这是我们遇到过的入侵最快的勒索软件案例,攻击者从边界突破到部署域范围的勒索软件只用了大约4个小时。攻击者通过邮件钓鱼投递IcedID恶意软件成功突破了网络边界。以下是我们遇到过的其他勒索组织在边界突破阶段投递IcedID恶意软件的案例:
-
XingLocker – 24小时 从部署IcedID到XingLocker勒索
-
Conti – “照片被盗”钓鱼引发的Conti勒索软件和 Conti 勒索软件
-
REvil – Sodinokibi(又名 REvil)勒索软件
IcedID恶意软件被执行后约2小时,攻击者开始手动执行攻击活动。部署Cobalt Strike,使用RDP进行横向移动并使用WMI和PsExec部署Quantum勒索软件。整个入侵过程从入侵到部署勒索软件时间仅为3小时44分。
攻击者通过投递包含IcedID恶意软件的ISO镜像文件获取了一台用户终端的权限。我们怀疑ISO文件来自于钓鱼邮件,但是我们没有证据。ISO文件包含了一个DLL文件,并通过一个LNK快捷方式运行它。当用户双击ISO镜像文件后,只能看到一个名为ducument的快捷方式。双击快捷方式,便会执行DLL文件。
IcedID DLL文件被执行后,开始执行一连串地信息收集任务。例如执行Windows系统命令ipconfig、systeminfo、nltest、net、chcp。同时创建一个计划任务进行权限维持。
大约2小时后,攻击者利用傀儡进程和进程注入技术加载了Cobalt Strike载荷。攻击者开始手动攻击,使用名为ns.bat的批处理脚本调用AdFind扫描网络内的域控结构。之后,攻击者通过Cobalt Strike访问LSASS进程内存,窃取了用户的系统登录凭证。过了几分钟,开始尝试在一台服务器上远程执行WMI进行网络探测。直到窃取的凭证成功用于WMI后,攻击者通过RDP服务登录到服务器并尝试部署Cobalt Strike DLL载荷。但是执行失败了,于是攻击者打开cmd命令行并运行了PowerShell加载Cobalt Strike载荷,成功连接到了C2服务器。
接下来的一个小时,攻击者通过RDP又登录到了其他几台服务器。当攻击者接触到域控,便开始通过C$共享文件夹传递名为ttsel.exe的二进制勒索软件程序。并使用WMI和PsExec两种方式运行勒索软件。整个攻击活动不超过4小时。
尽管勒索组织声称盗取了数据,我们并没有发现数据泄漏的痕迹。但是不能排除攻击者通过IcedID或Cobalt Strike向外传输敏感文件的可能。
攻击者通过钓鱼邮件投递包含IcedID恶意软件的ISO镜像文件名为docs_invoice_173.iso,我们可以通过Microsoft-Windows-VHDMP-Operational.evtx日志中Eventi ID为12的事件确认用户挂载过虚拟磁盘的记录。
挂载ISO文件后,可以得到两个文件:
-
document.lnk
-
dar.dll (默认隐藏)
正常的用户打开之后看到的应该是这样的:
这个快捷方式document.lnk会执行IcedID DLL
document.lnk快捷方式指向的文件和启动命令如下:
C:WindowsSystem32rundll32.exe dar.dll,DllRegisterServer
通过LECmd.exe工具,我们可以得到LNK文件的更多信息,例如创建者的MAC地址和计算机名
通过Event ID 4663的日志,我们可以确定用户何时双击的ducument.lnk并触发了上述命令执行和进程创建。
在Sysmon日志中可以找到可执行文件的启动命令、文件路径等信息。
这个进程很快创建了许多子进程,用于进行权限维持和网络扫描。
包括创建C:WindowsSysWOW64cmd.exe用于傀儡进程和进程注入Cobalt Strike载荷。有许多标示攻击者的行为特征,如cmd.exe进程派生子进程rundll32.exe,rundll32.exe创建了名为postex_304a的命名管道。rundll32.exe和postex_[0-9a-f]{4}特征,是Cobalt Strike 4.2以上版本的默认特征。了解更多信息点击Cobalt Strike防护指南
通过分析进程内存,我们可以解析出Cobalt Strike的beacon配置信息。攻击者也在其他服务器上使用了PowerShell形式的Cobalt Strike载荷,如下:
载荷使用Cobalt Strike默认XOR 35编码,可以使用CyberChef解码:
使用scdbg可以分析出Windows API调用shellcode的执行信息:
攻击者尝试执行上传的p227.dll但是未知原因执行失败。随后使用PowerShell载荷执行成功。
在初始执行 IcedID 恶意软件后,它在 AppData 目录中创建恶意软件 (Ulfefi32.dll) 的副本,并创建一个每小时执行一次的计划任务。任务 kajeavmeva_{B8C1A6A8-541E-8280-8C9A-74DF5295B61A} 是使用以下执行操作创建的:
在一台失陷主机中我们观察到IcedID和Cobalt Strike使用了进程注入技术,注入的目标进程为winlogon
Cobalt Strike进程是通过Yara 扫描发现的
{"Pid": 7248,"ProcessName": "cmd.exe","CommandLine": "C:\Windows\SysWOW64\cmd.exe","Detection": ["win_cobalt_strike_auto","cobaltstrike_beacon_4_2_decrypt"]}{"Pid": 584,"ProcessName": "winlogon.exe","CommandLine": "winlogon.exe","Detection": ["win_cobalt_strike_auto","cobaltstrike_beacon_4_2_decrypt"]}{"Pid": 5712,"ProcessName": "powershell.exe","CommandLine": ""c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile","Detection": ["win_cobalt_strike_auto","cobaltstrike_beacon_4_2_decrypt"]}
使用Volatility工具可以发现winlogon进程的内存空间权限被修改成PAGE_EXECUTE_READWRITE,在进程内存空间中也发现了MZ 头部,符合进程注入的特征。
从进程日志中可以发现Cobalt Strike对外发起的网络连接行为。
我们发现攻击者使用两种方式转储LSASS进程内存,Windows 任务管理器和rundll32.exe(Cobalt Strike进程),如下图所示:
攻击者获取系统凭证并横向移动到AD域中。
在执行阶段IcedID恶意软件自动化执行如下命令进行信息收集:
-
cmd.exe /c chcp >&2
-
WMIC /Node:localhost /Namespace:\rootSecurityCenter2 Path AntiVirusProduct Get * /Format:List
-
ipconfig /all
-
systeminfo
-
net config workstation
-
nltest /domain_trusts
-
nltest /domain_trusts /all_trusts
-
net view /all /domain
-
net view /all
-
net group "Domain Admins" /domain
攻击者投递如下文件到C:WindowsTemp目录并通过cmd执行脚本文件
-
7.exe (7zip)
-
adfind.exe (AdFind)
-
adfind.bat (如下图)
攻击者使用AD域控枚举工具AdFind收集域内用户、计算机和子网等信息。文件 ad.7z 是上述 AdFind 命令的结果输出。之后,创建了一个额外的批处理脚本,ns.bat,它用nslookup 枚举了域中的所有主机名,以识别主机的IP 地址。
在从跳板机进行第一次横向移动之前,攻击者使用 WMI 测试凭据并从目标远程服务器收集信息
C:Windowssystem32cmd.exe, /C, wmic, /node:X.X.X.X, /user:administrator, /password:*****, os, get, captionRemote Desktop Protocol
攻击者使用 RDP 横向移动到关键主机。特别是使用管理员帐户的多台 RDP 机器。此入侵中的攻击者从名为 TERZITERZI 的工作站发起 RDP 连接。请参见下面的屏幕截图:
攻击者使用跳板机作为代理,证据是RDP连接从Cobalt Strike进程发起,
WMI
在整个入侵过程中,攻击者还使用 WMIC 执行横向活动,通过以 /node:IP 地址开头的 WMIC 命令远程执行命令,包括远程发现操作和远程启动勒索软件。
PsExec
PsExec 用于远程启动勒索软件。攻击者利用 PsExec 中的“-r”选项来定义在目标主机上创建的远程服务的自定义名称 (mstdc)(默认情况下为 PSEXESVC)。
IcedID
整个入侵过程中我们观潮到dar.dll外联的域名和IP如下
-
dilimoretast[.]com
-
138[.]68.42.130:443
Ja3: a0e9f5d64349fb13191bc781f81f42e1Ja3s: ec74a5c51106f0419184d0dd08fb05bcCertificate: [3e:f4:e9:d6:3e:47:e3:ce:51:2e:2a:91:e5:48:41:54:5e:53:54:e2 ]Not Before: 2022/03/22 09:34:53 UTCNot After: 2023/03/22 09:34:53 UTCIssuer Org: Internet Widgits Pty LtdSubject Common: localhostSubject Org: Internet Widgits Pty LtdPublic Algorithm: rsaEncryption
-
antnosience[.]com
-
157[.]245.142.66:443
JA3: a0e9f5d64349fb13191bc781f81f42e1Ja3s: ec74a5c51106f0419184d0dd08fb05bcCertificate: [0c:eb:c1:4b:0d:a1:b6:9d:7d:60:ed:c0:30:56:b7:48:10:d1:b1:6c ]Not Before: 2022/03/19 09:22:57 UTCNot After: 2023/03/19 09:22:57 UTCIssuer Org: Internet Widgits Pty LtdSubject Common: localhostSubject Org: Internet Widgits Pty LtdPublic Algorithm: rsaEncryption
-
oceriesfornot[.]top
-
188[.]166.154.118:80
Cobalt Strike
-
185.203.118[.]227
-
Watermark: 305419776
Ja3: 72a589da586844d7f0818ce684948eeaJa3s: f176ba63b4d68e576b5ba345bec2c7b7Certificate: [72:a1:ac:20:97:a0:cb:4f:b5:41:db:6e:32:fb:f5:7b:fd:43:9b:4b ]Not Before: 2022/03/21 22:16:04 UTCNot After: 2023/03/21 22:16:04 UTCIssuer Org: Google GMailSubject Common: gmail.comSubject Org: Google GMailPublic Algorithm: rsaEncryption
{"beacontype": ["HTTPS"],"sleeptime": 60000,"jitter": 15,"maxgetsize": 1049376,"spawnto": "AAAAAAAAAAAAAAAAAAAAAA==","license_id": 305419776,"cfg_caution": false,"kill_date": "2022-04-22","server": {"hostname": "185.203.118.227","port": 443,"publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="},"host_header": "","useragent_header": null,"http-get": {"uri": "/_/scs/mail-static/_/js/","verb": "GET","client": {"headers": null,"metadata": null},"server": {"output": ["print","append 375 characters","append 250 characters","prepend 4 characters","prepend 28 characters","prepend 36 characters","prepend 18 characters","prepend 4 characters","prepend 28 characters","prepend 36 characters","prepend 17 characters","prepend 4 characters"]}},"http-post": {"uri": "/mail/u/0/","verb": "POST","client": {"headers": null,"id": null,"output": null}},"tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=","crypto_scheme": 0,"proxy": {"type": null,"username": null,"password": null,"behavior": "Use IE settings"},"http_post_chunk": 0,"uses_cookies": true,"post-ex": {"spawnto_x86": "%windir%\syswow64\rundll32.exe","spawnto_x64": "%windir%\sysnative\rundll32.exe"},"process-inject": {"allocator": "VirtualAllocEx","execute": ["CreateThread","SetThreadContext","CreateRemoteThread","RtlCreateUserThread"],"min_alloc": 0,"startrwx": true,"stub": "tUr+Aexqde3zXhpE+L05KQ==","transform-x86": null,"transform-x64": null,"userwx": true},"dns-beacon": {"dns_idle": null,"dns_sleep": null,"maxdns": null,"beacon": null,"get_A": null,"get_AAAA": null,"get_TXT": null,"put_metadata": null,"put_output": null},"pipename": null,"smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=","stage": {"cleanup": false},"ssh": {"hostname": null,"port": null,"username": null,"password": null,"privatekey": null}}
尽管勒索组织声称盗取了数据,我们并没有发现数据泄漏的痕迹。但是不能排除攻击者通过IcedID或Cobalt Strike向外传输敏感文件的可能。
只用了不到四个小时,攻击者便达成了最终目的——成功部署域范围的勒索软件。攻击者从其中一台域控服务器使用PsExec和WMI在其他域内主机中远程运行勒索软件。
攻击者首先将勒索软件程序ttsel.exe上传到目标主机的C$共享下
C:Windowssystem32cmd.exe /K copy ttsel.exe \<IP>c$windowstemp攻击者利用 PsExec 中的“-r”选项来定义在目标主机上创建的远程服务的自定义名称(“mstdc”)(默认为 PSEXESVC)。
psexec.exe \<IP ADDRESS> -u <DOMAIN>Administrator -p "<PASSWORD>" -s -d -h -r mstdc -accepteula -nobanner c:windowstempttsel.exe这样在执行 PsExec 时目标主机上就创建了文件 C:Windowsmstdc.exe。
攻击者使用的备用方案是 WMI 调用,以在目标主机上启动远程进程。
wmic /node:"<IP ADDRESS>" /user:"<DOMAIN>Administrator" /password:"<PASSWORD>" process call create "cmd.exe /c c:windowstempttsel.exe"Quantum勒索软件开始加密域内所有主机上的文件,并生成勒索信 README_TO_DECRYPT.html
Quantum勒索软件提供了唯一标示作为在线聊天的密码
登录成功后的聊天窗口如下:
docs_invoice_173.iso
e051009b12b37c7ee16e810c135f1fef
415b27cd03d3d701a202924c26d25410ea0974d7
5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b
dar.dll
4a6ceabb2ce1b486398c254a5503b792
08a1c43bd1c63bbea864133d2923755aa2f74440
4a76a28498b7f391cdc2be73124b4225497232540247ca3662abd9ab2210be36
document.lnk
adf0907a6114c2b55349c08251efdf50
aa25ae2f9dbe514169f4526ef4a61c1feeb1386a
3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6
adf.bat
ebf6f4683d8392add3ef32de1edf29c4
444c704afe4ee33d335bbdfae79b58aba077d10d
2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04
Ulfefi32.dll
49513b3b8809312d34bb09bd9ea3eb46
445294080bf3f58e9aaa3c9bcf1f346bc9b1eccb
6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7
license.dat
e9ad8fae2dd8f9d12e709af20d9aefad
db7d1545c3c7e60235700af672c1d20175b380cd
84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238
ttsel.exe
b1eff4fffe66753e5f4265bc5332f72e
da2caf36b52d81a0d983407ab143bef8df119b8d
b6c11d4a4af4ad4919b1063184ee4fe86a5b4b2b50b53b4e9b9cc282a185afda
p227.dll
350f82de99b8696fea6e189fcd4ca454
deea45010006c8bde12a800d73475a5824ca2e6f
c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3
dilimoretast[.]com
antnosience[.]com
oceriesfornot[.]top
138[.]68.42.130:443
157[.]245.142.66:443
188[.]166.154.118:80
Cobalt Strike
C2/IP: 185.203.118[.]227:443
Watermark: 305419776
C2/IP: 185.203.118[.]227:443
Watermark: 305419776
ET MALWARE Observed Malicious SSL Cert (Fake Gmail Self Signed - Possible Cobalt Stirke)
ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory
ET MALWARE Win32/IcedID Request Cookie
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY PsExec service created
ET RPC DCERPC SVCCTL - Remote Service Control Manager Access
ET POLICY SMB2 NT Create AndX Request For an Executable File
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET POLICY SMB Executable File Transfer
https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/PSEXEC%20Custom%20Named%20Service%20Binary
https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/CHCP%20CodePage%20Locale%20Lookup
https://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml
https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_trust_discovery.yml
https://github.com/SigmaHQ/sigma/blob/dfdaecc52ca385c66d1b16971ce867e81bdce82e/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml
https://github.com/SigmaHQ/sigma/blob/625f05df3c477c4cd7a22e2a7a19742615da1eb5/rules/windows/file/file_event/file_event_win_tool_psexec.yml
https://github.com/SigmaHQ/sigma/blob/c5263039ae6e28a09192b4be2af40fea59a06b08/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml
https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml
https://github.com/SigmaHQ/sigma/blob/7f490d958aa7010f7f519e29bed4a45ecebd152e/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml
https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
https://github.com/SigmaHQ/sigma/blob/d459483ef6bb889fb8da1baa17a713a4f1aa8897/rules/windows/file_event/file_event_win_iso_file_recent.yml
https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml
https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/security/win_iso_mount.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
/*
YARA Rule Set
Author: The DFIR Report
Date: 2022-04-24
Identifier: Quantum Case 12647
Reference: https://thedfirreport.com
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule docs_invoice_173 {
meta:
description = "IcedID - file docs_invoice_173.iso"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-04-24"
hash1 = "5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b"
strings:
$x1 = "dar.dll,DllRegisterServer!%SystemRoot%\System32\SHELL32.dll" fullword wide
$x2 = "C:\Windows\System32\rundll32.exe" fullword ascii
$s3 = "C:\Users\admin\Desktop\data" fullword wide
$s4 = "Desktop (C:\Users\admin)" fullword wide
$s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii
$s6 = "1t3Eo8.dll" fullword ascii
$s7 = ")..\..\..\..\Windows\System32\rundll32.exe" fullword wide
$s8 = "DAR.DLL." fullword ascii
$s9 = "dar.dll:h" fullword wide
$s10 = "document.lnk" fullword wide
$s11 = "DOCUMENT.LNK" fullword ascii
$s12 = "6c484a379420bc181ea93528217b7ebf50eae9cb4fc33fb672f26ffc4ab464e29ba2c0acf9e19728e70ef2833eb4d4ab55aafe3f4667e79c188aa8ab75702520" ascii
$s13 = "03b9db8f12f0242472abae714fbef30d7278c4917617dc43b61a81951998d867efd5b8a2ee9ff53ea7fa4110c9198a355a5d7f3641b45f3f8bb317aac02aa1fb" ascii
$s14 = "d1e5711e46fcb02d7cc6aa2453cfcb8540315a74f93c71e27fa0cf3853d58b979d7bb7c720c02ed384dea172a36916f1bb8b82ffd924b720f62d665558ad1d8c" ascii
$s15 = "7d0bfdbaac91129f5d74f7e71c1c5524690343b821a541e8ba8c6ab5367aa3eb82b8dd0faee7bf6d15b972a8ae4b320b9369de3eb309c722db92d9f53b6ace68" ascii
$s16 = "89dd0596b7c7b151bf10a1794e8f4a84401269ad5cc4af9af74df8b7199fc762581b431d65a76ecbff01e3cec318b463bce59f421b536db53fa1d21942d48d93" ascii
$s17 = "8021dc54625a80e14f829953cc9c4310b6242e49d0ba72eedc0c04383ac5a67c0c4729175e0e662c9e78cede5882532de56a5625c1761aa6fd46b4aefe98453a" ascii
$s18 = "24ed05de22fc8d3f76c977faf1def1d729c6b24abe3e89b0254b5b913395ee3487879287388e5ceac4b46182c2072ad1aa4f415ed6ebe515d57f4284ae068851" ascii
$s19 = "827da8b743ba46e966706e7f5e6540c00cb1205811383a2814e1d611decfc286b1927d20391b22a0a31935a9ab93d7f25e6331a81d13db6d10c7a771e82dfd8b" ascii
$s20 = "7c33d9ad6872281a5d7bf5984f537f09544fdee50645e9846642206ea4a81f70b27439e6dcbe6fdc1331c59bf3e2e847b6195e8ed2a51adaf91b5e615cece1d3" ascii
condition:
uint16(0) == 0x0000 and filesize < 600KB and
1 of ($x*) and 4 of them
}
rule quantum_license {
meta:
description = "IcedID - file license.dat"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-04-24"
hash1 = "84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238"
strings:
$s1 = "W* |[h" fullword ascii
$s2 = "PSHN,;x" fullword ascii
$s3 = "ephu"W" fullword ascii
$s4 = "LwUw9\" fullword ascii
$s5 = "VYZP~pN," fullword ascii
$s6 = "eRek?@" fullword ascii
$s7 = "urKuEqR" fullword ascii
$s8 = "1zjWa{`!" fullword ascii
$s9 = "YHAV{tl" fullword ascii
$s10 = "bwDU?u" fullword ascii
$s11 = "SJbW`!W" fullword ascii
$s12 = "BNnEx1k" fullword ascii
$s13 = "SEENI3=" fullword ascii
$s14 = "Bthw?:'H*" fullword ascii
$s15 = "NfGHNHC" fullword ascii
$s16 = "xUKlrl'>`" fullword ascii
$s17 = "gZaZ^;Ro2" fullword ascii
$s18 = "JhVo5Bb" fullword ascii
$s19 = "OPta)}$" fullword ascii
$s20 = "cZZJoVB" fullword ascii
condition:
uint16(0) == 0x44f8 and filesize < 1000KB and
8 of them
}
rule quantum_p227 {
meta:
description = "Cobalt Strike - file p227.dll"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-04-24"
hash1 = "c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3"
strings:
$s1 = "Remote Event Log Manager4" fullword wide
$s2 = "IIdRemoteCMDServer" fullword ascii
$s3 = "? ?6?B?`?" fullword ascii /* hex encoded string 'k' */
$s4 = "<*=.=2=6=<=\=" fullword ascii /* hex encoded string '&' */
$s5 = ">'?+?/?3?7?;???" fullword ascii /* hex encoded string '7' */
$s6 = ":#:':+:/:3:7:" fullword ascii /* hex encoded string '7' */
$s7 = "2(252<2[2" fullword ascii /* hex encoded string '"R"' */
$s8 = ":$;,;2;>;F;" fullword ascii /* hex encoded string '/' */
$s9 = ":<:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:" fullword ascii
$s10 = "%IdThreadMgr" fullword ascii
$s11 = "AutoHotkeys<mC" fullword ascii
$s12 = "KeyPreview0tC" fullword ascii
$s13 = ":dmM:\m" fullword ascii
$s14 = "EFilerErrorH" fullword ascii
$s15 = "EVariantBadVarTypeErrorL" fullword ascii
$s16 = "IdThreadMgrDefault" fullword ascii
$s17 = "Set Size Exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)" fullword wide
$s18 = "CopyMode0" fullword ascii
$s19 = "TGraphicsObject0" fullword ascii
$s20 = "THintWindow8" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and
( pe.imphash() == "c88d91896dd5b7d9cb3f912b90e9d0ed" or 8 of them )
}
rule Ulfefi32 {
meta:
description = "IcedID - file Ulfefi32.dll"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-04-24"
hash1 = "6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7"
strings:
$s1 = "WZSKd2NEBI.dll" fullword ascii
$s2 = "3638df174d2e47fbc2cdad390fdf57b44186930e3f9f4e99247556af2745ec513b928c5d78ef0def56b76844a24f50ab5c3a10f6f0291e8cfbc4802085b8413c" ascii
$s3 = "794311155e3d3b59587a39e6bdeaac42e5a83dbe30a056a059c59a1671d288f7a7cdde39aaf8ce26704ab467e6e7db6da36aec8e1b1e0a6f2101ed3a87a73523" ascii
$s4 = "ce37d7187cf033f0f9144a61841e65ebe440d99644c312f2a7527053f27664fc788a70d4013987f40755d30913393c37067fb1796adece94327ba0d8dfb63c10" ascii
$s5 = "bacefbe356ece5ed36fa3f3c153e8e152cb204299243eba930136e4a954e8f6e4db70d7d7084822762c17da1d350d97c37dbcf226c5d4faa7e78765fd5aa20f8" ascii
$s6 = "acee4914ee999f6158bf7aa90e2f9640d51e2b046c94df4301a6ee1658a54d44e423fc0a5ab3b599d6be74726e266cdb71ccd0851bcef3bc5f828eab7e736d81" ascii
$s7 = "e2d7e82b0fe30aa846abaa4ab85cb9d47940ec70487f2d5fb4c60012289b133b44e8c244e3ec8e276fa118a54492f348e34e992da07fada70c018de1ff8f91d4" ascii
$s8 = "afd386d951143fbfc89016ab29a04b6efcefe7cd9d3e240f1d31d59b9541b222c45bb0dc6adba0ee80b696b85939ac527af149fdbfbf40b2d06493379a27e16b" ascii
$s9 = "3bb43aa0bbe8dee8d99aaf3ac42fbe3ec5bd8fa68fb85aea8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7beceb3103a66d5f34a2a6c48eed" ascii
$s10 = "a79e1facc14f0a1dfde8f71cec33e08ed6144aa2fd9fe3774c89b50d26b78f4a516a988e412e5cce5a6b6edb7b2cded7fe9212505b240e629e066ed853fb9f6b" ascii
$s11 = "69f9b12abc44fac17d92b02eb254c9dc0cfd8888676a9e59f0cb6d630151daccea40e850d615d32d011838f8042a2d6999fab319f49bed09e43f9b6197bf9a66" ascii
$s12 = "cfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0ce8ede5912beab0b9b8c3f4bae726d5b2" ascii
$s13 = "a8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7beceb3103a66d5f34a2a6c48eedc90afe65ba742c395bbdb4b1b12d96d6f38de96212392c3" ascii
$s14 = "900796689b72e62f24b28affa681c23841f21e2c7a56a18a6bbb572042da8717abc9f195340d12f2fae6cf2a6d609ed5a0501e34d3b31f8151f194cdb8afc85e" ascii
$s15 = "35560790835fe34ed478758636d3b2b797ba95c824533318dfb147146e2b5debb4f974c906dce439d3c97e94465849c9b42e9cb765a95ff42a7d8b27e62d470a" ascii
$s16 = "0b3d20f3cf0f6b3a53c53b8f50f9116edd412776a8f218e6b0d921ccfeeb34875c4674072f84ac612004d8162a6b381f5a3d1f6d70c03203272740463ff4bcd5" ascii
$s17 = "72f69c37649149002c41c2d85091b0f6f7683f6e6cc9b9a0063c9b0ce254dddb9736c68f81ed9fed779add52cbb453e106ab8146dab20a033c28dee789de8046" ascii
$s18 = "f2b7f87aa149a52967593b53deff481355cfe32c2af99ad4d4144d075e2b2c70088758aafdabaf480e87cf202626bde30d32981c343bd47b403951b165d2dc0f" ascii
$s19 = "9867f0633c80081f0803b0ed75d37296bac8d3e25e3352624a392fa338570a9930fa3ceb0aaee2095dd3dcb0aab939d7d9a8d5ba7f3baac0601ed13ffc4f0a1e" ascii
$s20 = "3d08b3fcfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0ce8ede5912beab0b9b8c3f4bae" ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and
( pe.imphash() == "81782d8702e074c0174968b51590bf48" and ( pe.exports("FZKlWfNWN") and pe.exports("IMlNwug") and pe.exports("RPrWVBw") and pe.exports("kCXkdKtadW") and pe.exports("pLugSs") and pe.exports("pRNAU") ) or 8 of them )
}
rule quantum_ttsel {
meta:
description = "quantum - file ttsel.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-04-24"
hash1 = "b6c11d4a4af4ad4919b1063184ee4fe86a5b4b2b50b53b4e9b9cc282a185afda"
strings:
$s1 = "DSUVWj ]" fullword ascii
$s2 = "WWVh@]@" fullword ascii
$s3 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */
$s4 = "E4PSSh" fullword ascii /* Goodware String - occured 2 times */
$s5 = "tySjD3" fullword ascii
$s6 = "@]_^[Y" fullword ascii /* Goodware String - occured 3 times */
$s7 = "0`0h0p0" fullword ascii /* Goodware String - occured 3 times */
$s8 = "tV9_<tQf9_8tKSSh" fullword ascii
$s9 = "Vj\Yj?Xj:f" fullword ascii
$s10 = "1-1:1I1T1Z1p1w1" fullword ascii
$s11 = "8-999E9U9k9" fullword ascii
$s12 = "8"8)8H8i8t8" fullword ascii
$s13 = "8"868@8M8W8" fullword ascii
$s14 = "3"3)3>3F3f3m3t3}3" fullword ascii
$s15 = "3"3(3<3]3o3" fullword ascii
$s16 = "9 9*909B9" fullword ascii
$s17 = "9.979S9]9a9w9" fullword ascii
$s18 = "txf9(tsf9)tnj\P" fullword ascii
$s19 = "5!5'5-5J5Y5b5i5~5" fullword ascii
$s20 = "<2=7=>=E={=" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and
( pe.imphash() == "68b5e41a24d5a26c1c2196733789c238" or 8 of them )
}
T1204 - User Execution
T1614.001 - System Location Discovery: System Language Discovery
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1055 - Process Injection
T1055.012 - Process Injection: Process Hollowing
T1003.001 - OS Credential Dumping: LSASS Memory
T1486 - Data Encrypted for Impact
T1482 - Domain Trust Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1083 - File and Directory Discovery
T1518.001 - Software Discovery: Security Software Discovery
T1047 - Windows Management Instrumentation
T1087.002 - Account Discovery: Domain Account
T1082 - System Information Discovery
T1018 - Remote System Discovery
T1053.005 - Scheduled Task/Job: Scheduled Task
T1071.001 - Web Protocols
S0029 - PsExec
S0039 - Net
S0100 - ipconfig
S0359 - Nltest
S0483 - IcedID
S0552 - AdFind
S0154 - Cobalt Strike
原文始发于微信公众号(Desync InfoSec):【DFIR报告翻译】Quantum 勒索软件
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论