniques (WMIC and CMD) and via third-party tools.
cmd.exe /c chcp >&2
ipconfig /all
systeminfo
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
net config workstation
nltest /domain_trusts
nltest /domain_trusts /all_trusts
net view /all /domain
net view /all
net group "Domain Admins" /domain
cmd.exe /C nltest /dclist:
cmd.exe /C net group /domain "Domain Computers"
cmd.exe /C net group /domain "Enterprise Admins"
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 7 of 22
Threat actors also used “chcp” for discovery of the system locale/language (T1614.001). Change Control Page (ChCP) is a
Microsoft utility for changing the console control page (language). In this case, the existing control page language was
collected using the following command:
cmd.exe /c chcp >&2
As a test, entering this on a command prompt shows a numeric value. The Microsoft link shows the number of the language
used (437 – United States). It is highly likely that the threat actors were establishing the
country of origin based on the language used – an extra fail-safe check to ensure certain users or regions were not targeted.
The >&2 parameter could indicate a parameter was expected as part of a script, or possibly a redirect using stderr. The
second discovery was from a different Cobalt Strike beacon “Faicuy4.exe” which focused on domain discovery and user
groups using the net command. Once the threat actors had achieved lateral movement to domain controllers, the AdFind
utility was employed to enumerate active directory objects (T1018).
‘adf.bat’ is a common batch file that we have observed in previous cases, we saw this script in 2020 as part of a Ryuk
intrusion. The recent Conti leaks indicate that Conti operators were surprised Ryuk operators were using their file.
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 8 of 22
The PowerView
module Invoke-ShareFinder was executed from the beachhead host and a domain controller.
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 9 of 22
Some network discovery was conducted using the ping utility to check the existence of hosts on the network (T1049).
Filesystem discovery (T1083) was conducted to collect directory lists to a text file.
Other
variations included:
C:\Windows\system32\cmd.exe /C dir “\\\C$” /s >> listback.txt
C:\Windows\system32\cmd.exe /C dir “\\\C$” /s >> list1.txt
Lateral Movement
On the 6th day, the threat actors began their lateral movement activity using SMB to transfer Cobalt Strike DLL’s onto a
domain controller and another server.
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 10 of 22
Services were then created on the hosts to execute the uploaded Cobalt Strike Beacons.
On the final day, right before execution of the ransomware, SMB was again used to transfer Cobalt Strike Beacon
executable to the domain controllers.
The beacons were then executed using a remote service.
Known Cobalt Strike named pipes were observed on the Domain Controllers with these executable beacons. Named pipes
connections can be observed through Sysmon Event ID 18. Note that the named pipes followed MSSE-[0-9]{4}-server
pattern, which indicates that the threat actors were using the default Cobalt Strike Artifact Kit binaries:
pipeName: \MSSE-3328-server and Image: 61582ab.exe
pipeName: \MSSE-7344-server and Image: 044b7e1.exe
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 11 of 22
Command and Control We observed the IcedID DLL dropping multiple CS beacons on the beachhead.
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 12 of 22
Splashtop Streamer Threat actors used Splashtop Streamer via Atera agent, allowing them to remotely connect to machines
without using RDP tunneling or other techniques previously seen in our cases. By default, the Splashtop Streamer is
automatically installed together with the AteraAgent.
Splashtop Streamer usage leaves many network connections to *.api.splashtop.com and *.relay.splashtop.com on port 443:
Cobalt Strike We observed a default Cobalt Strike malleable C2 profile, using the jquery agent string. This activity can be
detected with relative ease by the ET rules.
There appeared to be no jitter configured, resulting in a constant stream of HTTP requests, and if using ET rules, constant
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 13 of 22
alerts would be generated. Just based on the ET Cobalt Strike rule, ‘ET
MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response’, there were in excess of 6K alerts generated. Due
to the length of this intrusion, we observerd the threat actors handing off between C2 servers. We also observed one Cobalt
Strike domain change IP resolutions three times, over the length of the case.
IcedID:
guguchrome.com
5.181.80.214:80
applesflying.com
5.181.80.113:443
Ja3: a0e9f5d64349fb13191bc781f81f42e1
JA3s: ec74a5c51106f0419184d0dd08fb05bc
Certificate: [89:ac:17:b1:f1:b6:9e:c8:bb:e5:f3:59:ac:e4:91:b2:91:f4:85:58 ]
Not Before: 2021/12/08 20:30:05 UTC
Not After: 2022/12/08 20:30:05 UTC
Issuer Org: Internet Widgits Pty Ltd
Subject Common: localhost
Subject Org: Internet Widgits Pty Ltd
Public Algorithm: rsaEncryption
Cobalt Strike:
bunced.net
103.208.86.7:80
103.208.86.7:443
Ja3: 0eecb7b1551fba4ec03851810d31743f
JA3s:10b29985cd0ecd878ac083f059c42d51
Certificate: [8f:98:c5:f8:48:96:b6:cd:13:91:7c:4c:32:85:db:b7:e5:e1:bc:8f ]
Not Before: 2021/12/09 10:32:43 UTC
Not After: 2022/03/09 10:32:42 UTC
Issuer Org: Let's Encrypt
Subject Common: bunced.net
Public Algorithm: id-ec
PublicKey Curve: secp384r1
{
"x64": {
"sha256": "01a4c5ef0410b379fa83ac1a4132ba6f7b5814192dbdb87e9d7370e6256ea528",
"md5": "21242d958caf225f76ad71a4d3a6d4d9",
"config": {
"Jitter": 10,
"Spawn To x86": "%windir%\\syswow64\\dllhost.exe",
"Port": 80,
"Watermark": 0,
"C2 Host Header": "",
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 14 of 22
"HTTP Method Path 2": "/jquery-3.3.2.min.js",
"Beacon Type": "0 (HTTP)",
"C2 Server": "bunced.net,/jquery-3.3.1.min.js",
"Method 1": "GET",
"Spawn To x64": "%windir%\\sysnative\\dllhost.exe",
"Method 2": "POST",
"Polling": 5000
},
"time": 1639100549541.8,
"sha1": "04bbd0ffa580dd5a85ce4c7fc19c66cc753e45ff",
"uri_queried": "/uKVG"
},
"x86": {
"sha256": "9c01afed2a863fa2466679ef53127e925963cc95de98bc4c59cb4743ccc73bf5",
"md5": "e7df03bc59b478f0588039416b845c7f",
"config": {
"Jitter": 10,
"Spawn To x86": "%windir%\\syswow64\\dllhost.exe",
"Port": 80,
"Watermark": 0,
"C2 Host Header": "",
"HTTP Method Path 2": "/jquery-3.3.2.min.js",
"Beacon Type": "0 (HTTP)",
"C2 Server": "bunced.net,/jquery-3.3.1.min.js",
"Method 1": "GET",
"Spawn To x64": "%windir%\\sysnative\\dllhost.exe",
"Method 2": "POST",
"Polling": 5000
},
"time": 1639100538593.3,
"sha1": "18ddb5fac720599983791036e43154a9ce67ffde",
"uri_queried": "/Uq4b"
}
}
shytur.com
179.43.176.93:80
216.73.159.33:80
179.43.176.80:80
{
"x64": {
"config": {
"Port": 80,
"Beacon Type": "0 (HTTP)",
"Spawn To x86": "%windir%\\syswow64\\dllhost.exe",
"Polling": 5000,
"Method 2": "POST",
"C2 Server": "shytur.com,/jquery-3.3.1.min.js",
"C2 Host Header": "",
"Method 1": "GET",
"Spawn To x64": "%windir%\\sysnative\\dllhost.exe",
"Watermark": 0,
"Jitter": 10,
"HTTP Method Path 2": "/jquery-3.3.2.min.js"
},
"uri_queried": "/RnJS",
"md5": "22bbd14a893b19220e829940ad474687",
"sha256": "10084d7146462d06c599bd14664d14c511b40687e21983e6f8bded06982931a9",
"sha1": "06ef512d5a2b9353b6d0a412a1876e02d3474527",
"time": 1640639559417.7
},
"x86": {
"config": {
"Port": 80,
"Beacon Type": "0 (HTTP)",
"Spawn To x86": "%windir%\\syswow64\\dllhost.exe",
"Polling": 5000,
"Method 2": "POST",
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 15 of 22
"C2 Server": "shytur.com,/jquery-3.3.1.min.js",
"C2 Host Header": "",
"Method 1": "GET",
"Spawn To x64": "%windir%\\sysnative\\dllhost.exe",
"Watermark": 0,
"Jitter": 10,
"HTTP Method Path 2": "/jquery-3.3.2.min.js"
},
"uri_queried": "/COPz",
"md5": "a48fbea91a31afaf348f713b1f59dfbf",
"sha256": "d281caef6c8fc45d8725d6cd1542234aea35b97b99bb6aaff7688d91a10716f0",
"sha1": "7d700ad69d2800de159af5f50bbb82e89467d8b4",
"time": 1640639554775.3
}
}
cirite.com
23.81.246.30
Ja3: a0e9f5d64349fb13191bc781f81f42e1
Ja3s: ae4edc6faf64d08308082ad26be60767
Certificate: [f1:43:f2:43:29:79:35:ad:b5:60:c7:79:3a:0f:c6:68:a3:f2:d5:d1 ]
Not Before: 2021/10/22 00:00:00 UTC
Not After: 2022/10/22 23:59:59 UTC
Issuer Org: Sectigo Limited
Subject Common: cirite.com [cirite.com ,www.cirite.com ]
Public Algorithm: rsaEncryption
{
"beacontype": [
"HTTPS"
],
"sleeptime": 5000,
"jitter": 20,
"maxgetsize": 1864736,
"spawnto": "AAAAAAAAAAAAAAAAAAAAAA==",
"license_id": 0,
"cfg_caution": false,
"kill_date": null,
"server": {
"hostname": "cirite.com",
"port": 443,
"publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCNZaG28qpSpw7xhHStBrU+s2eWiOIBlBERsSzWagdI1TzzJHc/Evkk
},
"host_header": "",
"useragent_header": null,
"http-get": {
"uri": "/posting",
"verb": "GET",
"client": {
"headers": null,
"metadata": null
},
"server": {
"output": [
"print",
"prepend 600 characters",
"base64",
"base64url"
]
}
},
"http-post": {
"uri": "/extension",
"verb": "POST",
"client": {
"headers": null,
"id": null,
"output": null
}
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 16 of 22
},
"tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"crypto_scheme": 0,
"proxy": {
"type": null,
"username": null,
"password": null,
"behavior": "Use IE settings"
},
"http_post_chunk": 0,
"uses_cookies": true,
"post-ex": {
"spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
"spawnto_x64": "%windir%\\sysnative\\rundll32.exe"
},
"process-inject": {
"allocator": "VirtualAllocEx",
"execute": [
"CreateThread",
"CreateRemoteThread",
"RtlCreateUserThread"
],
"min_alloc": 23886,
"startrwx": false,
"stub": "Ms1B7fCBDFtfSY7fRzHMbQ==",
"transform-x86": [
"prepend '\\x90\\x90\\x90'"
],
"transform-x64": [
"prepend '\\x90\\x90\\x90'"
],
"userwx": false
},
"dns-beacon": {
"dns_idle": null,
"dns_sleep": null,
"maxdns": null,
"beacon": null,
"get_A": null,
"get_AAAA": null,
"get_TXT": null,
"put_metadata": null,
"put_output": null
},
"pipename": null,
"smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"stage": {
"cleanup": true
},
"ssh": {
"hostname": null,
"port": null,
"username": null,
"password": null,
"privatekey": null
}
}
wayeyoy.com
172.241.29.192:443
Certificate: [00:e7:34:3a:ad:bc:61:59:16:5e:d4:2b:e7:64:fa:8c:d5:42:40:17]
Not Before: 2021/12/07 00:00:00 UTC
Not After: 2022/12/07 23:59:59 UTC
Issuer Org: Sectigo Limited
Subject Common: wayeyoy.com [wayeyoy.com ,www.wayeyoy.com ]
Public Algorithm: rsaEncryption
A configuration was not obtained for this server. Exfiltration We did not observe any exfiltration indicators while analyzing
host and network forensic artifacts. This does not mean that there was no exfiltration, as this could have been performed via
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 17 of 22
Cobalt Strike beacons over encrypted channels. Impact On the 19th day of the intrusion, the threat actors prepared for their
final objectives. From the beachhead host, the directory listings of the domain controllers were checked again, followed by
the backup server. On the beachhead host, we observed the threat actors attempt to execute the final ransomware payload.
From that host however the attempt failed. The threat actors then proceeded to look for other elevation paths. After a failed
attempt with CVE-2021-42278 and CVE-2021-42287, the threat actors executed Cobalt Strike beacons on a couple of
domain controllers. Once they established this access, around twenty minutes later, they again attempted the ransomware
deployment and this time the payload executed properly and began spreading across the network via SMB. The threat actors
deployed ransomware payload in a DLL, named x64.dll, which was executed using backup.bat batch script.
This x64.dll DLL contains fingerprints, “conti_v3.dll”, seen in our previous cases:
We didn’t dig into reversing this DLL, as a detailed step-by-step analysis already exists, and gives an excellent explanation
of command line parameters used during the execution of Conti ransomware. Once the threat actors pushed the encryptor to
C$, an excessive SMB network activity were generated in a short period of time (~7K) as indicated by the chart.
This resulted in files being encrypted and a ‘readme.txt’ ransom note generated on the hosts:
The ransom note has slightly been
modified from our last Conti cases:
Indicators Network
Email Addresses used for Atera Registration:
marsmors1947@gmail.com
hughess6623@outlook.com
5.181.80.214:80
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 18 of 22
guguchrome.com
5.181.80.113:443
applesflying.com
103.208.86.7:80
bunced.net
172.241.29.192:443
wayeyoy.com
23.81.246.30:443
cirite.com
216.73.159.33:80
shytur.com
File
data.dll
71c8eb081c33fd6b2c10effa92154a18
8222ed4fcac2c7408e7fbb748af1752e72bb9b01
baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3
Faicuy4.exe
fe4fb0b3ca2cb379d74cd239e71af44f
6ccd04b109a5148a04ae3ac7f6bc061ccab2122f
a79f5ce304707a268b335f63d15e2d7d740b4d09b6e7d095d7d08235360e739c
Ewge.dll/Ijucko32.dll
b3053228b51ae7af99e0abfa663368d5
670d974d936262c1c569442238d953ed009f7c79
4d62929aa9e76694a62b46bc05425452f26e1e9b09ea6f294850ace825229966
Edebef4.dll
7375eccff18bef7e89665d1a7f31edca
a0836d54aa2a783fd8bae685a1b94e913b655430
50d2a2564541887570cf784c677de6900aa503648c510927e08c32b5a6ae3bf5
x64.dll
28bd01b6b3efa726bf00d633398c5c8a
11012f0074e37e105c404a2eda61f9d652b8c03d
8fb035b73bf207243c9b29d96e435ce11eb9810a0f4fdcc6bb25a14a0ec8
Detections Suricata
ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
ET MALWARE Cobalt Strike Beacon Activity (GET)
ETPRO POLICY Observed Atera Remote Access Application Activity Domain in TLS SNI
ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement
ET POLICY SMB Executable File Transfer
ET POLICY SMB2 NT Create AndX Request For an Executable File
ET HUNTING Possible Powershell .ps1 Script Use Over SMB
ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File
Sigma
https://github.com/SigmaHQ/sigma/blob/a3eed2b760abddfd62014fcf9ae81f435b216473/rules/windows/process_access/proc_access_win_lsass_memdum
https://github.com/SigmaHQ/sigma/blob/11b6b24660c045bb907ed43cfe007349764173bc/rules/windows/powershell/powershell_script/posh_ps_powervi
https://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process_creation/proc_creation_win_ad_find_dis
https://github.com/SigmaHQ/sigma/blob/6b3fc11a48e8aa2773dfe266c3be11e4c4c973a5/rules/windows/process_creation/proc_creation_win_powershell_
https://github.com/SigmaHQ/sigma/blob/eb382c4a59b6d87e186ee269805fe2db2acf250e/rules/windows/builtin/security/win_admin_share_access.yml
https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/application/win_software_atera_rmm_age
https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_trust_disco
https://github.com/SigmaHQ/sigma/blob/becf3baeb4f6313bf267f7e8d6e9808fc0fc059c/rules/windows/process_creation/proc_creation_win_susp_recon_a
https://github.com/SigmaHQ/sigma/blob/e049058d14dd9ec09771b38ed4d59e8b49ba1bad/rules/windows/builtin/security/win_security_cobaltstrike_servi
title: CHCP CodePage Locale Lookup
status: Experimental
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Page 19 of 22
description: Detects use of chcp to look up the system locale value as part of host discovery
author: _pete_0, TheDFIRReport
references:
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
date: 2022/02/21
modified: 2022/02/21
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\chcp.com'
CommandLine|endswith:
- 'chcp'
ParentImage|endswith:
- '\cmd.exe'
ParentCommandLine|contains:
- '/c'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high
tags:
- attack.discovery
- attack.t1614.001
YARA
/*
YARA Rule Set
Author: The DFIR Report
Date: 2022-04-04
Identifier: 9438 conti
Reference: https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
*/
/* Rule Set ----------------------------------------------------------------- */
rule cs_exe_9438 {
meta:
description = "9438 - file Faicuy4.exe"
author = "TheDFIRReport"
reference = "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/"
date = "2022-04-04"
hash1 = "a79f5ce304707a268b335f63d15e2d7d740b4d09b6e7d095d7d08235360e739c"
strings:
$x1 = "C:\\Users\\Administrator\\Documents\\Visual Studio 2008\\Projects\\MUTEXES\\x64\\Release\\MUTEXES
$s2 = "mutexes Version 1.0" fullword wide
$s3 = "