BlackSuit Ransomware

Key Takeaways

  • In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware.
  • The threat actor leveraged various tools, including Sharphound, Rubeus, SystemBC, Get-DataInfo.ps1, Cobalt Strike, and ADFind, along with built-in system tools.
  • Command and control traffic was proxied through CloudFlare to conceal their Cobalt Strike server.
  • Fifteen days after initial access, BlackSuit ransomware was deployed by copying files over SMB to admin shares and executing them through RDP sessions.
  • Three rules were added to our private ruleset related to this case.

An audio version of this report can be found on SpotifyAppleYouTubeAudible, & Amazon

The DFIR Report Services

  • Private Threat Briefs: Over 20 private DFIR reports annually.
  • Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.
  • All Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, opendir reports, long-term tracking, data clustering, and other curated intel.
  • Private Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT&CK with test examples.
  • DFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactive labs are available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.

Contact us today for pricing or a demo!

Table of Contents:

Case Summary

The intrusion began in December 2023, with the initial sign being the execution of an unusually large-sized Cobalt Strike beacon. After the beacon’s execution, there was no immediate follow-up activity. The initial access delivery method for the intrusion remains unclear, as there was no evidence available. The Cobalt Strike C2 traffic beaconed to IP addresses managed by CloudFlare, which acted as proxy server between the victim network and their team server.

Approximately six hours after the initial execution, the threat actor used Windows utilities, such as systeminfo and nltest to perform enumeration on the system and environment. After, they conducted AS-REP Roasting and Kerberoasting attacks against two of the domain controllers, utilizing Rubeus, which was executed in memory via Cobalt Strike. Following this, the threat actor ran Sharphound in memory through the Cobalt Strike beacon, and saved the output to disk.

Around ten minutes after the initial discovery, the threat actor carried out their first lateral movement. They transferred a Cobalt Strike beacon via SMB and executed it through a service to compromise another workstation. On that workstation, they accessed LSASS to obtain credentials from memory. Throughout the second day of the intrusion, the threat actor deployed multiple Cobalt Strike beacons on workstations and servers and also used RDP for further lateral movement.

The threat actor deployed multiple SystemBC executables on one of the file servers. The second executable, established persistence through a registry run key and opened a new command and control channel. After a busy second day of activity, the intrusion went silent. On the seventh day, the Cobalt Strike command and control domain stopped using CloudFlare and switched to an Amazon AWS IP address, for the remainder of the intrusion.

On the eighth day, the threat actors deployed a new PowerShell Cobalt Strike beacon on a domain controller, this time pointing to a separate command and control server. After two days of inactivity, the intrusion resumed with more Cobalt Strike beacons being distributed, along with several RDP logins. More discovery activity was noticed when Sharphound was executed again. The threat actor attempted multiple times to run ADFind but failed in each instance.

Five days later, the threat actor returned to finalize their objectives. This time, ADFind was executed successfully, followed by the execution of the PowerShell script Get-DataInfo.ps1. The final step was the deployment of the BlackSuit ransomware binary, qwe.exe, which was distributed via SMB to remote systems through the C$ share. The attacker then manually connected to these systems using RDP to execute the ransomware. Upon execution, the ransomware used vssadmin to delete shadow copies before encrypting the hosts. The Time to Ransomware (TTR) was just under 328 hours, spanning 15 calendar days, with files being encrypted and the BlackSuit ransom note left on desktops and folders across the systems.

If you would like to get an email when we publish a new report, please subscribe here. Follow us on LinkedIn for additional insights and notifications!

Analysts

Analysis and reporting completed by @MetallicHack, @yatinwad, and @malforsec.

Initial Access

The earliest sign of the threat actor’s presence was the execution of a Cobalt Strike beacon, identified as RtWin64.exe. Despite thorough investigation, the initial access point for the beacon’s deployment could not be determined.

Execution

Cobalt Strike PsExec

Cobalt Strike served as the primary tool utilized by the threat actor, with a particular focus on its capabilities that mimic Sysinternals PsExec. These features, including psexec and psexec_psh, enable remote process execution across systems. The psexec module functions by uploading a binary to the target system, then creating and launching a Windows service to execute the file.

The eventID 7045 in Windows System logs shows the services created on the system:

The psexec command spawned a rundll32.exe process.

The psexec_psh module doesn’t copy a binary to the target, but instead executes a PowerShell one-liner. The pattern it uses is %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand …

Persistence

Registry Run Key

To ensure persistent access to the environment, the threat actor created a run key named “socks5” within the Current User registry hive. The registry key’s configuration indicated that PowerShell would be used to launch a SystemBC backdoor named socks32.exe.

Sysmon eventID 13 (Registry value set) shows changes to a registry key value:

One interesting thing to mention is that the registry value name socks5 created under the Run key is hard coded.

The data is a string (type REG_SZ) which starts with powershell.exe windowstyle -hidden Command concatenated with the current executable name, which is obtained using GetModuleFileNameA with a null hModule first parameter.

Scheduled Task

SystemBC possesses the ability to create scheduled tasks using COM, as demonstrated in the following example. While other reports have noted SystemBC utilizing this feature, it likely wasn’t employed in our case, as no evidence of scheduled task creation was observed during our investigation.

It first uses the function CoCreateInstance to create an instance of an ITaskScheduler object and then call the method NewWorkItem to create a scheduled task.

Privilege Escalation

On a workstation that the threat actor moved laterally to, we observed use of named pipes.

Usually, when observing this behavior from Cobalt Strike, this tends to be usage of the getsystem command to elevate privileges; however, in this case we observed the parent process to not be services.exe and the threat actor was already running as SYSTEM. This activity was seen in correlation to pass-the-hash behavior listed in Lateral Movement. The threat actor changed to the context of a domain administrator and then was observed moving laterally again using Cobalt Strike, so we attribute this activity to pass-the-hash command execution activity rather than getsystem.

Defense Evasion

Modify Registry

The threat actor employed an encoded PowerShell command to modify the registry, enabling Remote Desktop Protocol (RDP) access to a file server.

Setting the registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” DenyTSConnections to 0 will allow terminal server connections to the host.

Process Injection

Given the threat actor’s extensive use of Cobalt Strike beacons, we anticipated the use of process injection as a method of evading detection by hiding within legitimate processes.

Upon analyzing process injections and access patterns from Cobalt Strike-generated processes, we successfully identified the suspicious activity we were searching for.

These injections can then be confirmed using things like YARA memory scanning:

Credential Access

The threat actor undertook multiple actions to obtain valid credentials, primarily leveraging Rubeus as the key tool. During our investigation, we discovered that Rubeus had been loaded into mstsc.exe—a process previously injected by Cobalt Strike—functioning as a CLR module.

AS-REP roasting

AS-REP roasting was the first credential access activity performed by the threat actor. This was done with Rubeus on the beachhead host targeting a domain controller.

Rubeus writing the result of AS-REP roasting output to a file:

Indications of AS-REP roasting can be found by looking for windows eventID 4768 on the target domain controller. The request is for Authentication tickets(TGT) with “Pre-Authentication Type” set to 0, meaning no password is required.

A lot of Kerberos Authentication Tickets were requested during AS-REP Roasting:

Kerberoasting

The threat actor used Rubeus to conduct a Kerberoasting attack. During this period of time, we observed numerous Kerberos ticket requests, specifically using encryption type 0x17, which corresponds to RC4 encryption. These RC4 encryption requests coincided with the execution of Rubeus and targeted multiple accounts across the domain

Rubeus executed in memory by Cobalt Strike creating kerberoast output:

EventID 4769 on a domain controller showing request for tickets with weak encryption:

LSASS memory access

The threat actor accessed LSASS memory on a workstation with a specific access request of 0x1010, where 0x0010 is necessary to read memory using ReadProcessMemory. This request originated from a process that had been injected with Cobalt Strike.

Sysmon eventID 10 shows mstsc.exe accessing lsass with the access mask 0x1010

Discovery

Discovery plays a critical role for the threat actor in assessing the environment they have infiltrated. Throughout the intrusion, the attacker conducted discovery activities across multiple systems, gathering valuable intelligence on the network and its assets.

Hands On Keyboard

Discovery began on the beachhead host approximately six hours after initial access. The first command executed was “systeminfo,” aimed at gathering details about the local system. Shortly after, the command “nltest /dclist” was issued to identify the domain controllers within the environment.

Sysmon eventID 1 shows evidence of running the commands:

Sharphound

Once the threat actor identified the domain controllers, they wasted no time and promptly loaded Sharphound into memory via Cobalt Strike. This allowed them to conduct further discovery activities within the environment, expanding their reconnaissance efforts.

We have some proof showing mstsc.exe loading Sharphound as a CLR(Common Language Runtime) module. mstsc.exe is the child process of Cobalt Strike beacon RtWin64.exe. The below screenshot taken from the EDR telemetry depicts that:

Output from Sharphound was stored in “C:\Windows\Temp\Dogi\”. The recurring use of this directory aligns with behaviors documented in a different report, BazarCall to Conti Ransomware chain. This suggests a potential operational signature or TTP (Tactics, Techniques, and Procedures) common to this threat actor group or its operators. Based on the output files created, `it looks like it was run in default mode as described below.

Sysmon eventID 11 showing the files created:

Sharphound appeared to be running in its default mode, which involves enumerating local group memberships by querying the Windows Security Accounts Manager (SAM) database remotely through the samr pipe on the target host. This pipe is exposed via the IPC$ share, and corresponding activity can be detected by monitoring Windows security events with event ID 5145. A similar approach is used to discover logged-on users; however, in this case, Sharphound communicates with the srvsvc pipe, utilizing the Server Service Remote Protocol.

Windows eventlog eventID 5145 showing Sharphound enumeration activity:

When Sharphound enumerates the Active Directory through LDAP searches, it performs an excess amount of queries.

Example of Sharphound LDAP searches:

"(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913))", "(BuildString("(primarygroupid=*)"

Sharphound executed in memory by Cobalt Strike, performing LDAP queries:

Sharphound was initially executed on the beachhead host. Later in the intrusion, the threat actor ran Sharphound two more times, this time on a domain controller. The output from the first run was saved to “C:\Windows\System32\”, while the second run’s results were directed to “C:\Perflogs\”.

Again Sysmon eventID 11 caught the files created by Sharphound:

Windows Security eventID 4799 shows Sharphound performing discovery on local security-enabled groups:

More information on how Sharphound functions can be found here:

 

More ways to detect LDAP queries generally in this great article here:

 

ADFind

ADFind, a tool frequently used by threat actors, was also employed in this intrusion to conduct enumeration and discovery. After gaining access to the second domain controller, the threat actor created “ADFind.exe” and “adf.bat” in an attempt to gather further Active Directory information.

Sysmon eventID 11 showing creation of ADFind.exe and adf.bat by Cobalt Strike:

A few seconds after creation of the files, the threat actor was eager to collect the desired information and executed adf.bat via cmd.exe:

No additional commands were observed after each batch file execution. This indicates the operator may have encountered difficulties, as the batch file was executed twice within just over a minute of the initial attempt, suggesting potential issues or missteps during execution.

Sysmon eventID 11 shows the creation of the files with the output of ADFind:

It’s possible that the files ended up being empty, causing the threat actor to reconsider their approach. About 15 minutes later, the operator tried running ADFind.exe directly from the command line, likely to verify whether the tool would execute properly.

After failing to determine the cause of the issue, the threat actor stayed quiet until the next day. The operator likely made an error by trying to run “adf.bat” from “C:\Windows\System32\” when both “adf.bat” and “ADFind.exe” were actually located in “C:\Perflogs\adf\". Because of this, “ADFind.exe” probably couldn’t be found as an executable in the wrong directory, leading to the error.

After several days, the threat actor decided to give ADFind another try. This time, on the file server the operator was successful in running adf.bat correctly to find ADFind.exe and perform the desired discovery activity:

Sysmon eventID 1 showing threat actor running adf.bat:

Resulting in several adfind.exe process events:

 

Get-DataInfo.ps1

The threat actor also used a PowerShell script to enumerate local systems. Together with a batch script called “start.bat” the threat actor ran Get-DataInfo.ps1 on both a domain controller and a different servers in the environment. We have seen this PowerShell script used several times before. Interestingly, PowerShell was initiated using the start.bat file. However, the start.bat file did not work as intended and passed the “method” parameter to the Get-DataInfo.ps1 script, which is not recognized as a valid parameter. As a result, it ran in default mode. This behavior may have confused the operator at the keyboard, as well as the batch script that was run several times in a row on both servers.

Sysmon EventID 1 shows start.bat executes Get-DataInfo.ps1 with parameter method:

 

The start.bat script tries to set a variable called method to the discovery method chosen by the user if the method is not typed on the command line:

The issue with the script arises from the fact that the variable “method” does not receive the user-chosen value until after the IF condition is complete. Additionally, the variable must be referenced as %method% to capture the user input correctly. This oversight explains why the PowerShell command initiating Get-DataInfo.ps1 includes “method” as a parameter on the command line:

The below will end up running the Get-DataInfo.ps1 script in default mode:

The default mode will run the Test-LHost, Get-DiskInfo and Get-Software functions in the script before calling the last function, Compress-Result:

Sysmon eventID 1 showing the execution:

Sysmon eventID 1 process create showing several runs of start.bat:

 

Windows Utilities

The threat actor performed several discovery commands using various Windows utilities at various times during the intrusion.

C:\Windows\system32\\cmd.exe /C systeminfo	
C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
C:\Windows\system32\cmd.exe /C nltest /dclist <domainname redacted>
nltest  /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe /C net group "enterprise admins" /domain
C:\Windows\system32\cmd.exe /C ping <hostname redacted>
C:\Windows\system32\taskmgr.exe /4
C:\Windows\system32\cmd.exe /C All windows Import-Module ActiveDirectory Get-ADComputer -Filter {enabled -eq $true} -properties *|select Name, DNSHostName, OperatingSystem, LastLogonDate, IPv4Address | Export-CSV C:\Users\AllWindows.csv -NoTypeInformation -Encoding UTF8
C:\Windows\system32\cmd.exe /C route print
C:\Windows\system32\cmd.exe /C ping http://<IP redacted>/

Administrator Consoles

On the final day of the intrusion, the threat actor accessed the administrative consoles for both DNS and Group Policy. Shortly after, they proceeded to deploy ransomware across the environment.

C:\Windows\system32\mmc.exe C:\Windows\system32\dsa.msc 
C:\Windows\system32\mmc.exe C:\Windows\System32\gpedit.msc

Lateral Movement

Pass the hash

An examination of logon activity within the environment revealed evidence pointing to pass-the-hash attacks. Specifically, Windows Security logs with event ID 4624, showing logon type 9 and the Logon Process listed as “seclogo,” serve as solid indicators of the pass-the-hash technique employed by the threat actor.

The threat actor used three main methods for lateral movement. First, Cobalt Strike utilized SMB ADMIN$ shares to move beacons laterally, along with distributing both SMB and HTTPS beacons. Secondly, they used Remote Desktop Protocol to access a file server and a backup server, where they performed discovery activity. Lastly, the threat actor used the hidden SMB share C$ to distribute the ransomware executable to strategic endpoints within the infrastructure.

A domain controller was used as the main pivot point by the threat actor.

Overview of lateral movement involving SMB ADMIN$ shares and RDP:

To investigate access to the SMB ADMIN$ share, the Windows event log proves invaluable. By examining System event ID 5145, which indicates “A network share object was checked…,” We can track the movement of beacons by the threat actor across the network, gaining essential insight into their lateral movements and activities.

The RDP Activity can be identified with windows security eventID 4624 where the logon type equals 10 RemoteInteractive – “A user logged on to this computer remotely using Terminal Services or Remote Desktop.”

Windows security event ID 5145 was used to demonstrate lateral movement once again, showing SMB C$ share usage.

Cobalt Strike SMB beacons, used for lateral movement, were distributed on the beachhead and on a domain controller:

The configuration of the SMB beacons:

xorkey b'.' 2e
0x0001 payload type                     0x0001 0x0002 2 windows-beacon_smb-bind_pipz
0x0002 port                             0x0001 0x0002 4444
0x0003 sleeptime                        0x0002 0x0004 10000
0x0004 maxgetsize                       0x0002 0x0004 2048576
0x0005 jitter                           0x0001 0x0002 0
0x0006 maxdns                           0x0001 0x0002 0
0x0007 publickey                        0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100b8783383addbd675fb86964aae676bcaf31237e8cb4edf428d39816f41810d852974f73e9ae1e7fd525c02221b9761a8f157db0728039c1103f31bb8adae4b4fed45f670943616de985e5dfc034982f3eb8ff643db4433fb59f2a45058eeed09af9881931dd32d999279172b79739f60628e57c311f4234fe65ea8eab3b7d19b020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0x0008 server,get-uri                   0x0003 0x0100 (NULL ...)
0x0009 useragent                        0x0003 0x0080 (NULL ...)
0x000a post-uri                         0x0003 0x0040 (NULL ...)
0x000b Malleable_C2_Instructions        0x0003 0x0100
  Transform Input: [7:Input]
0x000c http_get_header                  0x0003 0x0100
0x000d http_post_header                 0x0003 0x0100
0x000e SpawnTo                          0x0003 0x0010 (NULL ...)
0x001d spawnto_x86                      0x0003 0x0040 '%windir%\\syswow64\\SyncHost.exe'
0x001e spawnto_x64                      0x0003 0x0040 '%windir%\\sysnative\\mstsc.exe'
0x000f pipename                         0x0003 0x0080 '\\\\.\\pipe\\WkSvcPipeMgr_JORW2e'
0x001f CryptoScheme                     0x0001 0x0002 0
0x0037 EXIT_FUNK                        0x0001 0x0002 0
0x0028 killdate                         0x0002 0x0004 0
0x0025 license-id                       0x0002 0x0004 674054486 Stats uniques -> ips/hostnames: 60 publickeys: 47
0x0024 deprecated                       0x0003 0x0020 'bfnETSwzb1Xsa2g6gr+auA=='
0x0026 bStageCleanup                    0x0001 0x0002 1
0x0027 bCFGCaution                      0x0001 0x0002 0
0x0029 textSectionEnd                   0x0002 0x0004 1
0x002a ObfuscateSectionsInfo            0x0003 0x0028 '\x00\x10\x00\x00\x95`\x02\x00\x00p\x02\x00À\n\x03\x00\x00\x10\x03\x00\x00Í\x03\x00\x00Ð\x03\x00lî\x03'
0x003a TCP_FRAME_HEADER                 0x0003 0x0080 '\x00\x0fk\x1d^ôá±\x81Bª\x1da'
0x0039 SMB_FRAME_HEADER                 0x0003 0x0080 '\x00\x1ek\x01oÿ>ñëb±\x1b ×\x85\x8e¥X\x1eOQË©¶¦\x13ø1'
0x002b process-inject-start-rwx         0x0001 0x0002 4 PAGE_READWRITE
0x002c process-inject-use-rwx           0x0001 0x0002 32 PAGE_EXECUTE_READ
0x002d process-inject-min_alloc         0x0002 0x0004 13891
0x002e process-inject-transform-x86     0x0003 0x0100 '\x00\x00\x00U\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f@\x00\x0f\x1f\x80\x00\x00\x00\x00PX\x0f\x1fD\x00\x00f\x90f\x90\x90\x90f\x0f\x1fD\x00\x00f\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f@\x00\x0f\x1fD\x00\x00PXf\x0f\x1fD\x00\x00\x0f\x1fD\x00\x00\x00\x00\x00KPX\x0f\x1fD\x00\x00f\x0f\x1fD\x00\x00PX\x0f\x1fD\x00\x00f\x0f\x1fD\x00\x00f\x90\x90\x0f\x1fD\x00\x00\x0f\x1f\x80\x00\x00\x00\x00f\x90\x90\x90PXPX\x0f\x1fD\x00\x00f\x90\x0f\x1fD\x00\x00\x90\x0f\x1f\x00\x0f\x1fD\x00\x00\x0f\x1fD'
0x002f process-inject-transform-x64     0x0003 0x0100 '\x00\x00\x00\x16f\x90f\x0f\x1fD\x00\x00f\x90\x0f\x1f\x00f\x0f\x1f\x84\x00\x00\x00\x00\x00\x00\x00\x00Zf\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x80\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00PX\x0f\x1fD\x00\x00\x0f\x1f\x00f\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00f\x0f\x1fD\x00\x00\x90f\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1fD\x00\x00\x0f\x1f\x80\x00\x00\x00\x00f\x0f\x1fD\x00\x00\x90\x0f\x1f@'
0x0035 process-inject-stub              0x0003 0x0010 'ÅNí/½Ée\\\x0c\x13U\x0f\x04Ç,('
0x0033 process-inject-execute           0x0003 0x0080 '\x06\x04\x07\x00\x00\x00\x06ntdll\x00\x00\x00\x00\x13RtlUserThreadStart\x00\x01\x08\x03\x04'
0x0034 process-inject-allocation-method 0x0001 0x0002 0
0x0030 DEPRECATED_PROCINJ_ALLOWED       0x0001 0x0002 1
0x0010 killdate_year                    0x0001 0x0002 0
0x004a                                  0x0003 0x0020 'ÌѶ\x8f½ÉeDc~buq®FJô\x16\x9ccß\x82+\td\x7ff_J°\x11\x15'
0x0000
Guessing Cobalt Strike version: 4.4 (max 0x004a)

The threat actor’s use of RDP and tunnels via SystemBC left behind crucial artifacts that helped identify their activities. Notably, we detected two hostnames, “DESKTOP-0MEMSEA” and “DESKTOP-BIFFSC7”, which were used during the intrusion. These artifacts appeared in various logs, including Sysmon event ID 24 (clipboard change), Windows Security event ID 4624 (logon), event ID 4778 (terminal session reconnect), and event ID 4779 (terminal server disconnect), providing multiple points of evidence linking the threat actor’s presence across the environment.

Here is an overview of the RDP sessions where the threat actor used these two hosts:

 

Collection

Archiving

The threat actor used 7z to archive data output from running the Get-DataInfo.ps1 PowerShell script.

Sysmon eventID 1 showing execution of 7z.exe archiving data:

Looking for interesting files

In their pursuit of valuable data, the threat actor browsed through file systems, selectively opening files they deemed interesting. Documents containing passwords, financial information, and other sensitive data were specifically targeted, as these types of files typically hold high value for the intruders.

Sysmon eventID 1 showing Notepad and Wordpad used to open and look at files:

 

Command and Control

For command and control, the threat actor used two main tools, Cobalt Strike and SystemBC.

Cobalt Strike

Overview of Cobalt Strike traffic beaconing pattern over intrusion:

The initial Cobalt Strike beacon, delivered via RtWin64.exe on the beachhead host, maintained a continuous command and control domain at svchorst[.]com throughout the entire infection. The IP address associated with the domain changed over time, and the communication process also shifted as queries were injected into different processes by RtWin64.exe.

To further obfuscate its presence, the threat actor initially routed the Cobalt Strike command and control traffic through CloudFlare’s CDN service, effectively attempting to hide in plain sight by blending into legitimate web traffic.

The 104[.]21.76.140 and 172[.]67.196.25 addresses belonged to Cloudflare.

Later in the intrusion, the command and control (C2) server moved away from CloudFlare, and subsequently, the domain resolved to an AWS IP address.

DNS queries performed for svchorst[.]com:

Network connections to svchorst[.]com:

Using Didier Steven’s great tool 1768.py, we successfully extracted the configuration of the Cobalt Strike beacon, which validated the host artifacts discovered on the beachhead host.

xorkey b'.' 2e
0x0001 payload type                     0x0001 0x0002 8 windows-beacon_https-reverse_https
0x0002 port                             0x0001 0x0002 443
0x0003 sleeptime                        0x0002 0x0004 50408
0x0004 maxgetsize                       0x0002 0x0004 4103260
0x0005 jitter                           0x0001 0x0002 30
0x0007 publickey                        0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100b8783383addbd675fb86964aae676bcaf31237e8cb4edf
428d39816f41810d852974f73e9ae1e7fd525c02221b9761a8f157db0728039c1103f31bb8adae4b4fed45f670943616de985e5dfc034982f3eb8ff643db4433fb59f2a45058eeed09af9881931dd3
2d999279172b79739f60628e57c311f4234fe65ea8eab3b7d19b0203010001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0x0008 server,get-uri                   0x0003 0x0100 'svchorst.com,/shiatzu/v2.41'
0x0043 DNS_STRATEGY                     0x0001 0x0002 0
0x0044 DNS_STRATEGY_ROTATE_SECONDS      0x0002 0x0004 -1
0x0045 DNS_STRATEGY_FAIL_X              0x0002 0x0004 -1
0x0046 DNS_STRATEGY_FAIL_SECONDS        0x0002 0x0004 -1
0x000e SpawnTo                          0x0003 0x0010 (NULL ...)
0x001d spawnto_x86                      0x0003 0x0040 '%windir%\\syswow64\\SyncHost.exe'
0x001e spawnto_x64                      0x0003 0x0040 '%windir%\\sysnative\\mstsc.exe'
0x001f CryptoScheme                     0x0001 0x0002 0
0x001a get-verb                         0x0003 0x0010 'GET'
0x001b post-verb                        0x0003 0x0010 'POST'
0x001c HttpPostChunk                    0x0002 0x0004 0
0x0025 license-id                       0x0002 0x0004 674054486
0x0024 deprecated                       0x0003 0x0020 'bfnETSwzb1Xsa2g6gr+auA=='
0x0026 bStageCleanup                    0x0001 0x0002 1
0x0027 bCFGCaution                      0x0001 0x0002 0
0x0047 MAX_RETRY_STRATEGY_ATTEMPTS      0x0002 0x0004 0
0x0048 MAX_RETRY_STRATEGY_INCREASE      0x0002 0x0004 0
0x0049 MAX_RETRY_STRATEGY_DURATION      0x0002 0x0004 0
0x0009 useragent                        0x0003 0x0100 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Sa
fari/537.36'
0x000a post-uri                         0x0003 0x0040 '/unobservedly/v10.78'

In the rest of the infrastructure, two distinct types of Cobalt Strike beacons were deployed: HTTPS beacons and SMB beacons. The HTTPS beacons appeared to communicate with three different domains—wq[.]regsvcast[.]com, as[.]regsvcast[.]com, and zx[.]regsvcast[.]com—though, in reality, only wq[.]regsvcast[.]com was actively used, resolving to IP address 147.78.47[.]178. This Cobalt Strike server was tracked as active by the DFIR Threat Feeds from December 21st through Jan 6th, 2024.

Sysmon event ID 22 helped document the DNS queries related to the *regsvcast[.]com domains, providing further insight into the network activity tied to the Cobalt Strike infrastructure.

 

Sysmon event ID 3 logs every network connection made, provided it’s not disabled in the Sysmon configuration. This can be particularly useful, as some EDR solutions apply rate limits to this type of artifact.

Since Cobalt Strike beacons can generate significant traffic, the volume of network connections for each beacon can be observed in the final column of these logs, highlighting the frequency and noisiness of the communication between beacons and command and control infrastructure.

Below is the configuration of the beacon from DC Y which communicated encrypted over https on port 443:

File: b7bcee8.exe
payloadType: 0x00002810
payloadSize: 0x00040405
intxorkey: 0xe43ebc19
id2: 0x00000000
MZ header found position 9
Config found: xorkey b'.' 0x0003ac30 0x000403fc
0x0001 payload type                     0x0001 0x0002 8 windows-beacon_https-reverse_https
0x0002 port                             0x0001 0x0002 443
0x0003 sleeptime                        0x0002 0x0004 63612
0x0004 maxgetsize                       0x0002 0x0004 2796542
0x0005 jitter                           0x0001 0x0002 39
0x0007 publickey                        0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a208a5996fa9e52ff4f19fb148b97176ab0a7e2cfc1d59fcc661e4d1afad0c6636fc952b6cab7b88bc62e7c5ad34441750e74eab69ab68acc39f005cfd315edda934ad438245830fd29688df4a4f2b89154cb81ea126d04804015e2660f55136d1cce8fb14126d1677ac0b38746b7a5543753c53dae05552e142d8ba74c34569020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0x0008 server,get-uri                   0x0003 0x0100 'qw.regsvcast.com,/hr,as.regsvcast.com,/hr,zx.regsvcast.com,/hr'
0x0043 DNS_STRATEGY                     0x0001 0x0002 0
0x0044 DNS_STRATEGY_ROTATE_SECONDS      0x0002 0x0004 -1
0x0045 DNS_STRATEGY_FAIL_X              0x0002 0x0004 -1
0x0046 DNS_STRATEGY_FAIL_SECONDS        0x0002 0x0004 -1
0x000e SpawnTo                          0x0003 0x0010 (NULL ...)
0x001d spawnto_x86                      0x0003 0x0040 '%windir%\\syswow64\\runonce.exe'
0x001e spawnto_x64                      0x0003 0x0040 '%windir%\\sysnative\\runonce.exe'
0x001f CryptoScheme                     0x0001 0x0002 0
0x001a get-verb                         0x0003 0x0010 'GET'
0x001b post-verb                        0x0003 0x0010 'POST'
0x001c HttpPostChunk                    0x0002 0x0004 0
0x0025 license-id                       0x0002 0x0004 1580103824 Stats uniques -> ips/hostnames: 316 publickeys: 148
0x0026 bStageCleanup                    0x0001 0x0002 1
0x0027 bCFGCaution                      0x0001 0x0002 0
0x0009 useragent                        0x0003 0x0100 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246'
0x000a post-uri                         0x0003 0x0040 '/rw'
0x000b Malleable_C2_Instructions        0x0003 0x0100
  Transform Input: [7:Input,4,2:338,3,11]
   Print
   Remove 338 bytes from begin
   BASE64
   NETBIOS uppercase
0x000c http_get_header                  0x0003 0x0200
  Const_header Connection: close
  Const_header Accept-Encoding: br
  Build Metadata: [7:Metadata,13,3,2:wordpress_logged_in=,6:Cookie]
   BASE64 URL
   BASE64
   Prepend wordpress_logged_in=
   Header Cookie
0x000d http_post_header                 0x0003 0x0200
  Const_header Connection: close
  Const_header Accept-Language: en-US
  Const_header Content-Type: text/plain
  Build Output: [7:Output,3,3,4]
   BASE64
   BASE64
   Print
  Build SessionId: [7:SessionId,3,2:__session__id=,6:Cookie]
   BASE64
   Prepend __session__id=
   Header Cookie
0x0036 HostHeader                       0x0003 0x0080 (NULL ...)
0x0032 UsesCookies                      0x0001 0x0002 1
0x0023 proxy_type                       0x0001 0x0002 2 IE settings
0x003a TCP_FRAME_HEADER                 0x0003 0x0080 '\x00\x04'
0x0039 SMB_FRAME_HEADER                 0x0003 0x0080 '\x00\x04'
0x0037 EXIT_FUNK                        0x0001 0x0002 0
0x0028 killdate                         0x0002 0x0004 0
0x0029 textSectionEnd                   0x0002 0x0004 179426
0x002a ObfuscateSectionsInfo            0x0003 0x0028 '\x00À\x02\x00â¸\x03\x00\x00À\x03\x00H\x92\x04\x00\x00\xa0\x04\x00dÀ\x04\x00\x00Ð\x04\x00hß\x04'
0x002b process-inject-start-rwx         0x0001 0x0002 4 PAGE_READWRITE
0x002c process-inject-use-rwx           0x0001 0x0002 32 PAGE_EXECUTE_READ
0x002d process-inject-min_alloc         0x0002 0x0004 18046
0x002e process-inject-transform-x86     0x0003 0x0100 '\x00\x00\x00\x05\x90\x90\x90\x90\x90'
0x002f process-inject-transform-x64     0x0003 0x0100 '\x00\x00\x00\x05\x90\x90\x90\x90\x90'
0x0035 process-inject-stub              0x0003 0x0010 '"+\x8f\'Ûߺ\x8dÝU\x9eì¢~¦H'
0x0033 process-inject-execute           0x0003 0x0080 '\x01\x04\x03'
0x0034 process-inject-allocation-method 0x0001 0x0002 0
0x0000
Guessing Cobalt Strike version: 4.3 (max 0x0046)
Sanity check Cobalt Strike config: OK
Public key config entry found: 0x0003ac65 (xorKey 0x2e) (LSFIF: b'././.,.&.,./.,/')
Public key header found: 0x0003ac6b (xorKey 0x2e) (LSFIF: b'././.,.&.,./.,/')

One C2 connection from the Cobalt Strike beacons stands out from the rest: it originates from PowerShell but communicates over HTTP to port 80.

Communicating in clear text gives us the opportunity to look at what is going on. The threat actor used PowerShell to perform the download:

Using Wireshark to view the exact HTTP query to the C2 server:

A PowerShell script was downloaded that decodes a Base64-encoded blob using `FromBase64String`. At the end of the script, the decoded data is decompressed, which can easily be done using tools like `gunzip`. This behavior is highly indicative of a Cobalt Strike PowerShell stager. Upon decoding the Base64 blob, we uncovered another embedded PowerShell script.

This PowerShell script decodes another base64 blob, but as we can see it also performs XOR operations on the bytes. XOR with decimal 35(0x23) is a well known key for Cobalt Strike PowerShell stagers.

After decoding the final base64 blob we get the Cobalt Strike beacon and can get the configuration (as the configuration is the same on all HTTP beacons the config is extracted with csce):

{
  "beacontype": [
    "HTTPS"
  ],
  "sleeptime": 63612,
  "jitter": 39,
  "maxgetsize": 2796542,
  "spawnto": "AAAAAAAAAAAAAAAAAAAAAA==",
  "license_id": 1580103824,
  "cfg_caution": false,
  "kill_date": null,
  "server": {
    "hostname": "qw.regsvcast.com",
    "port": 443,
    "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiCKWZb6nlL/Txn7FIuXF2qwp+LPwdWfzGYeTRr60MZjb8lStsq3uIvGLnxa00RBdQ506raatorMOfAFz9MV7dqTStQ4JFgw/SlojfSk8riRVMuB6hJtBIBAFeJmD1UTbRzOj7FBJtFnesCzh0a3pVQ3U8U9rgVVLhQti6dMNFaQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
  },
  "host_header": "",
  "useragent_header": null,
  "http-get": {
    "uri": "/hr",
    "verb": "GET",
    "client": {
      "headers": null,
      "metadata": null
    },
    "server": {
      "output": [
        "print",
        "prepend 338 characters",
        "base64",
        "netbiosu"
      ]
    }
  },
  "http-post": {
    "uri": "/ch",
    "verb": "POST",
    "client": {
      "headers": null,
      "id": null,
      "output": null
    }
  },
  "tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
  "crypto_scheme": 0,
  "proxy": {
    "type": null,
    "username": null,
    "password": null,
    "behavior": "Use IE settings"
  },
  "http_post_chunk": 0,
  "uses_cookies": true,
  "post-ex": {
    "spawnto_x86": "%windir%\\syswow64\\runonce.exe",
    "spawnto_x64": "%windir%\\sysnative\\runonce.exe"
  },
  "process-inject": {
    "allocator": "VirtualAllocEx",
    "execute": [
      "CreateThread",
      "RtlCreateUserThread",
      "CreateRemoteThread"
    ],
    "min_alloc": 18046,
    "startrwx": false,
    "stub": "IiuPJ9vfuo3dVZ7son6mSA==",
    "transform-x86": [
      "prepend '\\x90\\x90\\x90\\x90\\x90'"
    ],
    "transform-x64": [
      "prepend '\\x90\\x90\\x90\\x90\\x90'"
    ],
    "userwx": false
  },
  "dns-beacon": {
    "dns_idle": null,
    "dns_sleep": null,
    "maxdns": null,
    "beacon": null,
    "get_A": null,
    "get_AAAA": null,
    "get_TXT": null,
    "put_metadata": null,
    "put_output": null
  },
  "pipename": null,
  "smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
  "stage": {
    "cleanup": true
  },
  "ssh": {
    "hostname": null,
    "port": null,
    "username": null,
    "password": null,
    "privatekey": null
  }
}

SytemBC

Another command and control channel utilized by the threat actor in this intrusion was SystemBC, a tool frequently favored by ransomware groups. One of its most commonly used features is its proxy functionality. This allowed the threat actor to leverage their own external computers and, through the SystemBC malware deployed on the file server, establish proxy connections to access the local network, facilitating further actions within the compromised environment.

The threat actor first brought in SystemBC as a file named SC.exe. This was executed manually by the threat actor after logging into the file server from DC X.

Security EventID 4624 showing RDP logon and Logon ID:

The threat actor manually started SystemBC with name SC.exe:

Notice that the original name is different and that the LogonID is the same as from the RDP login above.

Shortly after the threat actor brought another SystemBC file, with the name socks32.exe. That was moved to the file server from DC X.

socks32.exe moved over SMB C$ share:

Once again execution is done manually after logging in through RDP.

RDP logon:

Manual execution:

If the SystemBC sample is compiled without modifications, it should be feasible to extract the configuration from the implant by examining the exe file, as all information is presented in plain text.

Port and host configuration for SystemBC in the socks32.exe implant:

Impact

The threat actor’s primary objective in this case was financial gain through ransom. They introduced an executable named qwe.exe, which we later identified as BlackSuit ransomware.

This ransomware was strategically distributed across key endpoints within the infrastructure and executed, initiating the ransom demands.

Windows security eventID 5145 shows the distribution of the BlackSuit ransom executable via SMB C$ shares:

To avoid any errors during the final stage of their operation, the threat actor refrained from manually typing the command to execute the ransomware with the necessary command line arguments. Instead, to ensure accuracy and eliminate the risk of typos, they also moved a file named 123.txt along with qwe.exe, likely using it as a script or reference to guarantee the correct execution of the ransomware.

Windows security eventID 5145 shows distribution of 123.exe to the c:\users directory:

Movement of the 123.txt file seen from the network side. Including the content. The id is redacted.

After staging the ransomware executable qwe.exe and the helper file 123.txt, the threat actor used RDP from DC X to log onto various systems. Once logged in, they opened 123.txt in Notepad, copied the command from the file, and executed the ransomware. This method ensured the correct command line arguments were used, reducing the risk of mistakes during the final execution phase.

Sysmon eventID 1 showing notepad.exe opening 123.txt:

Sysmon eventID 1 showing execution of qwe.exe

Once the ransomware was executed a lot of ransom notes where created:

readme.blacksuit.txt looked like:

Timeline

 

Diamond Model

Indicators

Atomic

SystemBC C2
  137.220.61[.]94

Cobalt Strike C2
  svchorst[.]com        - 15.197.130[.]221
  as.regsvcast[.]com    - 147.78.47[.]178
  zx.regsvcast[.]com    - 147.78.47[.]178
  qw.regsvcast[.]com    - 147.78.47[.]178

Computed

RtWin64.exe	- Cobalt Strike Beacon
  md5:b5266cd35d1b3770b05  ad6870c0c4bde	
  sha1:2bb6c8b6461edc49e22f3d0c7dc45904b2ed8a2b
  sha256:55cde638e9bcc335c79c605a564419819abf5d569c128b95b005b2f48ccc43c1
  imphash:6015e6e85d0d93e60041fa68c6a89776

7f02ab2.exe	- Cobalt Strike Beacon	
  md5:3bf1142b3294c23852852053135ec0df	
  sha1:a3b617eb4248aba34c28c48886116ac97e55e932
  sha256:6c884e4a9962441155af0ac8e7eea4ac84b1a8e71faee0beafc4dd95c4e4753f  
  imphash:1b2b0fc8f126084d18c48b4f458c798b

7341ac3.exe	- Cobalt Strike Beacon
  md5:519dc779533b4ff0fc67727fecadba82	
  sha1:586ea19ea4776300962e20cfc9e7017a50888ecb
  sha256:a39dc30bd672b66dc400f4633dfa4bdd289b5e79909c2e25e9c08b44d99b8953
  imphash:1b2b0fc8f126084d18c48b4f458c798b

61185c1.exe	- Cobalt Strike Beacon
  md5:820cfde780306e759bb434da509f7a91	
  sha1:4e38b98965a4d4756e6f4a8259df62cbca7de559
  sha256:e92912153cf82e70d52203a1a5c996e68b7753818c831ac7415aedbe6f3f007d
  imphash:1b2b0fc8f126084d18c48b4f458c798b

b7bcee8.exe	- Cobalt Strike Beacon
  md5:b54240c98ca23202e58a1580135ad14c	
  sha1:cd55256904f1964b90b51089b46f1a933fec3e8e
  sha256:27e300fa67828d8ffd72d0325c6957ff54d2dc6a060bbf6fc7aa5965513468e0
  imphash:bed5688a4a2b5ea6984115b458755e90

e225857.exe	- Cobalt Strike Beacon
  md5:3900ebc7766f3894fb1eb300460376ad	
  sha1:e63732fb38d2e823348529a264b4c4718e0c0b4a
  sha256:f474241a5d082500be84a62f013bc2ac5cde7f18b50bf9bb127e52bf282fffbf
  imphash:bed5688a4a2b5ea6984115b458755e90

7341ac3.exe	- Cobalt Strike Beacon
  md5:519dc779533b4ff0fc67727fecadba82	
  sha1:586ea19ea4776300962e20cfc9e7017a50888ecb
  sha256:a39dc30bd672b66dc400f4633dfa4bdd289b5e79909c2e25e9c08b44d99b8953
  imphash:1b2b0fc8f126084d18c48b4f458c798b

AdFind.exe	
  md5:9b02dd2a1a15e94922be3f85129083ac
  sha1:2cb6ff75b38a3f24f3b60a2742b6f4d6027f0f2a
  sha256:b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682
  imphash:4fbf3f084fbbb2470b80b2013134df35

SharpHound.exe
  md5:76a2363d509cc7174c4abee9a7d7ae68
  sha1:286588a50b9b128d07aa0f8851f2d7ee91dfa372
  sha256:3b873bc8c7ee12fe879ab175d439b5968c8803fbb92e414de39176e2371896b2
  imphash:f34d5f2d4577ed6d9ceec516c1f5a744

socks32.exe
  md5:ed44877077716103973cbbebd531f38e
  sha1:ceb8c699a57193aa3be2a1766b03050cde3c738a
  sha256:9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300
  imphash:d66000edfed0a9938162b2b453ffa516

qwe.exe
  md5:0bb61c0cff022e73b7c29dd6f1ccf0e2
  sha1:8dde03600a18a819b080a41effc24f42fa960a3e
  sha256:60dcbfb30802e7f4c37c9cdfc04ddb411060918d19e5b309a5be6b4a73c8b18a
  imphash:ecc488e51fbb2e01a7aac2b35d5f10bd

Detections

Network

ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce]
ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce 2]
ET Threatview.io High Confidence Cobalt Strike C2 IP group 3
ET Threatview.io High Confidence Cobalt Strike C2 IP group 2
ET POLICY SMB Executable File Transfer
ET RPC DCERPC SVCCTL - Remote Service Control Manager Access
ET POLICY SMB2 NT Create AndX Request For a .bat File
ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory
ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement
ET POLICY PE EXE or DLL Windows file download HTTP

Sigma

Search rules on detection.fyi or sigmasearchengine.com

DFIR Public Rules Repo:

50046619-1037-49d7-91aa-54fc92923604 : AdFind Discovery

DFIR Private Rules:

03be05e6-4977-44cd-8ee4-a79400a5ceb0 : Detection of Cobalt Strike Execution
ded07dbe-bcd4-4d15-a27b-1669445d3215 : Enabling RDP service via reg.exe command execution
feee5785-1381-4119-95d0-ca0c3fffe2f2 : Potential Kerberoasting Attack Detected
f8fd3970-d558-40c8-86e2-a989cd53daea : RDP Session from Host with Default Hostname
194e0132-ddee-433c-ac98-3e544c5a2a3a : Suspicious Powershell Execution in Run Key

Sigma Repo:

903076ff-f442-475a-b667-4f246bcc203b : Nltest.EXE Execution
5cc90652-4cbd-4241-aa3b-4b462fa5a248 : Potential Recon Activity Via Nltest.EXE
9a132afa-654e-11eb-ae93-0242ac130002 : PUA - AdFind Suspicious Execution
d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 : CobaltStrike Named Pipe
496a0e47-0a33-4dca-b009-9e6ca3591f39 : Suspicious Kerberos RC4 Ticket Encryption
8eef149c-bd26-49f2-9e5a-9b00e3af499b : Pass the Hash Activity 2
f376c8a7-a2d0-4ddc-aa0c-16c17236d962 : HackTool - Bloodhound/Sharphound Execution
02773bed-83bf-469f-b7ff-e676e7d78bab : BloodHound Collection Files
0d894093-71bc-43c3-8c4d-ecfc28dcf5d9 : Mimikatz Detection LSASS Access
a18dd26b-6450-46de-8c91-9659150cf088 : Potentially Suspicious GrantedAccess Flags On LSASS
098d7118-55bc-4912-a836-dc6483a8d150 : Access To ADMIN$ Network Share
61a7697c-cb79-42a8-a2ff-5f0cdfae0130 : Potential CobaltStrike Service Installations - Registry
1d61f71d-59d2-479e-9562-4ff5f4ead16b : Suspicious Service Installation
4aafb0fa-bff5-4b9d-b99e-8093e659c65f : Writing Local Admin Share
ca2092a1-c273-4878-9b4b-0d60115bf5ea : Suspicious Encoded PowerShell Command Line
0ef56343-059e-4cb6-adc1-4c3c967c5e46 : Suspicious Execution of Systeminfo
bbb7e38c-0b41-4a11-b306-d2a457b7ac2b : Suspicious File Created In PerfLogs
3dfd06d2-eaf4-4532-9555-68aca59f57c4 : Process Execution From A Potentially Suspicious Folder
0d5675be-bc88-4172-86d3-1e96a4476536 : Potential Tampering With RDP Related Registry Keys Via Reg.EXE

Yara

File Scan Results:

DFIR Report:

https://github.com/The-DFIR-Report/Yara-Rules/compare/26364

https://github.com/search?q=repo%3AThe-DFIR-Report%2FYara-Rules+get-data&type=code

https://github.com/search?q=repo%3AThe-DFIR-Report%2FYara-Rules%20netscan&type=code

YARA Forge:

DITEKSHEN_MALWARE_Win_EXEPWSH_Dlagent
ELASTIC_Windows_Trojan_Cobaltstrike_1787Eef5
ELASTIC_Windows_Trojan_Cobaltstrike_7F8Da98A
EMBEERESEARCH_Win_Cobaltstrike_Pipe_Strings_Nov_2023
GCTI_Cobaltstrike_Resources_Artifact64_V3_14_To_V4_X

Memory Scan Results:

HKTL_CobaltStrike_SleepMask_Jul22
CobaltStrike_Sleep_Decoder_Indicator
Windows_Trojan_CobaltStrike_b54b94ac
HKTL_CobaltStrike_Beacon_4_2_Decrypt
CobaltStrike_Sleeve_Beacon_x64_v4_4_v_4_5_and_v4_6
Windows_Trojan_CobaltStrike_663fc95d
Windows_Trojan_CobaltStrike_3dc22d14
HKTL_CobaltStrike_Beacon_Strings
HKTL_Win_CobaltStrike
SUSP_PS1_JAB_Pattern_Jun22_1
WiltedTulip_WindowsTask
CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x
Cobaltbaltstrike_Payload_Encoded
Msfpayloads_msf_ref
CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13
Windows_Shellcode_Generic_8c487e57
Cobaltbaltstrike_RAW_Payload_smb_stager_x86
Windows_Trojan_Metasploit_38b8ceec
CobaltStrike_Resources_Smbstager_Bin_v2_5_through_v4_x
Windows_Trojan_CobaltStrike_f0b627fc
CobaltStrike_Sleeve_BeaconLoader_HA_x64_o_v4_3_v4_4_v4_5_and_v4_6
CobaltStrike_C2_Encoded_XOR_Config_Indicator
SUSP_XORed_Mozilla
SUSP_PowerShell_IEX_Download_Combo
CobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6
Windows_Trojan_Metasploit_7bc0f998
Windows_Trojan_Metasploit_c9773203

Rule authors:

[email protected]

Elastic Security

[email protected]

[email protected]

Florian Roth (Nextron Systems)

Avast Threat Intel Team

MITRE ATT&CK

Abuse Elevation Control Mechanism - T1548
Archive Collected Data - T1560
AS-REP Roasting - T1558.004
Data Encrypted for Impact - T1486
Domain Groups - T1069.002
Domain Trust Discovery - T1482
Inhibit System Recovery - T1490
Kerberoasting - T1558.003
LSASS Memory - T1003.001
Malicious File - T1204.002
Modify Registry - T1112
PowerShell - T1059.001
Process Injection - T1055
Proxy - T1090
Registry Run Keys / Startup Folder - T1547.001
Remote Desktop Protocol - T1021.001
Remote System Discovery - T1018
Security Software Discovery - T1518.001
Service Execution - T1569.002
SMB/Windows Admin Shares - T1021.002
Software Discovery - T1518
System Information Discovery - T1082
Web Protocols - T1071.001
Windows Command Shell - T1059.003
Pass the Hash - T1550.002

Internal case #TB29364 #PR31354