{
	"id": "cefb892b-d568-47ab-9948-cf5fc14ff306",
	"created_at": "2026-04-06T01:31:42.653833Z",
	"updated_at": "2026-04-10T13:12:23.392739Z",
	"deleted_at": null,
	"sha1_hash": "8f580a6b7195b359872695027f204ab54fd6e72b",
	"title": "BlackSuit Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5953897,
	"plain_text": "BlackSuit Ransomware\r\nBy editor\r\nPublished: 2024-08-26 · Archived: 2026-04-06 00:42:19 UTC\r\nKey Takeaways\r\nIn December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and\r\nended in the deployment of BlackSuit ransomware.\r\nThe threat actor leveraged various tools, including Sharphound, Rubeus, SystemBC, Get-DataInfo.ps1,\r\nCobalt Strike, and ADFind, along with built-in system tools.\r\nCommand and control traffic was proxied through CloudFlare to conceal their Cobalt Strike server.\r\nAn audio version of this report can be found on Spotify, Apple, YouTube, Audible, \u0026 Amazon. \r\nThe DFIR Report Services\r\nPrivate Threat Briefs: Over 20 private DFIR reports annually.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver,\r\netc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, opendir\r\nreports, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions.\r\nInteractive labs are available with different difficulty levels and can be accessed on-demand,\r\naccommodating various learning speeds.\r\nContact us today for pricing or a demo!\r\nTable of Contents:\r\nCase Summary\r\nServices\r\nAnalysts\r\nInitial Access\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nhttps://thedfirreport.com/2024/08/26/blacksuit-ransomware/\r\nPage 1 of 44\n\nCredential Access\r\nDiscovery\r\nLateral Movement\r\nCollection\r\nCommand and Control\r\nExfiltration\r\nImpact\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nDetections\r\nMITRE ATT\u0026CK\r\nCase Summary\r\nThe intrusion began in December 2023, with the initial sign being the execution of an unusually 
large-sized Cobalt\r\nStrike beacon. After the beacon’s execution, there was no immediate follow-up activity. The initial access delivery\r\nmethod for the intrusion remains unclear, as there was no evidence available. The Cobalt Strike C2 traffic\r\nbeaconed to IP addresses managed by CloudFlare, which acted as a proxy server between the victim network and\r\ntheir team server.\r\nApproximately six hours after the initial execution, the threat actor used Windows utilities, such as systeminfo and\r\nnltest, to perform enumeration on the system and environment. After that, they conducted AS-REP Roasting and\r\nKerberoasting attacks against two of the domain controllers, utilizing Rubeus, which was executed in memory via\r\nCobalt Strike. Following this, the threat actor ran Sharphound in memory through the Cobalt Strike beacon and\r\nsaved the output to disk.\r\nAround ten minutes after the initial discovery, the threat actor carried out their first lateral movement. They\r\ntransferred a Cobalt Strike beacon via SMB and executed it through a service to compromise another workstation.\r\nOn that workstation, they accessed LSASS to obtain credentials from memory. Throughout the second day of the\r\nintrusion, the threat actor deployed multiple Cobalt Strike beacons on workstations and servers and also used RDP\r\nfor further lateral movement.\r\nThe threat actor deployed multiple SystemBC executables on one of the file servers. The second executable\r\nestablished persistence through a registry run key and opened a new command and control channel. After a busy\r\nsecond day of activity, the intrusion went silent. On the seventh day, the Cobalt Strike command and control\r\ndomain stopped using CloudFlare and switched to an Amazon AWS IP address for the remainder of the intrusion.\r\nOn the eighth day, the threat actors deployed a new PowerShell Cobalt Strike beacon on a domain controller, this\r\ntime pointing to a separate command and control server. 
After two days of inactivity, the intrusion resumed with\r\nmore Cobalt Strike beacons being distributed, along with several RDP logins. More discovery activity was noticed\r\nwhen Sharphound was executed again. The threat actor attempted multiple times to run ADFind but failed in each\r\ninstance.\r\nFive days later, the threat actor returned to finalize their objectives. This time, ADFind was executed successfully,\r\nfollowed by the execution of the PowerShell script Get-DataInfo.ps1. The final step was the deployment of the\r\nBlackSuit ransomware binary, qwe.exe, which was distributed via SMB to remote systems through the C$ share.\r\nThe attacker then manually connected to these systems using RDP to execute the ransomware. Upon execution,\r\nthe ransomware used vssadmin to delete shadow copies before encrypting the hosts. The Time to Ransomware\r\n(TTR) was just under 328 hours, spanning 15 calendar days, with files being encrypted and the BlackSuit ransom\r\nnote left on desktops and folders across the systems.\r\nIf you would like to get an email when we publish a new report, please subscribe here. Follow us on LinkedIn for\r\nadditional insights and notifications!\r\nAnalysts\r\nAnalysis and reporting completed by @MetallicHack, @yatinwad, and @malforsec.\r\nInitial Access\r\nThe earliest sign of the threat actor’s presence was the execution of a Cobalt Strike beacon, identified as\r\nRtWin64.exe. Despite thorough investigation, the initial access point for the beacon’s deployment could not be\r\ndetermined.\r\nExecution\r\nCobalt Strike PsExec\r\nCobalt Strike served as the primary tool utilized by the threat actor, with a particular focus on its capabilities that\r\nmimic Sysinternals PsExec. These features, including psexec and psexec_psh, enable remote process execution\r\nacross systems. 
The psexec module functions by uploading a binary to the target system, then creating and\r\nlaunching a Windows service to execute the file.\r\nThe eventID 7045 in Windows System logs shows the services created on the system:\r\nThe psexec command spawned a rundll32.exe process.\r\nThe psexec_psh module doesn’t copy a binary to the target, but instead executes a PowerShell one-liner. The\r\npattern it uses is %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand …\r\nPersistence\r\nRegistry Run Key\r\nTo ensure persistent access to the environment, the threat actor created a run key named “socks5” within the\r\nCurrent User registry hive. The registry key’s configuration indicated that PowerShell would be used to launch a\r\nSystemBC backdoor named socks32.exe.\r\nSysmon eventID 13 (Registry value set) shows changes to a registry key value:\r\nOne interesting thing to mention is that the registry value name socks5 created under the Run key is hard-coded.\r\nThe data is a string (type REG_SZ) which starts with powershell.exe windowstyle -hidden Command\r\nconcatenated with the current executable name, which is obtained using GetModuleFileNameA with a null\r\nhModule first parameter.\r\nScheduled Task\r\nSystemBC possesses the ability to create scheduled tasks using COM, as demonstrated in the following example.\r\nWhile other reports have noted SystemBC utilizing this feature, it likely wasn’t employed in our case, as no\r\nevidence of scheduled task creation was observed during our investigation.\r\nIt first uses the function CoCreateInstance to create an instance of an ITaskScheduler object and then calls the\r\nmethod NewWorkItem to create a scheduled task.\r\nPrivilege Escalation\r\nOn a workstation that the 
threat actor moved laterally to, we observed use of named pipes.\r\nUsually, when observing this behavior from Cobalt Strike, this tends to be usage of the getsystem command to\r\nelevate privileges; however, in this case we observed that the parent process was not services.exe and the threat actor\r\nwas already running as SYSTEM. This activity was seen in correlation with the pass-the-hash behavior listed in Lateral\r\nMovement. The threat actor changed to the context of a domain administrator and then was observed moving\r\nlaterally again using Cobalt Strike, so we attribute this activity to pass-the-hash command execution activity rather\r\nthan getsystem.\r\nDefense Evasion\r\nModify Registry\r\nThe threat actor employed an encoded PowerShell command to modify the registry, enabling Remote Desktop\r\nProtocol (RDP) access to a file server.\r\nSetting the registry key “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server”\r\nDenyTSConnections to 0 will allow terminal server connections to the host.\r\nProcess Injection\r\nGiven the threat actor’s extensive use of Cobalt Strike beacons, we anticipated the use of process injection as a\r\nmethod of evading detection by hiding within legitimate processes.\r\nUpon analyzing process injections and access patterns from Cobalt Strike-generated processes, we successfully\r\nidentified the suspicious activity we were searching for.\r\nThese injections can then be confirmed using things like YARA memory scanning:\r\nCredential Access\r\nThe threat actor undertook multiple actions to obtain valid credentials, primarily leveraging Rubeus as the key\r\ntool. 
During our investigation, we discovered that Rubeus had been loaded into mstsc.exe—a process previously\r\ninjected by Cobalt Strike—functioning as a CLR module.\r\nAS-REP roasting\r\nAS-REP roasting was the first credential access activity performed by the threat actor. This was done with Rubeus\r\non the beachhead host targeting a domain controller.\r\nRubeus writing the result of AS-REP roasting output to a file:\r\nIndications of AS-REP roasting can be found by looking for Windows eventID 4768 on the target domain\r\ncontroller. The request is for authentication tickets (TGTs) with “Pre-Authentication Type” set to 0, meaning no\r\npassword is required.\r\nA lot of Kerberos Authentication Tickets were requested during AS-REP Roasting:\r\nKerberoasting\r\nThe threat actor used Rubeus to conduct a Kerberoasting attack. During this period of time, we observed\r\nnumerous Kerberos ticket requests, specifically using encryption type 0x17, which corresponds to RC4\r\nencryption. These RC4 encryption requests coincided with the execution of Rubeus and targeted multiple accounts\r\nacross the domain.\r\nRubeus executed in memory by Cobalt Strike creating kerberoast output:\r\nEventID 4769 on a domain controller showing requests for tickets with weak encryption:\r\nLSASS memory access\r\nThe threat actor accessed LSASS memory on a workstation with a specific access request of 0x1010, where\r\n0x0010 is necessary to read memory using ReadProcessMemory. This request originated from a process that had\r\nbeen injected with Cobalt Strike.\r\nSysmon eventID 10 shows mstsc.exe accessing lsass with the access mask 0x1010:\r\nDiscovery\r\nDiscovery plays a critical role for the threat actor in assessing the environment they have infiltrated. 
Throughout\r\nthe intrusion, the attacker conducted discovery activities across multiple systems, gathering valuable intelligence\r\non the network and its assets.\r\nHands On Keyboard\r\nDiscovery began on the beachhead host approximately six hours after initial access. The first command executed\r\nwas “systeminfo,” aimed at gathering details about the local system. Shortly after, the command “nltest /dclist”\r\nwas issued to identify the domain controllers within the environment.\r\nSysmon eventID 1 shows evidence of running the commands:\r\nSharphound\r\nOnce the threat actor identified the domain controllers, they wasted no time and promptly loaded Sharphound into\r\nmemory via Cobalt Strike. This allowed them to conduct further discovery activities within the environment,\r\nexpanding their reconnaissance efforts.\r\nWe have some proof showing mstsc.exe loading Sharphound as a CLR (Common Language Runtime) module.\r\nmstsc.exe is the child process of the Cobalt Strike beacon RtWin64.exe. The below screenshot taken from the EDR\r\ntelemetry depicts that:\r\nOutput from Sharphound was stored in “C:\\Windows\\Temp\\Dogi\\”. The recurring use of this directory aligns with\r\nbehaviors documented in a different report, BazarCall to Conti Ransomware chain. This suggests a potential\r\noperational signature or TTP (Tactics, Techniques, and Procedures) common to this threat actor group or its\r\noperators. Based on the output files created, it looks like it was run in default mode as described below.\r\nSysmon eventID 11 showing the files created:\r\nSharphound appeared to be running in its default mode, which involves enumerating local group memberships by\r\nquerying the Windows Security Accounts Manager (SAM) database remotely through the samr pipe on the target\r\nhost. 
This pipe is exposed via the IPC$ share, and corresponding activity can be detected by monitoring Windows\r\nsecurity events with event ID 5145. A similar approach is used to discover logged-on users; however, in this case,\r\nSharphound communicates with the srvsvc pipe, utilizing the Server Service Remote Protocol.\r\nWindows eventlog eventID 5145 showing Sharphound enumeration activity:\r\nWhen Sharphound enumerates the Active Directory through LDAP searches, it performs an excessive number of\r\nqueries.\r\nExample of Sharphound LDAP searches:\r\n\"(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=5368\r\nSharphound executed in memory by Cobalt Strike, performing LDAP queries:\r\nSharphound was initially executed on the beachhead host. Later in the intrusion, the threat actor ran Sharphound\r\ntwo more times, this time on a domain controller. The output from the first run was saved to\r\n“C:\\Windows\\System32\\”, while the second run’s results were directed to “C:\\Perflogs\\”.\r\nAgain Sysmon eventID 11 caught the files created by Sharphound:\r\nWindows Security eventID 4799 shows Sharphound performing discovery on local security-enabled groups:\r\nMore information on how Sharphound functions can be found here:\r\nMore ways to detect LDAP queries generally in this great article here:\r\nADFind\r\nADFind, a tool frequently used by threat actors, was also employed in this intrusion to conduct enumeration and\r\ndiscovery. 
After gaining access to the second domain controller, the threat actor created “ADFind.exe” and\r\n“adf.bat” in an attempt to gather further Active Directory information.\r\nSysmon eventID 11 showing creation of ADFind.exe and adf.bat by Cobalt Strike:\r\nA few seconds after creation of the files, the threat actor was eager to collect the desired information and executed\r\nadf.bat via cmd.exe:\r\nNo additional commands were observed after each batch file execution. This indicates the operator may have\r\nencountered difficulties, as the batch file was executed twice within just over a minute of the initial attempt,\r\nsuggesting potential issues or missteps during execution.\r\nSysmon eventID 11 shows the creation of the files with the output of ADFind:\r\nIt’s possible that the files ended up being empty, causing the threat actor to reconsider their approach. About 15\r\nminutes later, the operator tried running ADFind.exe directly from the command line, likely to verify whether the\r\ntool would execute properly.\r\nAfter failing to determine the cause of the issue, the threat actor stayed quiet until the next day. The operator likely\r\nmade an error by trying to run “adf.bat” from “C:\\Windows\\System32\\” when both “adf.bat” and\r\n“ADFind.exe” were actually located in “C:\\Perflogs\\adf\\”. Because of this, “ADFind.exe” probably couldn’t\r\nbe found as an executable in the wrong directory, leading to the error.\r\nAfter several days, the threat actor decided to give ADFind another try. This time, on the file server, the operator\r\nwas successful in running adf.bat correctly to find ADFind.exe and perform the desired discovery activity:\r\nSysmon eventID 1 showing the threat actor running adf.bat:\r\nResulting in several adfind.exe process events:\r\nGet-DataInfo.ps1\r\nThe threat actor also used a PowerShell script to enumerate local systems. 
Together with a batch script called\r\n“start.bat”, the threat actor ran Get-DataInfo.ps1 on both a domain controller and a different server in the\r\nenvironment. We have seen this PowerShell script used several times before. Interestingly, PowerShell was\r\ninitiated using the start.bat file. However, the start.bat file did not work as intended and passed the “method”\r\nparameter to the Get-DataInfo.ps1 script, which is not recognized as a valid parameter. As a result, it ran in default\r\nmode. This behavior may have confused the operator at the keyboard, which would explain why the batch script was run\r\nseveral times in a row on both servers.\r\nSysmon EventID 1 shows start.bat executes Get-DataInfo.ps1 with parameter method:\r\nThe start.bat script tries to set a variable called method to the discovery method chosen by the user if the method\r\nis not typed on the command line:\r\nThe issue with the script arises from the fact that the variable “method” does not receive the user-chosen value\r\nuntil after the IF condition is complete. Additionally, the variable must be referenced as %method% to capture the\r\nuser input correctly. 
This oversight explains why the PowerShell command initiating Get-DataInfo.ps1 includes\r\n“method” as a parameter on the command line:\r\nThe below will end up running the Get-DataInfo.ps1 script in default mode:\r\nThe default mode will run the Test-LHost, Get-DiskInfo and Get-Software functions in the script before\r\ncalling the last function, Compress-Result:\r\nSysmon eventID 1 showing the execution:\r\nSysmon eventID 1 process create showing several runs of start.bat:\r\nWindows Utilities\r\nThe threat actor performed several discovery commands using various Windows utilities at various times during\r\nthe intrusion.\r\nC:\\Windows\\system32\\\\cmd.exe /C systeminfo\r\nC:\\Windows\\system32\\cmd.exe /C net group \"domain admins\" /domain\r\nC:\\Windows\\system32\\cmd.exe /C nltest /dclist \u003cdomainname redacted\u003e\r\nnltest /domain_trusts /all_trusts\r\nC:\\Windows\\system32\\cmd.exe /C net group \"enterprise admins\" /domain\r\nC:\\Windows\\system32\\cmd.exe /C ping \u003chostname redacted\u003e\r\nC:\\Windows\\system32\\taskmgr.exe /4\r\nC:\\Windows\\system32\\cmd.exe /C All windows Import-Module ActiveDirectory Get-ADComputer -Filter {enab\r\nC:\\Windows\\system32\\cmd.exe /C route print\r\nC:\\Windows\\system32\\cmd.exe /C ping http://\u003cIP redacted\u003e/\r\nAdministrator Consoles\r\nOn the final day of the intrusion, the threat actor accessed the administrative consoles for both DNS and Group\r\nPolicy. 
Shortly after, they proceeded to deploy ransomware across the environment.\r\nC:\\Windows\\system32\\mmc.exe C:\\Windows\\system32\\dsa.msc\r\nC:\\Windows\\system32\\mmc.exe C:\\Windows\\System32\\gpedit.msc\r\nLateral Movement\r\nPass the hash\r\nAn examination of logon activity within the environment revealed evidence pointing to pass-the-hash attacks.\r\nSpecifically, Windows Security logs with event ID 4624, showing logon type 9 and the Logon Process listed as\r\n“seclogo,” serve as solid indicators of the pass-the-hash technique employed by the threat actor.\r\nThe threat actor used three main methods for lateral movement. First, Cobalt Strike utilized SMB ADMIN$ shares\r\nto move beacons laterally, along with distributing both SMB and HTTPS beacons. Secondly, they used Remote\r\nDesktop Protocol to access a file server and a backup server, where they performed discovery activity. Lastly, the\r\nthreat actor used the hidden SMB share C$ to distribute the ransomware executable to strategic endpoints within\r\nthe infrastructure.\r\nA domain controller was used as the main pivot point by the threat actor.\r\nOverview of lateral movement involving SMB ADMIN$ shares and RDP:\r\nTo investigate access to the SMB ADMIN$ share, the Windows event log proves invaluable. 
By examining\r\nSystem event ID 5145, which indicates “A network share object was checked…,” we can track the movement of\r\nbeacons by the threat actor across the network, gaining essential insight into their lateral movements and\r\nactivities.\r\nRDP activity can be identified with Windows Security eventID 4624 where the logon type equals 10\r\n(RemoteInteractive – “A user logged on to this computer remotely using Terminal Services or Remote Desktop.”)\r\nWindows security event ID 5145 was used to demonstrate lateral movement once again, showing SMB C$ share\r\nusage.\r\nCobalt Strike SMB beacons, used for lateral movement, were distributed on the beachhead and on a domain\r\ncontroller:\r\nThe configuration of the SMB beacons:\r\nxorkey b'.' 2e\r\n0x0001 payload type 0x0001 0x0002 2 windows-beacon_smb-bind_pipz\r\n0x0002 port 0x0001 0x0002 4444\r\n0x0003 sleeptime 0x0002 0x0004 10000\r\n0x0004 maxgetsize 0x0002 0x0004 2048576\r\n0x0005 jitter 0x0001 0x0002 0\r\n0x0006 maxdns 0x0001 0x0002 0\r\n0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d00308\r\n0x0008 server,get-uri 0x0003 0x0100 (NULL ...)\r\n0x0009 useragent 0x0003 0x0080 (NULL ...)\r\n0x000a post-uri 0x0003 0x0040 (NULL ...)\r\n0x000b Malleable_C2_Instructions 0x0003 0x0100\r\n Transform Input: [7:Input]\r\n0x000c http_get_header 0x0003 0x0100\r\n0x000d http_post_header 0x0003 0x0100\r\n0x000e SpawnTo 0x0003 0x0010 (NULL ...)\r\n0x001d spawnto_x86 0x0003 0x0040 '%windir%\\\\syswow64\\\\SyncHost.exe'\r\n0x001e spawnto_x64 0x0003 0x0040 '%windir%\\\\sysnative\\\\mstsc.exe'\r\n0x000f pipename 0x0003 0x0080 '\\\\\\\\.\\\\pipe\\\\WkSvcPipeMgr_JORW2e'\r\n0x001f CryptoScheme 0x0001 0x0002 0\r\n0x0037 EXIT_FUNK 0x0001 0x0002 0\r\n0x0028 killdate 0x0002 0x0004 0\r\n0x0025 license-id 0x0002 0x0004 674054486 Stats uniques -\u003e 
ips/hostnames: 60 pu\r\n0x0024 deprecated 0x0003 0x0020 'bfnETSwzb1Xsa2g6gr+auA=='\r\n0x0026 bStageCleanup 0x0001 0x0002 1\r\n0x0027 bCFGCaution 0x0001 0x0002 0\r\n0x0029 textSectionEnd 0x0002 0x0004 1\r\n0x002a ObfuscateSectionsInfo 0x0003 0x0028 '\\x00\\x10\\x00\\x00\\x95`\\x02\\x00\\x00p\\x02\\x00À\\n\r\n0x003a TCP_FRAME_HEADER 0x0003 0x0080 '\\x00\\x0fk\\x1d^ôá±\\x81Bª\\x1da'\r\n0x0039 SMB_FRAME_HEADER 0x0003 0x0080 '\\x00\\x1ek\\x01oÿ\u003eñëb±\\x1b ×\\x85\\x8e¥X\\x1eOQË©¶\r\n0x002b process-inject-start-rwx 0x0001 0x0002 4 PAGE_READWRITE\r\n0x002c process-inject-use-rwx 0x0001 0x0002 32 PAGE_EXECUTE_READ\r\n0x002d process-inject-min_alloc 0x0002 0x0004 13891\r\n0x002e process-inject-transform-x86 0x0003 0x0100 '\\x00\\x00\\x00U\\x0f\\x1f\\x84\\x00\\x00\\x00\\x00\\x00\\\r\n0x002f process-inject-transform-x64 0x0003 0x0100 '\\x00\\x00\\x00\\x16f\\x90f\\x0f\\x1fD\\x00\\x00f\\x90\\x\r\n0x0035 process-inject-stub 0x0003 0x0010 'ÅNí/½Ée\\\\\\x0c\\x13U\\x0f\\x04Ç,('\r\n0x0033 process-inject-execute 0x0003 0x0080 '\\x06\\x04\\x07\\x00\\x00\\x00\\x06ntdll\\x00\\x00\\x00\\\r\n0x0034 process-inject-allocation-method 0x0001 0x0002 0\r\n0x0030 DEPRECATED_PROCINJ_ALLOWED 0x0001 0x0002 1\r\n0x0010 killdate_year 0x0001 0x0002 0\r\n0x004a 0x0003 0x0020 'ÌÑ¶\\x8f½ÉeDc~buq®FJô\\x16\\x9ccß\\x82+\\td\\x7ff_\r\n0x0000\r\nGuessing Cobalt Strike version: 4.4 (max 0x004a)\r\nThe threat actor’s use of RDP and tunnels via SystemBC left behind crucial artifacts that helped identify their\r\nactivities. Notably, we detected two hostnames, “DESKTOP-0MEMSEA” and “DESKTOP-BIFFSC7”, which\r\nwere used during the intrusion. 
These artifacts appeared in various logs, including Sysmon event ID 24 (clipboard\r\nchange), Windows Security event ID 4624 (logon), event ID 4778 (terminal session reconnect), and event ID 4779\r\n(terminal server disconnect), providing multiple points of evidence linking the threat actor’s presence across the\r\nenvironment.\r\nHere is an overview of the RDP sessions where the threat actor used these two hosts:\r\nCollection\r\nArchiving\r\nThe threat actor used 7z to archive data output from running the Get-DataInfo.ps1 PowerShell script.\r\nSysmon eventID 1 showing execution of 7z.exe archiving data:\r\nLooking for interesting files\r\nIn their pursuit of valuable data, the threat actor browsed through file systems, selectively opening files they\r\ndeemed interesting. Documents containing passwords, financial information, and other sensitive data were\r\nspecifically targeted, as these types of files typically hold high value for the intruders.\r\nSysmon eventID 1 showing Notepad and Wordpad used to open and look at files:\r\nCommand and Control\r\nFor command and control, the threat actor used two main tools, Cobalt Strike and SystemBC.\r\nCobalt Strike\r\nOverview of Cobalt Strike traffic beaconing pattern over intrusion:\r\nThe initial Cobalt Strike beacon, delivered via RtWin64.exe on the beachhead host, maintained a continuous\r\ncommand and control domain at svchorst[.]com throughout the entire infection. 
The IP address associated with the\r\ndomain changed over time, and the communication process also shifted as queries were injected into different\r\nprocesses by RtWin64.exe.\r\nTo further obfuscate its presence, the threat actor initially routed the Cobalt Strike command and control traffic\r\nthrough CloudFlare’s CDN service, effectively attempting to hide in plain sight by blending into legitimate web\r\ntraffic.\r\nThe 104[.]21.76.140 and 172[.]67.196.25 addresses belonged to Cloudflare.\r\nLater in the intrusion, the command and control (C2) server moved away from CloudFlare, and subsequently, the\r\ndomain resolved to an AWS IP address.\r\nDNS queries performed for svchorst[.]com:\r\nNetwork connections to svchorst[.]com:\r\nUsing Didier Stevens’ great tool 1768.py, we successfully extracted the configuration of the Cobalt Strike beacon,\r\nwhich validated the host artifacts discovered on the beachhead host.\r\nxorkey b'.' 
2e\r\n0x0001 payload type 0x0001 0x0002 8 windows-beacon_https-reverse_https\r\n0x0002 port 0x0001 0x0002 443\r\n0x0003 sleeptime 0x0002 0x0004 50408\r\n0x0004 maxgetsize 0x0002 0x0004 4103260\r\n0x0005 jitter 0x0001 0x0002 30\r\n0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d00308\r\n428d39816f41810d852974f73e9ae1e7fd525c02221b9761a8f157db0728039c1103f31bb8adae4b4fed45f670943616de985\r\n2d999279172b79739f60628e57c311f4234fe65ea8eab3b7d19b0203010001000000000000000000000000000000000000000\r\n00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\n0x0008 server,get-uri 0x0003 0x0100 'svchorst.com,/shiatzu/v2.41'\r\n0x0043 DNS_STRATEGY 0x0001 0x0002 0\r\n0x0044 DNS_STRATEGY_ROTATE_SECONDS 0x0002 0x0004 -1\r\n0x0045 DNS_STRATEGY_FAIL_X 0x0002 0x0004 -1\r\n0x0046 DNS_STRATEGY_FAIL_SECONDS 0x0002 0x0004 -1\r\n0x000e SpawnTo 0x0003 0x0010 (NULL ...)\r\n0x001d spawnto_x86 0x0003 0x0040 '%windir%\\\\syswow64\\\\SyncHost.exe'\r\n0x001e spawnto_x64 0x0003 0x0040 '%windir%\\\\sysnative\\\\mstsc.exe'\r\n0x001f CryptoScheme 0x0001 0x0002 0\r\n0x001a get-verb 0x0003 0x0010 'GET'\r\n0x001b post-verb 0x0003 0x0010 'POST'\r\n0x001c HttpPostChunk 0x0002 0x0004 0\r\n0x0025 license-id 0x0002 0x0004 674054486\r\n0x0024 deprecated 0x0003 0x0020 'bfnETSwzb1Xsa2g6gr+auA=='\r\n0x0026 bStageCleanup 0x0001 0x0002 1\r\n0x0027 bCFGCaution 0x0001 0x0002 0\r\n0x0047 MAX_RETRY_STRATEGY_ATTEMPTS 0x0002 0x0004 0\r\n0x0048 MAX_RETRY_STRATEGY_INCREASE 0x0002 0x0004 0\r\n0x0049 MAX_RETRY_STRATEGY_DURATION 0x0002 0x0004 0\r\n0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) Apple\r\nfari/537.36'\r\n0x000a post-uri 0x0003 0x0040 '/unobservedly/v10.78'\r\nIn the rest of the infrastructure, two distinct types of Cobalt Strike beacons were deployed: HTTPS beacons and\r\nSMB beacons. 
The HTTPS beacons appeared to communicate with three different domains—\r\nwq[.]regsvcast[.]com, as[.]regsvcast[.]com, and zx[.]regsvcast[.]com—though, in reality, only\r\nwq[.]regsvcast[.]com was actively used, resolving to IP address 147.78.47[.]178. This Cobalt Strike server was\r\ntracked as active by the DFIR Threat Feeds from December 21st through January 6th, 2024.\r\nSysmon event ID 22 helped document the DNS queries related to the *regsvcast[.]com domains, providing further\r\ninsight into the network activity tied to the Cobalt Strike infrastructure.\r\nSysmon event ID 3 logs every network connection made, provided it’s not disabled in the Sysmon configuration.\r\nThis can be particularly useful, as some EDR solutions apply rate limits to this type of artifact.\r\nSince Cobalt Strike beacons can generate significant traffic, the volume of network connections for each beacon\r\ncan be observed in the final column of these logs, highlighting the frequency and noisiness of the communication\r\nbetween beacons and command and control infrastructure.\r\nBelow is the configuration of the beacon from DC Y, which communicated encrypted over HTTPS on port 443:\r\nFile: b7bcee8.exe\r\npayloadType: 0x00002810\r\npayloadSize: 0x00040405\r\nintxorkey: 0xe43ebc19\r\nid2: 0x00000000\r\nMZ header found position 9\r\nConfig found: xorkey b'.' 
0x0003ac30 0x000403fc\r\n0x0001 payload type 0x0001 0x0002 8 windows-beacon_https-reverse_https\r\n0x0002 port 0x0001 0x0002 443\r\n0x0003 sleeptime 0x0002 0x0004 63612\r\n0x0004 maxgetsize 0x0002 0x0004 2796542\r\n0x0005 jitter 0x0001 0x0002 39\r\n0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d00308\r\n0x0008 server,get-uri 0x0003 0x0100 'qw.regsvcast.com,/hr,as.regsvcast.com,/hr,zx.\r\n0x0043 DNS_STRATEGY 0x0001 0x0002 0\r\n0x0044 DNS_STRATEGY_ROTATE_SECONDS 0x0002 0x0004 -1\r\n0x0045 DNS_STRATEGY_FAIL_X 0x0002 0x0004 -1\r\n0x0046 DNS_STRATEGY_FAIL_SECONDS 0x0002 0x0004 -1\r\n0x000e SpawnTo 0x0003 0x0010 (NULL ...)\r\n0x001d spawnto_x86 0x0003 0x0040 '%windir%\\\\syswow64\\\\runonce.exe'\r\n0x001e spawnto_x64 0x0003 0x0040 '%windir%\\\\sysnative\\\\runonce.exe'\r\n0x001f CryptoScheme 0x0001 0x0002 0\r\n0x001a get-verb 0x0003 0x0010 'GET'\r\n0x001b post-verb 0x0003 0x0010 'POST'\r\n0x001c HttpPostChunk 0x0002 0x0004 0\r\n0x0025 license-id 0x0002 0x0004 1580103824 Stats uniques -\u003e ips/hostnames: 316\r\n0x0026 bStageCleanup 0x0001 0x0002 1\r\n0x0027 bCFGCaution 0x0001 0x0002 0\r\n0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Appl\r\n0x000a post-uri 0x0003 0x0040 '/rw'\r\n0x000b Malleable_C2_Instructions 0x0003 0x0100\r\n Transform Input: [7:Input,4,2:338,3,11]\r\n Print\r\n Remove 338 bytes from begin\r\n BASE64\r\n NETBIOS uppercase\r\n0x000c http_get_header 0x0003 0x0200\r\n Const_header Connection: close\r\n Const_header Accept-Encoding: br\r\n Build Metadata: [7:Metadata,13,3,2:wordpress_logged_in=,6:Cookie]\r\n BASE64 URL\r\n BASE64\r\n Prepend wordpress_logged_in=\r\n Header Cookie\r\n0x000d http_post_header 0x0003 0x0200\r\n Const_header Connection: close\r\n Const_header Accept-Language: en-US\r\n Const_header Content-Type: text/plain\r\n Build Output: [7:Output,3,3,4]\r\n BASE64\r\n BASE64\r\n Print\r\n Build SessionId: 
[7:SessionId,3,2:__session__id=,6:Cookie]\r\n BASE64\r\n Prepend __session__id=\r\n Header Cookie\r\n0x0036 HostHeader 0x0003 0x0080 (NULL ...)\r\n0x0032 UsesCookies 0x0001 0x0002 1\r\n0x0023 proxy_type 0x0001 0x0002 2 IE settings\r\n0x003a TCP_FRAME_HEADER 0x0003 0x0080 '\\x00\\x04'\r\n0x0039 SMB_FRAME_HEADER 0x0003 0x0080 '\\x00\\x04'\r\n0x0037 EXIT_FUNK 0x0001 0x0002 0\r\n0x0028 killdate 0x0002 0x0004 0\r\n0x0029 textSectionEnd 0x0002 0x0004 179426\r\n0x002a ObfuscateSectionsInfo 0x0003 0x0028 '\\x00À\\x02\\x00â¸\\x03\\x00\\x00À\\x03\\x00H\\x92\\x04\\\r\n0x002b process-inject-start-rwx 0x0001 0x0002 4 PAGE_READWRITE\r\n0x002c process-inject-use-rwx 0x0001 0x0002 32 PAGE_EXECUTE_READ\r\n0x002d process-inject-min_alloc 0x0002 0x0004 18046\r\n0x002e process-inject-transform-x86 0x0003 0x0100 '\\x00\\x00\\x00\\x05\\x90\\x90\\x90\\x90\\x90'\r\n0x002f process-inject-transform-x64 0x0003 0x0100 '\\x00\\x00\\x00\\x05\\x90\\x90\\x90\\x90\\x90'\r\n0x0035 process-inject-stub 0x0003 0x0010 '\"+\\x8f\\'Ûßº\\x8dÝU\\x9eì¢~¦H'\r\n0x0033 process-inject-execute 0x0003 0x0080 '\\x01\\x04\\x03'\r\n0x0034 process-inject-allocation-method 0x0001 0x0002 0\r\n0x0000\r\nGuessing Cobalt Strike version: 4.3 (max 0x0046)\r\nSanity check Cobalt Strike config: OK\r\nPublic key config entry found: 0x0003ac65 (xorKey 0x2e) (LSFIF: b'././.,.\u0026.,./.,/')\r\nPublic key header found: 0x0003ac6b (xorKey 0x2e) (LSFIF: b'././.,.\u0026.,./.,/')\r\nOne C2 connection from the Cobalt Strike beacons stands out from the rest: it originates from PowerShell and\r\ncommunicates over plain HTTP to port 80 instead of HTTPS.\r\nCommunicating in clear text gives us the opportunity to look at exactly what was exchanged. The threat actor used\r\nPowerShell to perform the download:\r\nUsing Wireshark to view the exact HTTP request sent to the C2 server:\r\nThe response was a PowerShell script that decodes a Base64-encoded blob using `FromBase64String`. 
At the end\r\nof the script, the decoded data is decompressed (it is a gzip stream, so the same step can be reproduced offline\r\nwith tools like `gunzip`). This behavior is highly indicative of a Cobalt Strike PowerShell stager. Upon decoding\r\nand decompressing the Base64 blob, we uncovered another embedded PowerShell script.\r\nThis second PowerShell script decodes another Base64 blob, but as we can see it also XORs every byte of the result.\r\nXOR with decimal 35 (0x23) is a well-known key for Cobalt Strike PowerShell stagers.\r\nAfter decoding the final Base64 blob and reversing the XOR we get the Cobalt Strike beacon itself and can extract\r\nits configuration. It matches the configuration of the other HTTPS beacons; this time the extraction was done with\r\ncsce (Cobalt Strike Config Extractor), hence the JSON output format:\r\n{\r\n \"beacontype\": [\r\n \"HTTPS\"\r\n ],\r\n \"sleeptime\": 63612,\r\n \"jitter\": 39,\r\n \"maxgetsize\": 2796542,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 1580103824,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"qw.regsvcast.com\",\r\n \"port\": 443,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiCKWZb6nlL/Txn7FIuXF2qwp+LPwdWfzGYeTRr60MZjb\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/hr\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\n \"prepend 338 characters\",\r\n \"base64\",\r\n \"netbiosu\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/ch\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 0,\r\n \"uses_cookies\": true,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\runonce.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\runonce.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"VirtualAllocEx\",\r\n \"execute\": [\r\n \"CreateThread\",\r\n \"RtlCreateUserThread\",\r\n \"CreateRemoteThread\"\r\n ],\r\n \"min_alloc\": 18046,\r\n \"startrwx\": false,\r\n \"stub\": \"IiuPJ9vfuo3dVZ7son6mSA==\",\r\n \"transform-x86\": [\r\n \"prepend '\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"transform-x64\": [\r\n \"prepend '\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"userwx\": false\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nSystemBC\r\nAnother command and control channel used by the threat actor in this intrusion was SystemBC, a tool frequently\r\nfavored by ransomware groups. Its most commonly used feature is its proxy functionality (SystemBC acts as a SOCKS\r\nproxy). Through the SystemBC implant deployed on the file server, the threat actor could reach the internal network\r\nfrom their own external systems and tunnel further actions into the compromised environment.\r\nThe threat actor first brought in SystemBC as a file named SC.exe. 
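Before continuing with SystemBC, here is the stager unpacking chain described in the Command and Control section above (outer Base64 and gzip layer, inner Base64 and XOR 35 layer, then the XOR-encoded beacon config) as a runnable added example. This is not code from the DFIR Report or from the intrusion. The sample stager it unpacks is a constructed fixture that mimics the shape of the observed scripts and wraps a stand-in for the beacon PE whose config carries the port, sleep, jitter and C2 values extracted above. The config walk relies on two Cobalt Strike facts: the config is a sequence of index/type/length/value entries XORed with a single byte (0x2e for 4.x, the `xorkey b'.'` 1768.py reported above; 0x69 for 3.x), and the first entry's header 00 01 00 01 00 02 is what shows up as `././.,` in the 1768.py output. All function names are mine.

```python
import base64
import gzip
import re
import struct

STAGER_XOR_KEY = 35             # the '-bxor 35' (0x23) seen in the inner script
CONFIG_XOR_KEYS = (0x2e, 0x69)  # beacon config key: 0x2e ('.') for 4.x as above, 0x69 for 3.x
CONFIG_NAMES = {1: 'payload type', 2: 'port', 3: 'sleeptime', 5: 'jitter', 8: 'server,get-uri'}


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def base64_argument(script, func='FromBase64String'):
    """Return the single-quoted Base64 literal passed to func(...) in a PowerShell script."""
    m = re.search(func + r"\(\s*'([A-Za-z0-9+/=]+)'", script)
    if not m:
        raise ValueError('no %s(...) literal found' % func)
    return m.group(1)


def unpack_stager(outer_script):
    """Outer layer: Base64 -> gzip -> inner script. Inner layer: Base64 -> XOR -> beacon bytes.
    Returns (inner_script, xor_key, beacon)."""
    inner_script = gzip.decompress(base64.b64decode(base64_argument(outer_script))).decode()
    m = re.search(r'-bxor\s+(\d+)', inner_script)
    key = int(m.group(1)) if m else STAGER_XOR_KEY
    beacon = xor_bytes(base64.b64decode(base64_argument(inner_script)), key)
    return inner_script, key, beacon


def parse_beacon_config(beacon):
    """Find the XOR-encoded config block by its first entry header (00 01 00 01 00 02, i.e.
    index 1 / short / length 2) and walk the index-type-length-value entries until index 0."""
    for key in CONFIG_XOR_KEYS:
        pos = beacon.find(xor_bytes(struct.pack('>HHH', 1, 1, 2), key))
        if pos >= 0:
            break
    else:
        return None
    data = xor_bytes(beacon[pos:pos + 4096], key)   # a real config block is 4096 bytes
    config, off = {'xorkey': key}, 0
    while off + 6 <= len(data):
        idx, typ, length = struct.unpack('>HHH', data[off:off + 6])
        raw = data[off + 6:off + 6 + length]
        if idx == 0 or len(raw) != length:           # terminator, or truncated block
            break
        off += 6 + length
        if typ == 1:
            val = struct.unpack('>H', raw)[0]
        elif typ == 2:
            val = struct.unpack('>I', raw)[0]
        else:
            val = raw.rstrip(b'\x00').decode('latin-1')   # string fields are null-padded
        config[CONFIG_NAMES.get(idx, idx)] = val
    return config


def _entry(idx, typ, val, pad=0x100):
    """Encode one config entry (helper for the CONSTRUCTED fixture below)."""
    if typ == 1:
        raw = struct.pack('>H', val)
    elif typ == 2:
        raw = struct.pack('>I', val)
    else:
        raw = val.ljust(pad, b'\x00')
    return struct.pack('>HHH', idx, typ, len(raw)) + raw


def build_sample_stager():
    """CONSTRUCTED fixture, not the real download: a stand-in for the beacon PE carrying a config
    with the values extracted on this page, wrapped the way the observed stager wrapped it."""
    config = (_entry(1, 1, 8) + _entry(2, 1, 443) + _entry(3, 2, 63612) + _entry(5, 1, 39)
              + _entry(8, 3, b'qw.regsvcast.com,/hr,as.regsvcast.com,/hr,zx.regsvcast.com,/hr')
              + struct.pack('>HHH', 0, 0, 0))
    beacon = b'MZ' + bytes(62) + xor_bytes(config, 0x2e) + bytes(32)
    inner = ("[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')\n"
             'for ($x = 0; $x -lt $var_code.Count; $x++) { $var_code[$x] = $var_code[$x] -bxor 35 }\n'
             % base64.b64encode(xor_bytes(beacon, STAGER_XOR_KEY)).decode())
    return ('IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream('
            "New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s')),"
            '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()'
            % base64.b64encode(gzip.compress(inner.encode())).decode())


if __name__ == '__main__':
    inner, key, beacon = unpack_stager(build_sample_stager())
    print('inner script uses -bxor', key, '; beacon starts with', beacon[:2])
    for name, value in parse_beacon_config(beacon).items():
        print('%-16s %s' % (name, value))
```

Run it as a script to see the recovered config, or pass a captured stager body to unpack_stager to apply it to real traffic. The 4096-byte window and the stop at index 0 keep the walk from reading past the config into the rest of the PE; on a genuine beacon the string entries are fixed-size fields padded with nulls, which is why the parser strips trailing zero bytes.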
SC.exe was executed manually by the threat actor after logging into the file server over RDP from DC X.\r\nSecurity event ID 4624 showing the RDP logon and its Logon ID:\r\nThe threat actor manually started SystemBC under the name SC.exe:\r\nNotice that the original file name differs from SC.exe and that the Logon ID is the same as in the RDP logon above.\r\nShortly after, the threat actor brought in another SystemBC file named socks32.exe, which was copied to the file\r\nserver from DC X.\r\nsocks32.exe copied over the SMB C$ share:\r\nOnce again, execution was done manually after logging in through RDP.\r\nRDP logon:\r\nManual execution:\r\nIf the SystemBC sample is compiled without modifications, the configuration can be recovered by examining the\r\nexecutable with a strings tool, as the C2 host and port are stored in plain text.\r\nPort and host configuration for SystemBC in the socks32.exe implant:\r\nImpact\r\nThe threat actor’s primary objective in this case was financial gain through ransom. They introduced an executable\r\nnamed qwe.exe, which we later identified as BlackSuit ransomware.\r\nThis ransomware was distributed to key endpoints within the infrastructure and executed, initiating the ransom\r\ndemands.\r\nWindows security event ID 5145 shows the distribution of the BlackSuit ransomware executable via SMB C$ shares:\r\nTo avoid any errors during the final stage of their operation, the threat actor refrained from manually typing the\r\ncommand to execute the ransomware with the necessary command line arguments. 
Instead, to ensure accuracy and\r\neliminate the risk of typos, they also copied a file named 123.txt along with qwe.exe, using it as a reference\r\nholding the exact command line needed to execute the ransomware.\r\nWindows security event ID 5145 shows the distribution of 123.txt to the c:\\users directory:\r\nThe transfer of the 123.txt file as seen from the network side, including its content (the ID value is redacted):\r\nAfter staging the ransomware executable qwe.exe and the helper file 123.txt, the threat actor used RDP from DC X\r\nto log onto various systems. Once logged in, they opened 123.txt in Notepad, copied the command from the file, and\r\nexecuted the ransomware. This method ensured the correct command line arguments were used, reducing the risk of\r\nmistakes during the final execution phase.\r\nSysmon event ID 1 showing notepad.exe opening 123.txt:\r\nSysmon event ID 1 showing execution of qwe.exe:\r\nOnce the ransomware was executed, a large number of ransom notes were created:\r\nreadme.blacksuit.txt looked like:\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nAtomic\r\nSystemBC C2\r\n 137.220.61[.]94\r\nCobalt Strike C2\r\n svchorst[.]com - 15.197.130[.]221\r\n as.regsvcast[.]com - 147.78.47[.]178\r\n zx.regsvcast[.]com - 147.78.47[.]178\r\n qw.regsvcast[.]com - 147.78.47[.]178\r\nComputed\r\nRtWin64.exe - Cobalt Strike Beacon\r\n md5:b5266cd35d1b3770b05ad6870c0c4bde\r\n sha1:2bb6c8b6461edc49e22f3d0c7dc45904b2ed8a2b\r\n sha256:55cde638e9bcc335c79c605a564419819abf5d569c128b95b005b2f48ccc43c1\r\n imphash:6015e6e85d0d93e60041fa68c6a89776\r\n7f02ab2.exe - Cobalt Strike Beacon\r\n 
md5:3bf1142b3294c23852852053135ec0df\r\n sha1:a3b617eb4248aba34c28c48886116ac97e55e932\r\n sha256:6c884e4a9962441155af0ac8e7eea4ac84b1a8e71faee0beafc4dd95c4e4753f\r\n imphash:1b2b0fc8f126084d18c48b4f458c798b\r\n7341ac3.exe - Cobalt Strike Beacon\r\n md5:519dc779533b4ff0fc67727fecadba82\r\n sha1:586ea19ea4776300962e20cfc9e7017a50888ecb\r\n sha256:a39dc30bd672b66dc400f4633dfa4bdd289b5e79909c2e25e9c08b44d99b8953\r\n imphash:1b2b0fc8f126084d18c48b4f458c798b\r\n61185c1.exe - Cobalt Strike Beacon\r\n md5:820cfde780306e759bb434da509f7a91\r\n sha1:4e38b98965a4d4756e6f4a8259df62cbca7de559\r\n sha256:e92912153cf82e70d52203a1a5c996e68b7753818c831ac7415aedbe6f3f007d\r\n imphash:1b2b0fc8f126084d18c48b4f458c798b\r\nb7bcee8.exe - Cobalt Strike Beacon\r\n md5:b54240c98ca23202e58a1580135ad14c\r\n sha1:cd55256904f1964b90b51089b46f1a933fec3e8e\r\n sha256:27e300fa67828d8ffd72d0325c6957ff54d2dc6a060bbf6fc7aa5965513468e0\r\n imphash:bed5688a4a2b5ea6984115b458755e90\r\ne225857.exe - Cobalt Strike Beacon\r\n md5:3900ebc7766f3894fb1eb300460376ad\r\n sha1:e63732fb38d2e823348529a264b4c4718e0c0b4a\r\n sha256:f474241a5d082500be84a62f013bc2ac5cde7f18b50bf9bb127e52bf282fffbf\r\n imphash:bed5688a4a2b5ea6984115b458755e90\r\nAdFind.exe\r\n md5:9b02dd2a1a15e94922be3f85129083ac\r\n sha1:2cb6ff75b38a3f24f3b60a2742b6f4d6027f0f2a\r\n sha256:b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682\r\n imphash:4fbf3f084fbbb2470b80b2013134df35\r\nSharpHound.exe\r\n md5:76a2363d509cc7174c4abee9a7d7ae68\r\n sha1:286588a50b9b128d07aa0f8851f2d7ee91dfa372\r\n sha256:3b873bc8c7ee12fe879ab175d439b5968c8803fbb92e414de39176e2371896b2\r\n 
imphash:f34d5f2d4577ed6d9ceec516c1f5a744\r\nsocks32.exe\r\n md5:ed44877077716103973cbbebd531f38e\r\n sha1:ceb8c699a57193aa3be2a1766b03050cde3c738a\r\n sha256:9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300\r\n imphash:d66000edfed0a9938162b2b453ffa516\r\nqwe.exe\r\n md5:0bb61c0cff022e73b7c29dd6f1ccf0e2\r\n sha1:8dde03600a18a819b080a41effc24f42fa960a3e\r\n sha256:60dcbfb30802e7f4c37c9cdfc04ddb411060918d19e5b309a5be6b4a73c8b18a\r\n imphash:ecc488e51fbb2e01a7aac2b35d5f10bd\r\nDetections\r\nNetwork\r\nET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce]\r\nET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce 2]\r\nET Threatview.io High Confidence Cobalt Strike C2 IP group 3\r\nET Threatview.io High Confidence Cobalt Strike C2 IP group 2\r\nET POLICY SMB Executable File Transfer\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nET POLICY SMB2 NT Create AndX Request For a .bat File\r\nET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory\r\nET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nSigma\r\nSearch rules on detection.fyi or sigmasearchengine.com\r\nDFIR Public Rules Repo:\r\n50046619-1037-49d7-91aa-54fc92923604 : AdFind Discovery\r\nDFIR Private Rules:\r\n03be05e6-4977-44cd-8ee4-a79400a5ceb0 : Detection of Cobalt Strike Execution\r\nded07dbe-bcd4-4d15-a27b-1669445d3215 : Enabling RDP service via reg.exe command execution\r\nfeee5785-1381-4119-95d0-ca0c3fffe2f2 : Potential Kerberoasting Attack Detected\r\nf8fd3970-d558-40c8-86e2-a989cd53daea : RDP Session from Host with Default Hostname\r\n194e0132-ddee-433c-ac98-3e544c5a2a3a : Suspicious Powershell Execution in Run Key\r\nSigma Repo:\r\n903076ff-f442-475a-b667-4f246bcc203b : Nltest.EXE 
Execution\r\n5cc90652-4cbd-4241-aa3b-4b462fa5a248 : Potential Recon Activity Via Nltest.EXE\r\n9a132afa-654e-11eb-ae93-0242ac130002 : PUA - AdFind Suspicious Execution\r\nd5601f8c-b26f-4ab0-9035-69e11a8d4ad2 : CobaltStrike Named Pipe\r\n496a0e47-0a33-4dca-b009-9e6ca3591f39 : Suspicious Kerberos RC4 Ticket Encryption\r\n8eef149c-bd26-49f2-9e5a-9b00e3af499b : Pass the Hash Activity 2\r\nf376c8a7-a2d0-4ddc-aa0c-16c17236d962 : HackTool - Bloodhound/Sharphound Execution\r\n02773bed-83bf-469f-b7ff-e676e7d78bab : BloodHound Collection Files\r\n0d894093-71bc-43c3-8c4d-ecfc28dcf5d9 : Mimikatz Detection LSASS Access\r\na18dd26b-6450-46de-8c91-9659150cf088 : Potentially Suspicious GrantedAccess Flags On LSASS\r\n098d7118-55bc-4912-a836-dc6483a8d150 : Access To ADMIN$ Network Share\r\n61a7697c-cb79-42a8-a2ff-5f0cdfae0130 : Potential CobaltStrike Service Installations - Registry\r\n1d61f71d-59d2-479e-9562-4ff5f4ead16b : Suspicious Service Installation\r\n4aafb0fa-bff5-4b9d-b99e-8093e659c65f : Writing Local Admin Share\r\nca2092a1-c273-4878-9b4b-0d60115bf5ea : Suspicious Encoded PowerShell Command Line\r\n0ef56343-059e-4cb6-adc1-4c3c967c5e46 : Suspicious Execution of Systeminfo\r\nbbb7e38c-0b41-4a11-b306-d2a457b7ac2b : Suspicious File Created In PerfLogs\r\n3dfd06d2-eaf4-4532-9555-68aca59f57c4 : Process Execution From A Potentially Suspicious Folder\r\n0d5675be-bc88-4172-86d3-1e96a4476536 : Potential Tampering With RDP Related Registry Keys Via Reg.EXE\r\nYara\r\nFile Scan Results:\r\nDFIR Report:\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/compare/26364\r\nhttps://github.com/search?q=repo%3AThe-DFIR-Report%2FYara-Rules+get-data\u0026type=code\r\nhttps://github.com/search?q=repo%3AThe-DFIR-Report%2FYara-Rules%20netscan\u0026type=code\r\nYARA 
Forge:\r\nDITEKSHEN_MALWARE_Win_EXEPWSH_Dlagent\r\nELASTIC_Windows_Trojan_Cobaltstrike_1787Eef5\r\nELASTIC_Windows_Trojan_Cobaltstrike_7F8Da98A\r\nEMBEERESEARCH_Win_Cobaltstrike_Pipe_Strings_Nov_2023\r\nGCTI_Cobaltstrike_Resources_Artifact64_V3_14_To_V4_X\r\nMemory Scan Results:\r\nHKTL_CobaltStrike_SleepMask_Jul22\r\nCobaltStrike_Sleep_Decoder_Indicator\r\nWindows_Trojan_CobaltStrike_b54b94ac\r\nHKTL_CobaltStrike_Beacon_4_2_Decrypt\r\nCobaltStrike_Sleeve_Beacon_x64_v4_4_v_4_5_and_v4_6\r\nWindows_Trojan_CobaltStrike_663fc95d\r\nWindows_Trojan_CobaltStrike_3dc22d14\r\nHKTL_CobaltStrike_Beacon_Strings\r\nHKTL_Win_CobaltStrike\r\nSUSP_PS1_JAB_Pattern_Jun22_1\r\nWiltedTulip_WindowsTask\r\nCobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x\r\nCobaltbaltstrike_Payload_Encoded\r\nMsfpayloads_msf_ref\r\nCobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13\r\nWindows_Shellcode_Generic_8c487e57\r\nCobaltbaltstrike_RAW_Payload_smb_stager_x86\r\nWindows_Trojan_Metasploit_38b8ceec\r\nCobaltStrike_Resources_Smbstager_Bin_v2_5_through_v4_x\r\nWindows_Trojan_CobaltStrike_f0b627fc\r\nCobaltStrike_Sleeve_BeaconLoader_HA_x64_o_v4_3_v4_4_v4_5_and_v4_6\r\nCobaltStrike_C2_Encoded_XOR_Config_Indicator\r\nSUSP_XORed_Mozilla\r\nSUSP_PowerShell_IEX_Download_Combo\r\nCobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6\r\nWindows_Trojan_Metasploit_7bc0f998\r\nWindows_Trojan_Metasploit_c9773203\r\nRule authors:\r\nyara@s3c.za.net\r\nElastic Security\r\ngssincla@google.com\r\nthreatintel@volexity.com\r\nFlorian Roth (Nextron Systems)\r\nAvast Threat Intel Team\r\nMITRE ATT\u0026CK\r\nAbuse Elevation Control Mechanism - T1548\r\nArchive Collected Data - T1560\r\nAS-REP Roasting - T1558.004\r\nData 
Encrypted for Impact - T1486\r\nDomain Groups - T1069.002\r\nDomain Trust Discovery - T1482\r\nInhibit System Recovery - T1490\r\nKerberoasting - T1558.003\r\nLSASS Memory - T1003.001\r\nMalicious File - T1204.002\r\nModify Registry - T1112\r\nPowerShell - T1059.001\r\nProcess Injection - T1055\r\nProxy - T1090\r\nRegistry Run Keys / Startup Folder - T1547.001\r\nRemote Desktop Protocol - T1021.001\r\nRemote System Discovery - T1018\r\nSecurity Software Discovery - T1518.001\r\nService Execution - T1569.002\r\nSMB/Windows Admin Shares - T1021.002\r\nSoftware Discovery - T1518\r\nSystem Information Discovery - T1082\r\nWeb Protocols - T1071.001\r\nWindows Command Shell - T1059.003\r\nPass the Hash - T1550.002\r\nInternal case #TB29364 #PR31354\r\nSource: https://thedfirreport.com/2024/08/26/blacksuit-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2024/08/26/blacksuit-ransomware/"
	],
	"report_names": [
		"blacksuit-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439102,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f580a6b7195b359872695027f204ab54fd6e72b.pdf",
		"text": "https://archive.orkl.eu/8f580a6b7195b359872695027f204ab54fd6e72b.txt",
		"img": "https://archive.orkl.eu/8f580a6b7195b359872695027f204ab54fd6e72b.jpg"
	}
}