{
	"id": "54a537f9-0b20-4a5c-9a01-534502396544",
	"created_at": "2026-04-06T00:22:14.788807Z",
	"updated_at": "2026-04-10T03:37:23.824788Z",
	"deleted_at": null,
	"sha1_hash": "b2014c2445876f947baa40b93241789301f29474",
	"title": "HTML Smuggling Leads to Domain Wide Ransomware - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3994206,
	"plain_text": "HTML Smuggling Leads to Domain Wide Ransomware - The DFIR\r\nReport\r\nBy editor\r\nPublished: 2023-08-28 · Archived: 2026-04-02 10:49:00 UTC\r\nWe’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID\r\nmalware. This case, which also ended in Nokoyawa Ransomware, involved the threat actor deploying the final ransomware\r\nonly 12 hours after the initial compromise.\r\nThis threat actor delivered a password protected ZIP file via HTML smuggling to organizations back in late October, early\r\nNovember 2022. Within the password protected ZIP file, there was an ISO file that deployed IcedID which led to the use of\r\nCobalt Strike and ultimately Nokoyawa ransomware. This intrusion also overlaps with the previous Nokoyawa ransomware\r\ncase.\r\nServices\r\nPrivate Threat Briefs: Over 25 private reports annually, such as this one but more concise and quickly published\r\npost-intrusion.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, long-term tracking,\r\ndata clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences using real data from real intrusions. Interactive labs\r\nare available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nContact us today for a demo!\r\nCase Summary\r\nIn early November 2022, the intrusion began with the delivery of an HTML file. We assess with high confidence that the\r\ndelivery was via email, as reported in other public reports. This HTML file was using a technique known as HTML\r\nsmuggling. 
This is one of the techniques threat actors have pivoted to since macro control defaults were updated by\r\nMicrosoft. Just a month prior, this threat actor was observed using Excel macros in an extremely similar campaign.\r\nUpon the user opening the HTML file, a fake Adobe page was presented and a ZIP file was downloaded. The Adobe lure\r\nincludes a password for the ZIP as a way to protect the malicious contents from automated analysis. Inside the ZIP was an\r\nISO file. Inside the ISO was the malware payload. The only visible file to the user was a LNK file masquerading as a\r\ndocument.\r\nWhen the user clicked the LNK file, a series of commands was executed. These included copying rundll32 and a\r\nmalicious DLL from within the ISO to the host, before executing the malware. After loading the malicious DLL, a\r\nconnection was made to IcedID command and control servers. The user meanwhile was served a legitimate image of a\r\nfinance document.\r\nWhen the malicious DLL was executed, persistence was also established via a scheduled task on the beachhead host. This\r\ntask was set to run the IcedID malware every hour on the host. Initial discovery commands were run seconds after reaching\r\nout to the command and control server. These commands have been seen in previous reports involving IcedID, including\r\nstandard utilities like net, ipconfig, systeminfo, and nltest.\r\nAround three hours after execution of the initial IcedID malware, a cmd process was spawned from IcedID. This new\r\nprocess began beaconing to a Cobalt Strike server. This Cobalt Strike server was previously observed in a prior Nokoyawa\r\nreport. This process was then observed accessing LSASS, likely to harvest credentials. A quick check of domain admins\r\nusing net was also observed.\r\nHands-on activity then paused for around three hours before the threat actor returned.\r\n
Using the Cobalt Strike beacon, the\r\nthreat actor looked up specific domain administrators using the net utility. Using one of those accounts, the threat actor\r\ninitiated a RDP session to move laterally to a domain controller. Using this session, the threat actor copied over a Cobalt\r\nStrike beacon to the domain controller and executed it.\r\nAfter that, the threat actor continued discovery actions by executing a batch file on the domain controller, which ran the\r\nusual battery of Active Directory discovery commands using AdFind. Upon completion, the results of the discovery\r\nhttps://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/\r\nPage 1 of 24\n\ncommands were archived using 7-Zip. This was followed by the threat actor running a second batch file, which iterated\r\nthrough the network performing a nslookup for each host in the environment.\r\nAbout five hours later, the threat actor returned to the domain controller and executed an encoded PowerShell command\r\nwhich was SessionGopher. SessionGopher is a tool that finds and decrypts saved session information for remote access\r\ntools. The threat actor then logged into additional hosts over RDP, including a backup server and a server with file shares.\r\nOn the backup server, the threat actor opened the backup console. While on the file share, they used notepad to review a file\r\non the host.\r\nThe threat actor returned to the domain controller and utilized netscan to perform a network scan. After the scan, both\r\nPsExec and WMIC were used to move files across systems in the network. Key files copied included k.exe and p.bat. These\r\ntwo files were the ransomware binary and a batch script that would be used to execute the ransomware.\r\nFive minutes after transferring the files to hosts in the domain, the Nokoyawa ransomware binary was executed on a domain\r\ncontroller. 
At the same time, PsExec was used to execute the p.bat file starting the ransomware binary on the other hosts in\r\nthe domain. The time to ransomware (TTR) was just over 12 hours from the initial infection.\r\nAttribution\r\nIn this case we see two different threat actors: the distributor and the hands-on-keyboard actor. Proofpoint tracks this\r\ndistributor as TA551. The hands-on-keyboard actor is tracked by Microsoft as Storm-0390, which is a “pen test” team\r\nmanaged by Periwinkle Tempest (formerly tracked as Storm-0193 and DEV-0193).\r\nThe ransomware affiliate was seen RDPing into the environment from a host named WIN-5J00ETD85P5. This hostname\r\nmatches the one used by a threat actor in a prior Nokoyawa case. Internet scanning tools showed this hostname active, at the\r\ntime of writing, on 78.128.113[.]154, hosted on AS209160 Miti2000 at 4vendeta.com in Bulgaria.\r\nAnalysts\r\nAnalysis and reporting completed by @v3t0_, @MyDFIR, \u0026 @RoxpinTeddy\r\nInitial Access\r\nFor this campaign, thread-hijacked emails were used to deliver the malicious HTML file. According to Proofpoint, this\r\ncampaign was associated with a distribution group they track as TA551. Credits to Proofpoint for the below example.\r\nWhen the user opened the HTML file, it wrote a password-protected ZIP file with a random name to disk.\r\n
The password to unzip the file was presented to the user on the lure page itself.\r\nThe following image shows the HTML file opened in a browser.\r\nThe ISO file from the ZIP, when mounted, had one visible LNK file (documents-9771) and three hidden files: demurest.cmd,\r\npimpliest_kufic.png and templates544.png.\r\nAfter execution, a legitimate image is opened to trick the user into thinking nothing is amiss.\r\nExecution\r\nThe ISO file contained a LNK file with an image icon, which prompted the user to click on it. When the user opened\r\nthe LNK file, the batch script demurest.cmd was executed.\r\nThe batch script in the demurest.cmd file did the following:\r\n1. Opened pimpliest_kufic.png, which displayed an image.\r\n2. Used the Windows utility xcopy to copy rundll32.exe to %temp%\\entails.exe.\r\n3. Built the string “templates544.png” at runtime and copied that file to a name made of two random numbers in the\r\nformat RANDOM_NUM.RANDOM_NUM.\r\n4. Executed templates544.png, which was an IcedID DLL, via entails.exe.\r\nMemory analysis with MemProcFS shows cmd.exe executing entails.exe, whose command line in turn loads the IcedID\r\nDLL. The same view shows the call chain cmd.exe-\u003eentails.exe with explorer.exe as the grandparent process.\r\nAround six hours into the intrusion, 1.dll (Cobalt Strike) was dropped on the beachhead host before being copied to a\r\ndomain controller.\r\n
After 1.dll was transferred to the domain controller, it was executed with rundll32.exe using the following\r\ncommand:\r\nrundll32.exe 1.dll, DllRegisterServer\r\nPersistence\r\nIcedID registered a scheduled task to gain persistence on the beachhead host, which ran every hour.\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n \u003cRegistrationInfo\u003e\r\n \u003cURI\u003e\\{E5C1C7DB-E36E-5B16-8E3A-6226D7E53A67}\u003c/URI\u003e\r\n \u003c/RegistrationInfo\u003e\r\n \u003cTriggers\u003e\r\n \u003cTimeTrigger id=\"TimeTrigger\"\u003e\r\n \u003cRepetition\u003e\r\n \u003cInterval\u003ePT1H\u003c/Interval\u003e\r\n \u003cStopAtDurationEnd\u003efalse\u003c/StopAtDurationEnd\u003e\r\n \u003c/Repetition\u003e\r\n \u003cStartBoundary\u003e2012-01-01T12:00:00\u003c/StartBoundary\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003c/TimeTrigger\u003e\r\n \u003cLogonTrigger id=\"LogonTrigger\"\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cUserId\u003eREDACTED\u003c/UserId\u003e\r\n \u003c/LogonTrigger\u003e\r\n \u003c/Triggers\u003e\r\n \u003cPrincipals\u003e\r\n \u003cPrincipal id=\"Author\"\u003e\r\n \u003cRunLevel\u003eHighestAvailable\u003c/RunLevel\u003e\r\n \u003cUserId\u003eREDACTED\u003c/UserId\u003e\r\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\n \u003c/Principal\u003e\r\n \u003c/Principals\u003e\r\n \u003cSettings\u003e\r\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n \u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n \u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n \u003cAllowHardTerminate\u003efalse\u003c/AllowHardTerminate\u003e\r\n \u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n 
\u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n \u003cIdleSettings\u003e\r\n \u003cDuration\u003ePT10M\u003c/Duration\u003e\r\n \u003cWaitTimeout\u003ePT1H\u003c/WaitTimeout\u003e\r\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n \u003c/IdleSettings\u003e\r\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cHidden\u003efalse\u003c/Hidden\u003e\r\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n \u003cExecutionTimeLimit\u003ePT0S\u003c/ExecutionTimeLimit\u003e\r\n \u003cPriority\u003e7\u003c/Priority\u003e\r\n \u003c/Settings\u003e\r\n \u003cActions Context=\"Author\"\u003e\r\n \u003cExec\u003e\r\n \u003cCommand\u003erundll32.exe\u003c/Command\u003e\r\n \u003cArguments\u003e\"C:\\Users\\REDACTED\\AppData\\Local\\REDACTED\\Izjeubaw64.dll\",#1 --oyxo=\"EdgeDecrease\\license.dat\"\u003c/Arguments\u003e\r\n \u003c/Exec\u003e\r\n \u003c/Actions\u003e\r\n\u003c/Task\u003e\r\nThe task is worth reading closely: the TimeTrigger repeats every hour (PT1H) and a LogonTrigger re-runs it at each logon, the\r\naction is rundll32.exe loading a DLL by ordinal (#1) from the user's AppData with a non-standard argument, and RunLevel\r\nHighestAvailable means it runs with the user's full token, which here was a local administrator.\r\nWe can also see similar information in memory by reviewing the most recently created scheduled tasks:\r\nTaskName: {E5C1C7DB-E36E-5B16-8E3A-6226D7E53A67}\r\nTaskPath: \\{E5C1C7DB-E36E-5B16-8E3A-6226D7E53A67}\r\nUser: Author\r\nCommandLine: rundll32.exe\r\nParameters: \"C:\\Users\\REDACTED\\AppData\\Local\\REDACTED\\Izjeubaw64.dll\",#1 --oyxo=\"EdgeDecrease\\license.dat\"\r\nPrivilege Escalation\r\nThe compromised user had local administrative privileges on their machine, which allowed the threat actor to leverage tools\r\nrequiring higher permissions.\r\nDefense Evasion\r\nLooking at the contents of the malicious HTML file, we can pick out the HTML smuggling in the code.\r\n
First, looking at the\r\n\u003cscript\u003e tags we come to the following:\r\nIf we take that data blob, decode the contents with base64, and export that into a file, we can find the zipped ISO file hidden\r\nin the document:\r\nThe PK header indicates the data is the start of a ZIP file, and the following data reveals the contents to be an ISO file.\r\nThe initial access package from the threat actor used the Windows xcopy utility to copy rundll32.exe to a new name, entails.exe.\r\nThis was likely to evade detection logic keyed on the rundll32.exe process name and command line. Entails.exe, which loaded\r\nthe IcedID DLL, was then observed injecting into a cmd.exe process on the beachhead host.\r\nBelow we can see the IcedID loader in memory in the entails.exe process:\r\nProcess Name PID Type Address Description\r\nentails.exe 4868 PE_INJECT 0000000180000000 Module:[loader_dll_64.dll]\r\nThe entails.exe process first opened cmd.exe with GrantedAccess 0x1fffff, which maps to\r\nPROCESS_ALL_ACCESS, followed by a call to CreateRemoteThread; Sysmon recorded these as Event ID\r\n10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) respectively, as shown below:\r\nMemory analysis also shows beacon.dll injected into cmd.exe:\r\nProcess Name PID Type Address Description\r\ncmd.exe 11636 PE_INJECT 0000000005380000 Module:[beacon.dll]\r\nScanning the process memory of cmd.exe, the YARA rule win_cobalt_strike_auto from Malpedia fired.\r\n
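The decode walked through at the start of this section (find the blob inside the script tag, base64-decode it, check for the PK header, then look for the ISO inside) is easy to script. The following Python is an added example written for this page; it is not code from the report, from The DFIR Report's tooling, or from the threat actor. It scans an HTML file for long base64 runs, decodes each one, classifies the result by magic bytes and, for a ZIP, lists the members and whether their encryption flag is set: the password-protected archive the report describes shows up as members that cannot be opened without the password printed on the lure. The sample HTML, archive and ISO are constructed inline; the 1024-character run length, the member name and the download name are assumptions of the example.

```python
import base64
import io
import re
import zipfile

# A ZIP local file header starts with 'PK\x03\x04'; an ISO 9660 image carries the
# 'CD001' volume descriptor signature at byte 0x8001 (sector 16, after the type byte).
ZIP_LOCAL_HEADER = b'PK\x03\x04'
ZIP_CENTRAL_HEADER = b'PK\x01\x02'
ISO_SIGNATURE = b'CD001'
ISO_SIGNATURE_OFFSET = 0x8001

# Smuggled payloads are large, so only long base64 runs are decoded. The
# 1024-character floor is an assumption of this example, not a value from the report.
BASE64_RUN = re.compile(r'[A-Za-z0-9+/]{1024,}={0,2}')


def classify(blob):
    """Name the container a decoded blob represents, by its magic bytes."""
    if blob.startswith(ZIP_LOCAL_HEADER):
        return 'zip'
    end = ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)
    if len(blob) >= end and blob[ISO_SIGNATURE_OFFSET:end] == ISO_SIGNATURE:
        return 'iso'
    return 'unknown'


def zip_listing(blob):
    """(name, encrypted?) per member; bit 0 of the flags marks a password-protected entry."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(info.filename, bool(info.flag_bits & 0x1)) for info in zf.infolist()]


def extract_smuggled(html):
    """Decode every long base64 run in the page and report what each one contains."""
    findings = []
    for match in BASE64_RUN.finditer(html):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError: not real base64
            continue
        kind = classify(blob)
        finding = {'offset': match.start(), 'size': len(blob), 'kind': kind}
        if kind == 'zip':
            finding['members'] = zip_listing(blob)
        findings.append(finding)
    return findings


# --- constructed sample mirroring the report's HTML -> ZIP -> ISO chain -----------

def mark_encrypted(zip_bytes):
    """Set the encryption flag on every local and central header.

    The member data stays in the clear; this only reproduces the header state a
    password-protected archive presents to a tool that lists it without the password.
    """
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((ZIP_LOCAL_HEADER, 6), (ZIP_CENTRAL_HEADER, 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_offset] |= 0x1
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


def build_sample():
    # Minimal ISO-shaped blob: an empty system area and a primary volume descriptor at sector 16.
    iso = bytes(0x8000) + b'\x01' + ISO_SIGNATURE + bytes(2048 - 6)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', compression=zipfile.ZIP_STORED) as zf:
        zf.writestr('documents.iso', iso)          # member name is an assumption
    b64 = base64.b64encode(mark_encrypted(buf.getvalue())).decode('ascii')
    # The dropper shape the report describes: decode in the browser, wrap in a Blob,
    # and trigger a download of a randomly named ZIP through an anchor element.
    html = ('<html><body><h1>Adobe</h1><script>'
            "var b='" + b64 + "';"
            'var bin=atob(b),arr=new Uint8Array(bin.length);'
            'for(var i=0;i<bin.length;i++){arr[i]=bin.charCodeAt(i);}'
            "var a=document.createElement('a');"
            "a.href=URL.createObjectURL(new Blob([arr],{type:'application/octet-stream'}));"
            "a.download='2f7c0d9e-invoice.zip';a.click();"
            '</script></body></html>')
    return iso, html


SAMPLE_ISO, SAMPLE_HTML = build_sample()

if __name__ == '__main__':
    for finding in extract_smuggled(SAMPLE_HTML):
        print(finding)
```

Against a real sample, call extract_smuggled on the file contents read as text; a finding of kind 'zip' whose members are marked encrypted is the HTML-to-ZIP-to-ISO chain above, and once the archive has been opened with the password from the lure, classify will confirm the inner file is an ISO by its CD001 signature.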
The following\r\nCobalt Strike beacon configuration was then extracted from process memory:\r\n\"BeaconType\": \"windows-beacon_https-reverse_https\",\r\n\"Port\": 443,\r\n\"Sleeptime\": 60000,\r\n\"Maxgetsize\": 1048576,\r\n\"Jitter\": 0,\r\n\"MaxDns\": 0,\r\n\"PublicKey\": \"30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 a7 38 cd\r\n\"c2_server\": \"5.8.18.242,/pixel.gif\",\r\n\"UserAgent\": \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)\",\r\n\"PostURI\": \"/submit.php\",\r\n\"Malleable_C2_Instructions2\": \"\",\r\n\"HttpGetHeader\": \"Cookie\",\r\n\"HttpPostHeader\": \"\\n\\u0026Content-Type: application/octet-streamid\",\r\n\"SpawnTo\": \"\",\r\n\"Pipename\": \"\",\r\n\"KillDateYear\": 0,\r\n\"KillDateMonth\": 0,\r\n\"KillDateDay\": 0,\r\n\"DNSIdle\": \"0.0.0.0\",\r\n\"DNSSleep\": 0,\r\n\"SSH_1\": \"\",\r\n\"SSH_2\": \"\",\r\n\"SSH_3\": \"\",\r\n\"SSH_4\": \"\",\r\n\"SSH_5\": \"\",\r\n\"GetVerb\": \"GET\",\r\n\"PostVerb\": \"POST\",\r\n\"HttpPostChunk\": 0,\r\n\"SpawnTox86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"SpawnTox64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"CryptoScheme\": 0,\r\n\"Proxy\": \"\",\r\n\"ProxyUsername\": \"\",\r\n\"ProxyPassword\": \"\",\r\n\"ProxyType\": \"IE settings\",\r\n\"Deprecated\": 0,\r\n\"LicenseId\": 305419776,\r\n\"bStageCleanup\": 0,\r\n\"bCFGCaution\": 0,\r\n\"KillDate\": 0,\r\n\"TextSectionEnd\": 0,\r\n\"ObfuscateSectionsInfo\": \"\",\r\n\"ProcessInjectStartRWX\": \"PAGE_EXECUTE_READWRITE\",\r\n\"ProcessInjectUseRWX\": \"PAGE_EXECUTE_READWRITE\",\r\n\"ProcessInjectMinAlloc\": 0,\r\n\"ProcessInjectTransformx86\": \"\",\r\n\"ProcessInjectTransformx64\": \"\",\r\n\"UsesCookies\": 1,\r\n\"ProcessInjectExecute\": \"\",\r\n\"ProcessInjectAllocationMethod\": 0,\r\n\"ProcessInjectStub\": \"b5 4a fe 01 ec 6a 75 ed f3 5e 1a 44 f8 bd 39 29\",\r\n\"HostHeader\": \"\"\r\nTwo fields are useful to a defender here: the HTTPS beacon sleeps for 60 seconds with zero jitter, so its GET requests to\r\n/pixel.gif land at a fixed cadence, and the LicenseId (watermark) 305419776 is one that appears across many unrelated\r\nintrusions, so it should not be treated as an attribution pivot on its own.\r\nThe IP and port match what we see in memory:\r\nOffset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner\r\n0xa30e2a5f34d0 TCPv4 REDACTED 60597 5.8.18.242 443 CLOSED 11636 cmd.exe\r\nThe injected cmd.exe, in turn, injected into rundll32.exe.\r\nCredential Access\r\nIt appears Cobalt Strike was used to access the LSASS memory space. The access granted was 0x1010 \u0026 0x1fffff. These\r\naccess patterns were also seen in previous reports. These GrantedAccess values, with lsass.exe as the target, can be used to\r\nidentify credential access.\r\nPipes were created with the default Cobalt Strike prefix of ‘postex_’.\r\nOn one of the domain controllers, an encoded PowerShell command was observed being executed from a Cobalt Strike\r\nbeacon.\r\nThis command, once decoded, revealed the execution of the SessionGopher script.\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:8897/'); Invoke-SessionGopher\r\nThe loopback download is the pattern Cobalt Strike's powershell-import produces: the beacon serves the imported script from a\r\nlocal port and the PowerShell process it spawns pulls it with DownloadString, so the script never has to be written to disk.\r\nDiscovery\r\nAfter loading the IcedID DLL via the renamed rundll32, the following discovery commands were observed on the beachhead\r\nhost:\r\ncmd.exe /c chcp \u003e\u00262\r\nipconfig /all\r\nsysteminfo\r\nnet config workstation\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nnet view /all /domain\r\nnet view /all\r\nnet group \"Domain Admins\" /domain\r\nAs part of its discovery, IcedID used WMI to list the antivirus products installed on the beachhead host\r\nwith the following command:\r\nWMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nThe threat actor also ran the following discovery commands via cmd.exe (the injected Beacon process):\r\nnet group \"domain admins\" /domain\r\nnet user [REDACTED DOMAIN ADMIN] /domain\r\nnet user Administrator /domain\r\nnet user [REDACTED DOMAIN ADMIN] /domain\r\ncmd.exe /C dir *.txt\r\ncmd.exe /C dir *.dll\r\nAdFind was used for discovery on a domain controller via a batch script named adfind.bat. The script executed the following\r\ncommands:\r\nadfind.exe -f (objectcategory=person) \u003e ad_users.txt\r\nadfind.exe -f objectcategory=computer \u003e ad_computers.txt\r\nadfind.exe -f (objectcategory=organizationalUnit) \u003e ad_ous.txt\r\nadfind.exe -subnets -f (objectCategory=subnet) \u003e ad_subnets.txt\r\nadfind.exe -f \"(objectcategory=group)\" \u003e ad_group.txt\r\nadfind.exe -gcb -sc trustdmp \u003e ad_trustdmp.txt\r\n7.exe a -mx3 ad.7z ad_*\r\ndel 7.exe adfind* ad_*\r\n7.exe is a renamed 7-Zip binary; the final del removes the archiver, the AdFind tooling and the raw output, leaving only ad.7z\r\nbehind for collection.\r\nAfter running this, the threat actor dropped a new batch file, ns.bat. This file contained a list of hosts on the network to\r\nperform DNS lookups on using nslookup.\r\nC:\\Windows\\system32\\cmd.exe /C ns.bat\r\nnslookup [REDACTED HOST X]\r\n...\r\nnslookup [REDACTED HOST XX]\r\nShortly before beginning the ransomware deployment, the threat actor connected to a backup server and opened the backup\r\nconsole on the host.\r\n
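Three of the behaviours described so far leave clean fingerprints in Sysmon telemetry: the discovery battery that ran seconds after IcedID checked in, the renamed rundll32 (entails.exe) that loaded it, and the LSASS opens with GrantedAccess 0x1010 and 0x1fffff from the Credential Access section. The Python below is an added example written for this page, not detection content from The DFIR Report; it runs those three checks over a constructed set of Sysmon Event ID 1 (process create) and Event ID 10 (process access) records modelled on the report. Timestamps, PIDs, paths, the 120-second window, the four-command threshold and the MsMpEng.exe allow-list are all assumptions of the example, as is relying on the OriginalFileName field (RUNDLL32.EXE) that Sysmon populates from the binary's version resource.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Discovery commands the report lists, as (label, lowercase substring) pairs.
DISCOVERY_MARKERS = (('chcp', 'chcp'), ('ipconfig', 'ipconfig /all'),
                     ('systeminfo', 'systeminfo'), ('net_config', 'net config workstation'),
                     ('nltest_trusts', 'nltest /domain_trusts'), ('net_view', 'net view'),
                     ('net_domain_admins', 'net group "domain admins"'),
                     ('wmi_av_products', 'antivirusproduct'))
BURST_WINDOW = timedelta(seconds=120)    # assumption
BURST_THRESHOLD = 4                      # assumption: distinct commands per parent process
LSASS_MASKS = {0x1010, 0x1fffff}         # GrantedAccess values the report ties to the LSASS reads
LSASS_ALLOWED_SOURCES = {'msmpeng.exe'}  # assumption: defender process expected to open lsass


def basename(path):
    return ntpath.basename(path).lower()


def check_renamed_binary(ev):
    # EID 1: the name in the PE version resource disagrees with the on-disk file name.
    original = ev.get('OriginalFileName', '').lower()
    if original and original != basename(ev['Image']):
        return {'rule': 'renamed_system_binary', 'detail': '%s is really %s' % (ev['Image'], original)}
    return None


def check_lsass_access(ev):
    # EID 10: a non-allow-listed process opened lsass.exe with one of the dumping masks.
    if basename(ev['TargetImage']) != 'lsass.exe' or basename(ev['SourceImage']) in LSASS_ALLOWED_SOURCES:
        return None
    mask = int(ev['GrantedAccess'], 16)
    if mask in LSASS_MASKS:
        return {'rule': 'lsass_access', 'detail': '%s opened lsass.exe with 0x%x' % (ev['SourceImage'], mask)}
    return None


def discovery_label(cmdline):
    low = cmdline.lower()
    return next((label for label, marker in DISCOVERY_MARKERS if marker in low), None)


def find_discovery_bursts(events):
    # One alert per parent that ran BURST_THRESHOLD distinct discovery commands inside BURST_WINDOW.
    by_parent = defaultdict(list)
    for ev in events:
        label = discovery_label(ev['CommandLine']) if ev['EventID'] == 1 else None
        if label:
            by_parent[ev['ParentProcessId']].append((datetime.fromisoformat(ev['UtcTime']), label))
    alerts = []
    for parent, runs in by_parent.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            seen = {label for t, label in runs[i:] if t - start <= BURST_WINDOW}
            if len(seen) >= BURST_THRESHOLD:
                alerts.append({'rule': 'discovery_burst', 'detail': 'parent pid %d ran %s' % (parent, sorted(seen))})
                break
    return alerts


def triage(events):
    checks = {1: check_renamed_binary, 10: check_lsass_access}
    alerts = []
    for ev in events:
        hit = checks[ev['EventID']](ev) if ev['EventID'] in checks else None
        if hit:
            alerts.append(hit)
    return alerts + find_discovery_bursts(events)


# --- constructed Sysmon records modelled on the report; not real logs -------------
SYS32 = r'C:\Windows\System32'


def proc(utc, pid, ppid, image, cmdline, original=None):
    return {'EventID': 1, 'UtcTime': utc, 'ProcessId': pid, 'ParentProcessId': ppid, 'Image': image,
            'CommandLine': cmdline, 'OriginalFileName': original or ntpath.basename(image).upper()}


def access(utc, source, target, granted):
    return {'EventID': 10, 'UtcTime': utc, 'SourceImage': source, 'TargetImage': target, 'GrantedAccess': granted}


SAMPLE_EVENTS = [
    # rundll32.exe copied to %temp%\entails.exe by xcopy, loading the renamed IcedID DLL
    proc('2022-11-01 13:04:58', 4868, 3120, r'C:\Users\user\AppData\Local\Temp\entails.exe',
         'entails.exe 1234.5678,#1', 'RUNDLL32.EXE'),
    # discovery battery spawned by the loader seconds after check-in
    proc('2022-11-01 13:05:10', 5001, 4868, SYS32 + r'\cmd.exe', 'cmd.exe /c chcp >&2'),
    proc('2022-11-01 13:05:11', 5002, 4868, SYS32 + r'\ipconfig.exe', 'ipconfig /all'),
    proc('2022-11-01 13:05:12', 5003, 4868, SYS32 + r'\systeminfo.exe', 'systeminfo'),
    proc('2022-11-01 13:05:14', 5004, 4868, SYS32 + r'\nltest.exe', 'nltest /domain_trusts'),
    proc('2022-11-01 13:05:16', 5005, 4868, SYS32 + r'\net.exe', 'net group "Domain Admins" /domain'),
    # benign noise: one ipconfig run by an administrator hours earlier
    proc('2022-11-01 09:00:00', 2200, 900, SYS32 + r'\ipconfig.exe', 'ipconfig /all'),
    # the injected cmd.exe beacon opening lsass, then Defender doing the same legitimately
    access('2022-11-01 16:02:41', SYS32 + r'\cmd.exe', SYS32 + r'\lsass.exe', '0x1010'),
    access('2022-11-01 16:02:42', SYS32 + r'\cmd.exe', SYS32 + r'\lsass.exe', '0x1fffff'),
    access('2022-11-01 16:03:00', r'C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe',
           SYS32 + r'\lsass.exe', '0x1fffff'),
]

if __name__ == '__main__':
    for alert in triage(SAMPLE_EVENTS):
        print(alert['rule'], '-', alert['detail'])
```

Grouping the discovery commands by parent process is what separates the IcedID burst from a single ipconfig /all run by an administrator, and comparing OriginalFileName against the on-disk name catches the xcopy trick whatever the copy was called, which a rule keyed on the string rundll32.exe would miss.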
The final discovery action, again on the domain controller, was a network scan with the SoftPerfect Netscan tool.\r\nLateral Movement\r\nThe threat actor connected to various hosts in the network via RDP tunneled through the beacon process on the beachhead\r\nhost.\r\nWe can find the hostname of the threat actor present in some of the Windows logs, event IDs 4624, 4776, 4778, and 4779.\r\nWIN-5J00ETD85P5\r\nThe workstation name observed in a 4624 event on the beachhead:\r\nSeen again in a 4776 event from a domain controller:\r\nAnd again in 4778 followed by 4779 on the domain controller:\r\nDuring the RDP session, 1.dll (Cobalt Strike DLL) was transferred from the beachhead via Windows File Explorer.\r\nSimilarly, the final files used to execute the ransomware deployment were transferred in the same manner, which can be\r\nseen in the file creation logs, where the creating process is Explorer.EXE.\r\nOnce k.exe, p.bat and various other batch scripts were transferred to the compromised domain controller, the threat actor\r\ntried to copy k.exe to other machines on the network with a copy command executed on the domain controller.\r\nEither that first copy did not work, or it was a scripted fallback: the threat actor then ran the copy again, but this time,\r\ninstead of executing cmd /K copy on the domain controller, used wmic to have each remote host run the copy command itself.\r\nThe same two-step sequence was repeated for p.bat, which makes it likely that this was scripted rather than a retry after a\r\nfailed copy.\r\nFirst, the copy command issued on the domain controller:\r\nSecond, the copy command issued through WMIC for the remote hosts to run:\r\nOnce both k.exe and p.bat were copied to the machines in the network, the threat actor used PsExec.exe to remotely create a\r\nservice named mstdc that ran p.bat as SYSTEM (p.bat runs k.exe, which encrypts the system according to the Base64 encoded\r\nconfig).\r\nEach host on the receiving end of PsExec had a ‘.key’ file created; the filename contains the hostname of the machine that\r\ninitiated PsExec.\r\nCollection\r\nAfter AdFind had finished executing, the results were archived using 7-Zip.\r\nCommand and Control\r\nIcedID\r\nOnce entails.exe (rundll32.exe) successfully executed templates544.png on the beachhead host, an outbound connection was\r\nestablished to trentonkaizerfak[.]com.\r\nThis downloaded a gzip file for the next IcedID stage. After executing this payload, command and control was established to\r\n5.255.103[.]16.\r\nIP Port Domain Ja3 Ja3s\r\n5.255.103[.]16 443 pikchayola[.]pics a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc\r\n5.255.103[.]16 443 questdisar[.]com a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc\r\nSSL Certificate Details\r\nCertificate Subject O=Internet Widgits Pty Ltd,ST=Some-State,C=AU,CN=localhost\r\nCertificate Issuer O=Internet Widgits Pty Ltd,ST=Some-State,C=AU,CN=localhost\r\nNot Before 2022-10-09T09:36:33Z\r\nNot After 2023-10-09T09:36:33Z\r\nPublic Algorithm rsaEncryption\r\nThe subject is the unchanged OpenSSL default (Internet Widgits Pty Ltd, Some-State, AU) on a self-signed certificate, which is\r\nwhat the ET POLICY OpenSSL Demo CA signature in the Detections section matches.\r\nCobalt Strike\r\nAfter the injection into cmd.exe on the beachhead host, 1.dll (Cobalt Strike DLL) was created, which was later transferred to\r\nthe domain controller. 1.dll was then executed on the domain controller via rundll32.exe, after which rundll32.exe\r\nconnected to the command and control server 5.8.18[.]242.\r\n
This server was observed in a prior case, which also resulted in\r\nNokoyawa ransomware.\r\nIP Port Ja3 Ja3s\r\n5.8.18[.]242 443 72a589da586844d7f0818ce684948eea f176ba63b4d68e576b5ba345bec2c7b7\r\nSSL Certificate Details\r\nCertificate Subject CN=,OU=,O=,L=,ST=,C=\r\nCertificate Issuer CN=,OU=,O=,L=,ST=,C=\r\nNot Before 2015-05-20T18:26:24Z\r\nNot After 2025-05-17T18:26:24Z\r\nPublic Algorithm rsaEncryption\r\nThe empty subject and issuer fields are the stock Cobalt Strike listener certificate, which is what the ET HUNTING Suspicious\r\nEmpty SSL Certificate signature in the Detections section keys on.\r\nImpact\r\nThe threat actor was seen deploying Nokoyawa ransomware throughout the environment utilizing both PsExec \u0026 WMIC.\r\npsexec.exe \\\\[TARGET IP] -u [DOMAIN]\\[USER] -p \"[PASSWORD]\" -s -d -h -r mstdc -accepteula -nobanner c:\\windows\r\nwmic /node:\"[TARGET IP]\" /user:\"[DOMAIN]\\[USER]\" /password:\"[PASSWORD]\" process call create \"cmd.exe /c c:\\win\r\nIn the PsExec command, -s runs the remote process as SYSTEM, -h runs it with an elevated token, -d returns without waiting\r\nfor it to finish, and -r mstdc sets the name of the remote service, which is why the service seen in the Lateral Movement\r\nsection was called mstdc rather than the default PSEXESVC.\r\nThis duplication of execution using both PsExec and WMIC mirrors the doubled commands used to copy files throughout\r\nthe network, indicating scripted execution for redundancy.\r\nThe batch file (p.bat) is responsible for executing the ransomware binary (k.exe) along with its configuration.\r\n c:\\windows\\temp\\k.exe --config REDACTED\r\nUpon reviewing the configuration provided in the command parameters, this particular ransomware is configured to encrypt\r\nthe network, load hidden drives, and delete volume shadow copies.\r\nFurthermore, the configuration tells the ransomware binary to skip the following directories and file extensions.\r\nExcluded Directories\r\n- Windows\r\n- Program Files\r\n- Program Files (x86)\r\n- AppData\r\n- ProgramData\r\n- System Volum Information\r\nExcluded File Extensions\r\n- .exe\r\n- .dll\r\n- .ini\r\n- .lnk\r\n- .url\r\n- \"\"\r\nRansom Note\r\nNokoyawa.\r\nIf you see this, your files were successfully encrypted.\r\nWe advice you not to search free decryption method.\r\nIt's impossible.\r\n
We are using symmetrical and asymmetric encryption.\r\nATTENTION:\r\n- Don't rename encrypted files.\r\n- Don't change encrypted files.\r\n- Don't use third party software.\r\nTo reach an agreement we offer you to visit our Onion Website.\r\nHow to open Onion links:\r\n- Download TOR Browser from official website.\r\n- Open and enter this link:\r\nhttp://[REDACTED]\r\n- On the page you will see a chat with the Support.\r\n- Send your first message.\r\nThe faster you contact with us the faster you will get a solution.\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nAtomic\r\nCobalt Strike:\r\n 5.8.18.242:443\r\nIcedID:\r\n trentonkaizerfak[.]com at 159.89.12.125:80\r\n questdisar[.]com at 5.255.103.16:443\r\n pikchayola[.]pics at 5.255.103.16:443\r\nComputed\r\n1.dll\r\nMD5: 9740f2b8aeacc180d32fc79c46333178\r\nSHA1: c599c32d6674c01d65bff6c7710e94b6d1f36869\r\nSHA256: d3db55cd5677b176eb837a536b53ed8c5eabbfd68f64b88dd083dc9ce9ffb64e\r\n8c11812d-65fd-48ee-b650-296122a21067.zip\r\nMD5: 4f4231ca9e12aafac48a121121c6f940\r\nSHA1: 7bd217554749f0f3c31957a37fc70d0a86e71fc3\r\nSHA256: be604dc018712b1b1a0802f4ec5a35b29aab839f86343fc4b6f2cb784d58f901\r\nadfind.bat\r\nMD5: ebf6f4683d8392add3ef32de1edf29c4\r\nSHA1: 444c704afe4ee33d335bbdfae79b58aba077d10d\r\nSHA256: 2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04\r\ndemurest.cmd\r\nMD5: 586fe6d361ef5208fad28c5ff8a4579b\r\nSHA1: bf4177381235393279e7cdfd45a3fa497b7b8a96\r\nSHA256: 364d346da8e398a89d3542600cbc72984b857df3d20a6dc37879f14e5e173522\r\ndocuments-9771.lnk\r\nMD5: 51e416c3d3be568864994449cd39caa1\r\nSHA1: ee1c5e9f1257fbda3b174d534d06dddf435d3327\r\nSHA256: 57842fe8723ed6ebdf7fc17fc341909ad05a7a4feec8bdb5e062882da29fa1a8\r\nk.exe\r\nMD5: 40c9dc2897b6b348da88b23deb0d3952\r\nSHA1: 0f5457b123e60636623f585cc2bf2729f13a95d6\r\nSHA256: 7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6\r\nnetscan.exe\r\nMD5: 16ef238bc49b230b9f17c5eadb7ca100\r\nSHA1: a5c1e4203c740093c5184faf023911d8f12df96c\r\nSHA256: ce6fc6cca035914a28bbc453ee3e8ef2b16a79afc01d8cb079c70c7aee0e693f\r\np.bat\r\nMD5: 385d21c0438f5b21920aa9eb894740d2\r\nSHA1: 5d2c17799dfc6717f89cd5f63951829aed038041\r\nSHA256: e351ba5e50743215e8e99b5f260671ca8766886f69d84eabb83e99d55884bc2f\r\npsexec.exe\r\nMD5: c590a84b8c72cf18f35ae166f815c9df\r\nSHA1: b97761358338e640a31eef5e5c5773b633890914\r\nSHA256: 57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4\r\npimpliest_kufic.png\r\nMD5: 49524219dbd2418e3afb4e49e5f1805e\r\nSHA1: b8cb71c48a7d76949c93418ddd0bcae587bef6cc\r\nSHA256: c6294ebb7d2540ee7064c60d361afb54f637370287983c7e5e1e46115613169a\r\nredacted-invoice-10.31.22.html\r\nMD5: c8bdc984a651fa2e4f1df7df1118178b\r\nSHA1: f62b155ab929b7808de693620d2e9f07a9293926\r\nSHA256: 31cd7f14a9b945164e0f216c2d540ac87279b6c8befaba1f0813fbad5252248b\r\ntemplates544.png\r\nMD5: 14f37c8690dda318f9e9f63196169510\r\nSHA1: 306e4ede6c7ea75ef5841f052f9c40e3a761c177\r\nSHA256: e71772b0518fa9bc6dddd370de2d6b0869671264591d377cdad703fa5a75c338\r\nDetections\r\nNetwork\r\nET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike\r\nET INFO RDP - Response To External Host\r\nET MALWARE Meterpreter or Other Reverse Shell SSL Cert\r\nET MALWARE Win32/IcedID Request Cookie\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)\r\nET POLICY PsExec service created\r\nET POLICY SMB Executable File Transfer\r\nET POLICY SMB2 NT Create AndX Request For a .bat File\r\nET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)\r\nET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)\r\nSigma\r\nDFIR Report Repo:\r\nCHCP CodePage Locale Lookup dfbdd206-6cf2-4db9-93a6-0b7e14d5f02f\r\nAdFind Discovery 50046619-1037-49d7-91aa-54fc92923604\r\nSigma Repo:\r\nBad Opsec Defaults Sacrificial Processes With Improper Arguments a7c3d773-caef-227e-a7e7-c2f13c622329\r\nChange PowerShell Policies to an Insecure Level 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180\r\nCMD Shell Output Redirect 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a\r\nCobaltStrike BOF Injection Pattern 09706624-b7f6-455d-9d02-adee024cee1d\r\nFirst Time Seen Remote Named Pipe 52d8b0c6-53d6-439a-9e41-52ad442ad9ad\r\nISO File Created Within Temp Folders 2f9356ae-bf43-41b8-b858-4496d83b2acb\r\nISO Image Mount 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073\r\nNew Process Created Via Wmic.EXE 526be59f-a573-4eea-b5f7-f0973207634d\r\nNet.exe Execution 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac\r\nNon Interactive PowerShell Process Spawned f4bbd493-b796-416e-bbf2-121235348529\r\nPotential Defense Evasion Via Rename Of Highly Relevant Binaries 0ba1da6d-b6ce-4366-828c-18826c9de23e\r\nPotential Execution of Sysinternals Tools 7cccd811-7ae9-4ebe-9afd-cb5c406b824b\r\nPotential Recon Activity Via Nltest.EXE 5cc90652-4cbd-4241-aa3b-4b462fa5a248\r\nProcess Creation Using Sysnative Folder 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab\r\nPsexec Execution 730fc21b-eaff-474b-ad23-90fd265d4988\r\nRundll32 Execution Without DLL File c3a99af4-35a9-4668-879e-c09aeb4f2bdf\r\nShare And Session Enumeration Using Net.EXE 62510e69-616b-4078-b371-847da438cc03\r\nSMB Create Remote File Admin Share b210394c-ba12-4f89-9117-44a2464b9511\r\nSuspicious Call by Ordinal e79a9e79-eb72-4e78-a628-0e7e8f59e89c\r\nSuspicious Copy From or To System32 fff9d2b7-e11c-4a69-93d3-40ef66189767\r\nSuspicious Encoded PowerShell Command Line ca2092a1-c273-4878-9b4b-0d60115bf5ea\r\nSuspicious Execution of Hostname 7be5fb68-f9ef-476d-8b51-0256ebece19e\r\nSuspicious Group And Account Reconnaissance Activity Using Net.EXE d95de845-b83c-4a9a-8a6a-4fc802ebf6c0\r\nSuspicious Manipulation Of Default Accounts Via Net.EXE 5b768e71-86f2-4879-b448-81061cbae951\r\nSuspicious Network Command a29c1813-ab1f-4dde-b489-330b952e91ae\r\nSuspicious Process Created Via Wmic.EXE 3c89a1e8-0fba-449e-8f1b-8409d6267ec8\r\nSuspicious Rundll32 Without Any CommandLine Params 1775e15e-b61b-4d14-a1a3-80981298085a\r\nWMIC Remote Command Execution 7773b877-5abb-4a3e-b9c9-fd0369b59b00\r\nWmiPrvSE Spawned A Process d21374ff-f574-44a7-9998-4a8c8bf33d7d\r\nCobaltStrike Named Pipe d5601f8c-b26f-4ab0-9035-69e11a8d4ad2\r\nSuspicious Execution of Systeminfo 0ef56343-059e-4cb6-adc1-4c3c967c5e46\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/14335/14335.yar#L184-L203\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/18190/18190.yar#L12-L43\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/18190/18190.yar#L45-L76\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/1013/1013.yar#L72-L103\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/18543/18543.yar\r\nMITRE\r\nPsExec - S0029\r\nAdFind - S0552\r\nNet - S0039\r\nSysteminfo - S0096\r\nipconfig - S0100\r\nNltest - S0359\r\nMalicious File - T1204.002\r\nScheduled Task - T1053.005\r\nWeb Protocols - T1071.001\r\nData Encrypted for Impact - T1486\r\nLSASS Memory - T1003.001\r\nSystem Network Configuration Discovery - T1016\r\nSystem Information Discovery - T1082\r\nSystem Language Discovery - T1614.001\r\nRemote System Discovery - T1018\r\nLocal Groups - T1069.001\r\nLocal Account - T1087.001\r\nDomain Trust Discovery - T1482\r\nDomain Groups - T1069.002\r\nDomain Account - T1087.002\r\nNetwork Share Discovery - T1135\r\nSecurity Software Discovery - T1518.001\r\nRemote Desktop Protocol - T1021.001\r\nLateral Tool Transfer - T1570\r\nSMB/Windows Admin Shares - T1021.002\r\nMatch Legitimate Name or Location - T1036.005\r\nProcess Injection - T1055\r\nRundll32 - T1218.011\r\nArchive Collected Data - T1560\r\nHTML Smuggling - T1027.006\r\nValid Accounts - T1078\r\nCredentials in Files - T1552.001\r\nCredentials in Registry - T1552.002\r\nPowerShell - T1059.001\r\nWindows Command Shell - T1059.003\r\nWindows Management Instrumentation - T1047\r\nSpearphishing Attachment - T1566.001\r\nDFIR Report Tracking\r\nSoftPerfect Network Scanner\r\nCobalt Strike\r\nIcedID\r\nInternal case # 18543\r\nSource: https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/"
	],
	"report_names": [
		"html-smuggling-leads-to-domain-wide-ransomware"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434934,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2014c2445876f947baa40b93241789301f29474.pdf",
		"text": "https://archive.orkl.eu/b2014c2445876f947baa40b93241789301f29474.txt",
		"img": "https://archive.orkl.eu/b2014c2445876f947baa40b93241789301f29474.jpg"
	}
}
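The report text in the record above closes with a list of Sigma rule names. As an added example, which is not code from The DFIR Report and not the SigmaHQ rules those names refer to, the Python below approximates what seven of the named detections check for, runs them over constructed process-creation events, and reports which rules fired on which command lines. The `Image|ParentImage|CommandLine` event layout, the predicates and every sample command line are assumptions made for this example; in production you would evaluate the published Sigma rules against Sysmon Event ID 1 or Security 4688 telemetry rather than this toy matcher.

```python
"""Toy evaluator for a few of the detections named in the report's Sigma list.

Added example: not code from The DFIR Report and not the SigmaHQ rules
themselves. Each predicate only approximates the intent of the rule it is
named after. The event layout and sample events below are constructed.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


# Constructed process-creation events (not from the case), one per line,
# laid out as Image|ParentImage|CommandLine. The last line is benign noise.
SAMPLE_LOG = r"""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\cmd.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
C:\Windows\System32\net.exe|C:\Windows\System32\cmd.exe|net group "domain admins" /domain
C:\Windows\System32\rundll32.exe|C:\Windows\explorer.exe|rundll32.exe
C:\Windows\System32\wbem\WMIC.exe|C:\Windows\System32\cmd.exe|wmic /node:10.0.0.5 process call create "cmd.exe /c whoami"
C:\Windows\System32\systeminfo.exe|C:\Windows\System32\cmd.exe|systeminfo
C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|"C:\Windows\System32\notepad.exe" C:\Users\u\notes.txt
"""


def parse_log(text: str) -> list[ProcEvent]:
    """Split the constructed pipe-delimited log into events."""
    events = []
    for line in text.strip().splitlines():
        image, parent, cmdline = line.split("|", 2)
        events.append(ProcEvent(image, parent, cmdline))
    return events


def _is(ev: ProcEvent, *names: str) -> bool:
    """True if the image file name (case-insensitive) is one of names."""
    return ev.image.lower().rsplit("\\", 1)[-1] in names


def encoded_powershell(ev: ProcEvent) -> bool:
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand
    # (-e, -ec, -enc, ...), so match on prefix rather than on a fixed list.
    if not _is(ev, "powershell.exe", "pwsh.exe"):
        return False
    for tok in ev.command_line.split():
        if tok[:1] in ("-", "/") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return True
    return False


def net_group_recon(ev: ProcEvent) -> bool:
    # net/net1 enumerating privileged or domain groups.
    if not _is(ev, "net.exe", "net1.exe"):
        return False
    cl = ev.command_line.lower()
    if not (" group " in cl or " localgroup " in cl):
        return False
    return any(k in cl for k in ("domain admins", "enterprise admins", "administrators", "/domain"))


def rundll32_without_params(ev: ProcEvent) -> bool:
    # rundll32.exe started with no DLL/entry point at all.
    cl = ev.command_line.strip().strip('"').lower()
    return _is(ev, "rundll32.exe") and cl.endswith("rundll32.exe")


def wmic_process_create(ev: ProcEvent) -> bool:
    cl = ev.command_line.lower()
    return _is(ev, "wmic.exe") and "process" in cl and "call" in cl and "create" in cl


def wmic_remote_execution(ev: ProcEvent) -> bool:
    # /node: targets another host.
    return _is(ev, "wmic.exe") and "/node:" in ev.command_line.lower()


def systeminfo_execution(ev: ProcEvent) -> bool:
    return _is(ev, "systeminfo.exe")


def hostname_execution(ev: ProcEvent) -> bool:
    return _is(ev, "hostname.exe")


# Keys are the rule names as listed in the report; predicates are this example's.
RULES = {
    "Encoded PowerShell Command Line": encoded_powershell,
    "Suspicious Group And Account Reconnaissance Activity Using Net.EXE": net_group_recon,
    "Suspicious Rundll32 Without Any CommandLine Params": rundll32_without_params,
    "Suspicious Process Created Via Wmic.EXE": wmic_process_create,
    "WMIC Remote Command Execution": wmic_remote_execution,
    "Suspicious Execution of Systeminfo": systeminfo_execution,
    "Suspicious Execution of Hostname": hostname_execution,
}


def evaluate(text: str) -> dict[str, list[str]]:
    """Return {rule name: [command lines that matched]} for rules that fired."""
    hits: dict[str, list[str]] = {}
    for ev in parse_log(text):
        for name, pred in RULES.items():
            if pred(ev):
                hits.setdefault(name, []).append(ev.command_line)
    return hits


if __name__ == "__main__":
    for name, cmds in evaluate(SAMPLE_LOG).items():
        print(f"[{name}]")
        for c in cmds:
            print("   ", c)
```

Note that a single event can satisfy several rules (the wmic line trips both the process-create and the remote-execution predicate), and that the benign notepad event matches nothing; when tuning real rules, the parent image carried in each event is the usual place to add exclusions.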