
<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <link rel="profile" href="https://gmpg.org/xfn/11"> <title>Quantum Ransomware &#8211; The DFIR Report</title> <meta name='robots' content='max-image-preview:large' /> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <link rel='dns-prefetch' href='//stats.wp.com' /> <link rel='preconnect' href='//c0.wp.com' /> <link rel="alternate" type="application/rss+xml" title="The DFIR Report &raquo; Feed" href="https://thedfirreport.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="The DFIR Report &raquo; Comments Feed" href="https://thedfirreport.com/comments/feed/" />
<!-- WordPress core emoji-support probe (auto-generated, minified; served from wp-includes, not site-specific). It checks whether the browser renders a few emoji sequences natively, caches the answer in sessionStorage, and only when native support is incomplete loads the polyfill script named in _wpemojiSettings.source. -->
<script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/thedfirreport.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.2"}}; /*! 
This file is auto-generated */ 
/* IIFE arguments: i is document (the comma expression (window,document) yields document), n is window._wpemojiSettings */
!function(i,n){var o,s,e;
/* c: store the support-test results in sessionStorage under key o together with a millisecond timestamp; storage errors are swallowed */
function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}
/* p: draw strings t and n on 2d context e and return true when both renderings have identical pixel data */
function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}
/* u: support test for feature name t using comparator n. A sequence counts as supported when it renders differently from the same code points separated by U+200B (zero-width space); unknown names return false */
function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}
/* f: run test t for every feature name in e on a canvas (an OffscreenCanvas when executing inside a Worker); returns {name: boolean}. Its source is serialised with toString() into the Worker created below */
function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}
/* t: append a deferred script element with src e to document.head */
function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}
/* the remainder runs only when Promise is available */
"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&/* NOTE(review): valueOf() is in milliseconds, so +604800 keeps a cached result for roughly ten minutes, not the seven days that 604800 seconds would be */(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){
/* no usable cached result: prefer running the canvas probe in a Worker built from a Blob of the serialised functions; any failure falls back to probing on the main thread */
if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)})
/* fold the per-feature results into n.supports.everything and n.supports.everythingExceptFlag */
.then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e})
/* after DOMContentLoaded: when native support is incomplete, load the polyfill script(s) named in n.source */
.then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script>
<link rel='stylesheet' id='jetpack_related-posts-css' href='https://c0.wp.com/p/jetpack/14.3/modules/related-posts/related-posts.css' type='text/css' media='all' /> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://c0.wp.com/c/6.7.2/wp-includes/css/dist/block-library/style.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='mediaelement-css' href='https://c0.wp.com/c/6.7.2/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='wp-mediaelement-css' href='https://c0.wp.com/c/6.7.2/wp-includes/js/mediaelement/wp-mediaelement.min.css' type='text/css' media='all' /> <style 
id='jetpack-sharing-buttons-style-inline-css' type='text/css'> .jetpack-sharing-buttons__services-list{display:flex;flex-direction:row;flex-wrap:wrap;gap:0;list-style-type:none;margin:5px;padding:0}.jetpack-sharing-buttons__services-list.has-small-icon-size{font-size:12px}.jetpack-sharing-buttons__services-list.has-normal-icon-size{font-size:16px}.jetpack-sharing-buttons__services-list.has-large-icon-size{font-size:24px}.jetpack-sharing-buttons__services-list.has-huge-icon-size{font-size:36px}@media print{.jetpack-sharing-buttons__services-list{display:none!important}}.editor-styles-wrapper .wp-block-jetpack-sharing-buttons{gap:0;padding-inline-start:0}ul.jetpack-sharing-buttons__services-list.has-background{padding:1.25em 2.375em} </style> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: 
#9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 
12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) 
!important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) 
!important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) 
!important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='freenews-style-css' href='https://thedfirreport.com/wp-content/themes/freenews/style.css?ver=6.7.2' type='text/css' media='all' /> <style id='freenews-style-inline-css' type='text/css'> .tags-links, .byline, .comments-link { clip: rect(1px, 1px, 1px, 1px); height: 1px; position: absolute; overflow: hidden; width: 1px; } </style> <link rel='stylesheet' id='font-awesome-css' href='https://thedfirreport.com/wp-content/themes/freenews/assets/library/fontawesome/css/all.min.css?ver=6.7.2' type='text/css' media='all' /> <link rel='stylesheet' id='freenews-google-fonts-css' href='https://thedfirreport.com/wp-content/fonts/d92fef3d9e5de6f7993b11046e265436.css' type='text/css' media='all' /> <style id='akismet-widget-style-inline-css' type='text/css'> .a-stats { --akismet-color-mid-green: #357b49; --akismet-color-white: #fff; --akismet-color-light-grey: #f6f7f7; max-width: 350px; width: auto; } .a-stats * { all: unset; box-sizing: border-box; } .a-stats strong { font-weight: 600; } .a-stats a.a-stats__link, .a-stats a.a-stats__link:visited, .a-stats a.a-stats__link:active { background: var(--akismet-color-mid-green); border: none; box-shadow: none; border-radius: 8px; color: var(--akismet-color-white); cursor: pointer; display: block; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen-Sans', 'Ubuntu', 'Cantarell', 'Helvetica Neue', sans-serif; font-weight: 500; padding: 12px; text-align: center; text-decoration: none; transition: all 0.2s ease; } /* 
Extra specificity to deal with TwentyTwentyOne focus style */ .widget .a-stats a.a-stats__link:focus { background: var(--akismet-color-mid-green); color: var(--akismet-color-white); text-decoration: none; } .a-stats a.a-stats__link:hover { filter: brightness(110%); box-shadow: 0 4px 12px rgba(0, 0, 0, 0.06), 0 0 2px rgba(0, 0, 0, 0.16); } .a-stats .count { color: var(--akismet-color-white); display: block; font-size: 1.5em; line-height: 1.4; padding: 0 13px; white-space: nowrap; } </style> <link rel='stylesheet' id='sharedaddy-css' href='https://c0.wp.com/p/jetpack/14.3/modules/sharedaddy/sharing.css' type='text/css' media='all' /> <link rel='stylesheet' id='social-logos-css' href='https://c0.wp.com/p/jetpack/14.3/_inc/social-logos/social-logos.min.css' type='text/css' media='all' /> <script type="text/javascript" id="jetpack_related-posts-js-extra"> /* <![CDATA[ */ var related_posts_js_options = {"post_heading":"h4"}; /* ]]> */ </script> <script type="text/javascript" src="https://c0.wp.com/p/jetpack/14.3/_inc/build/related-posts/related-posts.min.js" id="jetpack_related-posts-js"></script> <script type="text/javascript" src="https://c0.wp.com/c/6.7.2/wp-includes/js/jquery/jquery.min.js" id="jquery-core-js"></script> <script type="text/javascript" src="https://c0.wp.com/c/6.7.2/wp-includes/js/jquery/jquery-migrate.min.js" id="jquery-migrate-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/js/global.js?ver=1" id="freenews-global-js"></script> <link rel="https://api.w.org/" href="https://thedfirreport.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://thedfirreport.com/wp-json/wp/v2/posts/6455" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://thedfirreport.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.7.2" /> <link rel="canonical" href="https://thedfirreport.com/2022/04/25/quantum-ransomware/" /> <link rel='shortlink' 
href='https://thedfirreport.com/?p=6455' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://thedfirreport.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fthedfirreport.com%2F2022%2F04%2F25%2Fquantum-ransomware%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://thedfirreport.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fthedfirreport.com%2F2022%2F04%2F25%2Fquantum-ransomware%2F&#038;format=xml" />
<!-- GA Google Analytics @ https://m0n.co/ga -->
<!-- Third-party analytics: the loader is fetched cross-origin with no integrity attribute; a CSP script-src allowlist is the usual compensating control, and the inline bootstrap below would then need a nonce or hash. -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-162747485-1"></script>
<script> /* gtag bootstrap: create the dataLayer queue if it does not exist yet and configure the UA property id that also appears in the loader URL above */ window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-162747485-1'); </script>
<!-- Wordfence "log human" beacon (inline script emitted by the security plugin). On the first user-interaction event it injects one script request to the site's own origin and then unregisters itself, so it fires at most once per page load. -->
<script type="text/javascript"> (function(url){ /* skip the beacon for the plugin's own monitoring user agents */ if(/(?:Chrome\/26\.0\.1410\.63 Safari\/537\.31|WordfenceTestMonBot)/.test(navigator.userAgent)){ return; } /* listener helpers with a legacy attachEvent/detachEvent fallback */ var addEvent = function(evt, handler) { if (window.addEventListener) { document.addEventListener(evt, handler, false); } else if (window.attachEvent) { document.attachEvent('on' + evt, handler); } }; var removeEvent = function(evt, handler) { if (window.removeEventListener) { document.removeEventListener(evt, handler, false); } else if (window.detachEvent) { document.detachEvent('on' + evt, handler); } }; /* interaction events treated as evidence of a real user; presumably consumed by Wordfence for human/bot classification, which is not visible here */ var evts = 'contextmenu dblclick drag dragend dragenter dragleave dragover dragstart drop keydown keypress keyup mousedown mousemove mouseout mouseover mouseup mousewheel scroll'.split(' '); /* one-shot handler: guarded by the global window.wfLogHumanRan, injects an async script whose URL carries a random suffix (presumably a cache-buster) into head or body, then removes every listener registered below */ var logHuman = function() { if (window.wfLogHumanRan) { return; } window.wfLogHumanRan = true; var wfscr = document.createElement('script'); wfscr.type = 'text/javascript'; wfscr.async = true; wfscr.src = url + '&r=' + Math.random(); (document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(wfscr); for (var i = 0; i < evts.length; i++) { removeEvent(evts[i], logHuman); } }; for (var i = 0; i < evts.length; i++) { addEvent(evts[i], logHuman); } })(/* NOTE(review): protocol-relative URL, so the beacon inherits the page scheme instead of pinning https:; hid is a page-specific token whose derivation is not visible here */'//thedfirreport.com/?wordfence_lh=1&hid=FE23659AE4BFA5317BBB8E6265EAB2C7'); </script>
<style>img#wpstats{display:none}</style> <style type="text/css" id="custom-background-css"> body.custom-background { background-color: #f8f8f8; } </style> <!-- Jetpack Open Graph Tags --> <meta property="og:type" content="article" /> <meta property="og:title" content="Quantum Ransomware" /> <meta property="og:url" content="https://thedfirreport.com/2022/04/25/quantum-ransomware/" /> <meta property="og:description" content="In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for this case was an Ic…" /> <meta property="article:published_time" content="2022-04-25T01:16:30+00:00" /> <meta property="article:modified_time" content="2024-11-08T12:33:54+00:00" /> <meta property="og:site_name" content="The DFIR Report" /> <meta property="og:image" content="https://thedfirreport.com/wp-content/uploads/2022/04/12647-09.png" /> <meta property="og:image:width" content="1559" /> <meta property="og:image:height" content="1594" /> <meta property="og:image:alt" content="" /> <meta property="og:locale" content="en_US" /> <meta name="twitter:text:title" content="Quantum Ransomware" /> <meta name="twitter:image" content="https://thedfirreport.com/wp-content/uploads/2022/04/12647-09.png?w=640" /> <meta name="twitter:card" content="summary_large_image" /> <!-- End Jetpack Open Graph Tags --> <link rel="icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-32x32.png" sizes="32x32" /> <link rel="icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-192x192.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-180x180.png" /> <meta name="msapplication-TileImage" 
content="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-270x270.png" /> </head> <body class="post-template-default single single-post postid-6455 single-format-standard custom-background has-sidebar tags-hidden author-hidden comment-hidden"> <div id="page" class="site"> <a class="skip-link screen-reader-text" href="#content">Skip to content</a> <header id="masthead" class="site-header"> <div id="main-header" class="main-header"> <div class="navigation-top"> <div class="wrap"> <div id="site-header-menu" class="site-header-menu"> <nav class="main-navigation" aria-label="Primary Menu" role="navigation"> <button class="menu-toggle" aria-controls="primary-menu" aria-expanded="false"> <span class="toggle-text">Menu</span> <span class="toggle-bar"></span> </button> <ul id="primary-menu" class="menu nav-menu"><li id="menu-item-21337" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-21337"><a href="https://thedfirreport.com/">Reports</a></li> <li id="menu-item-21314" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21314"><a href="https://thedfirreport.com/analysts/">Analysts</a></li> <li id="menu-item-21315" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-21315"><a href="https://thedfirreport.com/services/">Services</a> <ul class="sub-menu"> <li id="menu-item-21319" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21319"><a href="https://thedfirreport.com/services/threat-intelligence/">Threat Intelligence</a></li> <li id="menu-item-21318" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21318"><a href="https://thedfirreport.com/services/detection-rules/">Detection Rules</a></li> <li id="menu-item-31055" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-31055"><a href="https://thedfirreport.com/services/dfir-labs/">DFIR Labs</a> <ul 
class="sub-menu"> <li id="menu-item-35456" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-35456"><a href="https://thedfirreport.com/services/dfir-labs/ctf/">Capture The Flag (CTF)</a></li> <li id="menu-item-32606" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-32606"><a href="https://thedfirreport.com/services/dfir-labs/dfir-labs-leaderboard/">Leaderboard</a></li> <li id="menu-item-38108" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-38108"><a href="https://thedfirreport.com/services/dfir-labs/ctf-winners/">CTF Winners</a></li> </ul> </li> <li id="menu-item-21320" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21320"><a href="https://thedfirreport.com/services/case-artifacts/">Case Artifacts</a></li> <li id="menu-item-21317" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-21317"><a href="https://thedfirreport.com/services/mentoring-coaching-program/">Mentoring &#038; Coaching Program</a> <ul class="sub-menu"> <li id="menu-item-21325" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21325"><a href="https://thedfirreport.com/services/mentoring-coaching-program/book-a-session/">Book A Session</a></li> <li id="menu-item-21326" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21326"><a href="https://thedfirreport.com/services/mentoring-coaching-program/meet-the-team/">Meet The Team</a></li> </ul> </li> </ul> </li> <li id="menu-item-31033" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-31033"><a href="https://store.thedfirreport.com/collections/dfir-labs">Access DFIR Labs</a></li> <li id="menu-item-21313" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21313"><a href="https://thedfirreport.com/subscribe/">Subscribe</a></li> <li id="menu-item-21316" class="menu-item menu-item-type-post_type menu-item-object-page 
menu-item-21316"><a href="https://thedfirreport.com/contact/">Contact Us</a></li> </ul> </nav><!-- #site-navigation --> </div> </div><!-- .wrap --> </div><!-- .navigation-top --> <nav class="secondary-navigation" role="navigation" aria-label="Secondary Navigation"> <div class="wrap"> <button class="secondary-menu-toggle" aria-controls="primary-menu" aria-expanded="false"> <span class="secondary-toggle-text">Menu</span> <span class="secondary-toggle-bar"></span> </button> <ul id="primary-menu" class="secondary-menu"><li id="menu-item-21323" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21323"><a href="https://thedfirreport.com/services/threat-intelligence/">Threat Intelligence</a></li> <li id="menu-item-21322" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21322"><a href="https://thedfirreport.com/services/detection-rules/">Detection Rules</a></li> <li id="menu-item-31037" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-31037"><a href="https://thedfirreport.com/services/dfir-labs/">DFIR Labs</a> <ul class="sub-menu"> <li id="menu-item-35457" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-35457"><a href="https://thedfirreport.com/services/dfir-labs/ctf/">Capture The Flag (CTF)</a></li> <li id="menu-item-32608" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-32608"><a href="https://thedfirreport.com/services/dfir-labs/dfir-labs-leaderboard/">Leaderboard</a></li> <li id="menu-item-38110" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-38110"><a href="https://thedfirreport.com/services/dfir-labs/ctf-winners/">CTF Winners</a></li> </ul> </li> <li id="menu-item-21321" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-21321"><a href="https://thedfirreport.com/services/mentoring-coaching-program/">Mentoring &#038; Coaching Program</a> <ul 
menu-item-type-post_type menu-item-object-page menu-item-32608"><a href="https://thedfirreport.com/services/dfir-labs/dfir-labs-leaderboard/">Leaderboard</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-38110"><a href="https://thedfirreport.com/services/dfir-labs/ctf-winners/">CTF Winners</a></li> </ul> </li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-21321"><a href="https://thedfirreport.com/services/mentoring-coaching-program/">Mentoring &#038; Coaching Program</a> <ul class="sub-menu"> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21327"><a href="https://thedfirreport.com/services/mentoring-coaching-program/book-a-session/">Book A Session</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21328"><a href="https://thedfirreport.com/services/mentoring-coaching-program/meet-the-team/">Meet The Team</a></li> </ul> </li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21324"><a href="https://thedfirreport.com/services/case-artifacts/">Case Artifacts</a></li> </ul> </div><!-- .wrap --> </nav><!-- .secondary-navigation --> </div><!-- .main-header-brand --> </div><!-- .main-header --> </header><!-- #masthead --> <div id="content" class="site-content"> <div class="site-content-cell"> <div class="wrap wrap-width"> <div id="primary" class="content-area"> <main id="main" class="site-main"> <article id="post-6455" class="post-6455 post type-post status-publish format-standard hentry category-adfind category-cobaltstrike category-icedid category-psexec category-quantum category-ransomware entry"> <div class="entry-content-holder"> <header class="entry-header"> <div class="entry-meta"> <span class="cat-links"> <a class="category-color-24" href="https://thedfirreport.com/category/adfind/">adfind</a> <a class="category-color-6" 
href="https://thedfirreport.com/category/cobaltstrike/">cobaltstrike</a> <a class="category-color-67" href="https://thedfirreport.com/category/icedid/">icedid</a> <a class="category-color-23" href="https://thedfirreport.com/category/psexec/">psexec</a> <a class="category-color-93" href="https://thedfirreport.com/category/quantum/">quantum</a> <a class="category-color-2" href="https://thedfirreport.com/category/ransomware/">ransomware</a> </span> </div><!-- .entry-meta --> <h1 class="entry-title">Quantum Ransomware</h1> <div class="entry-meta"> <span class="posted-on"><a href="https://thedfirreport.com/2022/04/25/quantum-ransomware/" rel="bookmark"><time class="entry-date published" datetime="2022-04-25T01:16:30+00:00">April 25, 2022</time></a></span> </div><!-- .entry-meta --> </header><!-- .entry-header --> <div class="entry-content"> <p>In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for this case was an IcedID payload delivered via email. We have observed IcedID malware being utilized as the initial access by various ransomware groups. 
Examples from some of our previous cases include:</p> <ul class="wp-block-list"> <li>XingLocker &#8211; <a href="https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/" target="_blank" rel="noreferrer noopener">IcedID to XingLocker Ransomware in 24 hours</a></li> <li>Conti &#8211; <a href="https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/" target="_blank" rel="noreferrer noopener">Stolen Images Campaign Ends in Conti Ransomware</a> and <a href="https://thedfirreport.com/2021/05/12/conti-ransomware/" target="_blank" rel="noreferrer noopener">Conti Ransomware</a></li> <li>REvil &#8211; <a href="https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/" target="_blank" rel="noreferrer noopener">Sodinokibi (aka REvil) Ransomware</a></li> </ul> <p>Approximately 2 hours after the initial IcedID payload was executed, the threat actors appeared to begin hands-on-keyboard activity. Cobalt Strike and RDP were used to move across the network before using WMI and PsExec to deploy the Quantum ransomware. 
This case exemplified an extremely short Time-to-Ransom (TTR) of 3 hours and 44 minutes.</p> <h2 id="services" class="wp-block-heading"><a href="https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#services">The DFIR Report Services</a></h2> <ul class="wp-block-list"> <li><a href="https://thedfirreport.com/services/threat-intelligence/#threat-brief" target="_blank" rel="noreferrer noopener">Private Threat Briefs</a>: Over 20 private DFIR reports annually.</li> <li><a href="https://thedfirreport.com/services/threat-intelligence/#threat-feed" target="_blank" rel="noreferrer noopener">Threat Feed</a>: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.</li> <li><a href="https://thedfirreport.com/services/threat-intelligence/#all-intel" target="_blank" rel="noreferrer noopener">All Intel</a>: Includes everything from Private Threat Briefs and Threat Feed, plus private events, opendir reports, long-term tracking, data clustering, and other curated intel.</li> <li><a href="https://thedfirreport.com/services/detection-rules/" target="_blank" rel="noreferrer noopener">Private Sigma Ruleset</a>: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT&amp;CK with test examples.</li> <li><a href="https://thedfirreport.com/services/dfir-labs/" target="_blank" rel="noreferrer noopener">DFIR Labs</a>: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactive labs are available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.</li> </ul> <p><a href="https://thedfirreport.com/contact/" target="_blank" rel="noreferrer noopener">Contact us</a> today for pricing or a demo!</p> <h2 class="wp-block-heading">Case Summary</h2> <p>The threat actor was able to enter the network when a user endpoint was compromised by an IcedID payload contained within an ISO image. 
We have high confidence this payload was delivered via email; however, we were not able to identify the delivery email.</p> <p>The ISO contained a DLL file (IcedID malware) and a LNK shortcut to execute it. The end user, after clicking into the ISO file, could see just a single file named &#8220;document&#8221;, which is a LNK shortcut to a hidden DLL packaged in the ISO. When the user clicks on the LNK file, the IcedID DLL is executed.</p> <p>Upon this execution of the IcedID DLL, a battery of discovery tasks was executed using built-in Windows utilities like ipconfig, systeminfo, nltest, net, and chcp. The IcedID malware also created a scheduled task as a means of persistence on the beachhead host.</p> <p>Around two hours later, Cobalt Strike was deployed using process hollowing and injection techniques. This marked the start of &#8220;hands-on-keyboard&#8221; activity by the threat actors. This activity included using AdFind through a batch script called <code>adfind.bat</code> to perform discovery of the target organization's Active Directory structure. The threat actors gathered host-based network information by running a batch script named <code>ns.bat</code>, which ran nslookup for each host in the environment.</p> <p>The Cobalt Strike process then proceeded to access LSASS memory to extract credentials, which a few minutes later were tested by running remote WMI discovery tasks on a server. After confirming their credentials worked with the WMI actions, the threat actor proceeded to RDP into that server, and attempted to drop and execute a Cobalt Strike DLL beacon on that server<span style="color: #000000;">. This appeared to fail, so the threat actor then opened cmd and proceeded to execute a PowerShell Cobalt Strike Beacon. This Beacon was successful in connecting to the same command and control server observed on the beachhead host.</span></p> <p>For the next hour, the threat actor proceeded to make RDP connections to other servers in the environment. 
Once the threat actor had a handle on the layout of the domain, they prepared to deploy the ransomware by copying the ransomware (named <code>ttsel.exe</code>) to each host through the <code>C$</code> share folder. They used two methods of remote execution to detonate the ransomware binary, WMI and PsExec. This ransomware deployment concluded less than four hours from the initial IcedID execution.</p> <p>While the ransom note indicated the threat actor stole data, we did not observe any overt exfiltration of data; however, it is possible that the threat actors used IcedID or Cobalt Strike to transmit sensitive data.</p> <h2 class="wp-block-heading">Timeline</h2> <p><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-6574" src="https://thedfirreport.com/wp-content/uploads/2022/04/Quantum-Ransomware.png" alt="" width="1531" height="2703" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/Quantum-Ransomware.png 1531w, https://thedfirreport.com/wp-content/uploads/2022/04/Quantum-Ransomware-170x300.png 170w, https://thedfirreport.com/wp-content/uploads/2022/04/Quantum-Ransomware-580x1024.png 580w, https://thedfirreport.com/wp-content/uploads/2022/04/Quantum-Ransomware-768x1356.png 768w, https://thedfirreport.com/wp-content/uploads/2022/04/Quantum-Ransomware-870x1536.png 870w, https://thedfirreport.com/wp-content/uploads/2022/04/Quantum-Ransomware-1160x2048.png 1160w" sizes="(max-width: 1531px) 100vw, 1531px" /></p> <p>Report Lead: <a href="https://twitter.com/svch0st" target="_blank" rel="noreferrer noopener">@svch0st</a> <br />Contributing Analysts: <a href="https://twitter.com/0xtornado" target="_blank" rel="noreferrer noopener">@0xtornado</a>, <a href="https://twitter.com/samaritan_o" target="_blank" rel="noreferrer noopener">@samaritan_o</a></p> <h2 class="wp-block-heading">Initial Access</h2> <p>The threat actor gained initial access through the common malware, IcedID. 
The payload was delivered within an ISO file, <code>docs_invoice_173.iso</code>, via email, where a user opened and executed the malware. Shout out to <a href="https://twitter.com/k3dg3" target="_blank" rel="noopener">@k3dg3</a> for making these ISOs available. We were able to determine that the user mounted the ISO using Event ID <code>12</code> in <code>Microsoft-Windows-VHDMP-Operational.evtx</code>, as shown below:</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-02.png"><img decoding="async" class="aligncenter size-full wp-image-6460" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-02.png" alt="" width="1371" height="822" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-02.png 1371w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-02-300x180.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-02-1024x614.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-02-768x460.png 768w" sizes="(max-width: 1371px) 100vw, 1371px" /></a></figure> <p>When mounted, the ISO contained two files:</p> <ul class="wp-block-list"> <li><code>document.lnk</code></li> <li><code>dar.dll</code> (hidden attribute enabled)</li> </ul> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-03.png"><img decoding="async" class="aligncenter size-full wp-image-6461" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-03.png" alt="" width="735" height="183" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-03.png 735w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-03-300x75.png 300w" sizes="(max-width: 735px) 100vw, 735px" /></a></figure> <p>Typical end user perspective after opening the ISO file:</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-04.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6462" 
src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-04.png" alt="" width="772" height="391" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-04.png 772w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-04-300x152.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-04-768x389.png 768w" sizes="auto, (max-width: 772px) 100vw, 772px" /></a></figure> <p>The file <code>document.lnk</code> is a shortcut (LNK) file and <code>dar.dll</code> was the IcedID payload.</p> <h2 class="wp-block-heading">Execution</h2> <p>A quick look at <code>document.lnk</code>&#8217;s properties highlights the command line that is executed on launch:</p> <pre class="wp-block-preformatted">C:\Windows\System32\rundll32.exe dar.dll,DllRegisterServer</pre> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-05.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6463" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-05.png" alt="" width="538" height="316" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-05.png 538w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-05-300x176.png 300w" sizes="auto, (max-width: 538px) 100vw, 538px" /></a></figure> <p>But we can do a lot better than that with a .lnk file! These .lnk files provide a wealth of knowledge to investigators. For example, below is a partial output of the tool <code>LECmd.exe</code> (by <a href="https://twitter.com/ericrzimmerman" target="_blank" rel="noopener">Eric Zimmerman</a>). 
When used on the file <code>document.lnk</code>, it parses out metadata such as when the shortcut file was made, what hostname and the MAC Address of the device it was created on and even the directory path of the user that created it!</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-06.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6464" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-06.png" alt="" width="1600" height="503" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-06.png 1600w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-06-300x94.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-06-1024x322.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-06-768x241.png 768w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-06-1536x483.png 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" /></a></figure> <p>We were able to determine when the user clicked on the lnk file and when a new process was created with the command line mentioned above. 
Furthermore, the Event ID <code>4663</code> in Security.evtx highlighted when <code>explorer.exe</code> accessed <code>document.lnk</code>:</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-07.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6465" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-07.png" alt="" width="1370" height="1113" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-07.png 1370w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-07-300x244.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-07-1024x832.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-07-768x624.png 768w" sizes="auto, (max-width: 1370px) 100vw, 1370px" /></a></figure> <p>Additionally, the context of execution location and parent process can also be used to follow the user execution process.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-08.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6466" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-08.png" alt="" width="663" height="417" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-08.png 663w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-08-300x189.png 300w" sizes="auto, (max-width: 663px) 100vw, 663px" /></a></figure> <p>Shortly after execution of the payload, several child processes were spawned that created persistence and began discovery on the host.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-09.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6467" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-09.png" alt="" width="1559" height="1594" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-09.png 1559w, 
https://thedfirreport.com/wp-content/uploads/2022/04/12647-09-293x300.png 293w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-09-1002x1024.png 1002w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-09-768x785.png 768w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-09-1502x1536.png 1502w" sizes="auto, (max-width: 1559px) 100vw, 1559px" /></a></figure> <p>This included an instance of <code>C:\Windows\SysWOW64\cmd.exe</code>, which the IcedID malware used to hollow out and then inject a Cobalt Strike beacon into. There were several additional indications of Cobalt Strike we observed to verify it was utilized by the threat actor. The <code>cmd.exe</code> process spawned a suspicious instance of <code>rundll32.exe</code>. There were no command line arguments for this process, which is atypical for <code>rundll32.exe</code>. A further indication was the <code>rundll32.exe</code> process creating a named pipe, <code>postex_304a</code>. This combination of <code>rundll32.exe</code> and a named pipe matching <code>postex_[0-9a-f]{4}</code> is the default behavior of Cobalt Strike 4.2+ post-exploitation jobs. 
For more information on Cobalt Strike, you can read our article <a href="https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/#:~:text=Cobalt%20Strike%20in%20Action" target="_blank" rel="noreferrer noopener">Cobalt Strike, a Defender’s Guide</a>.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-10.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6468" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-10.png" alt="" width="1376" height="104" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-10.png 1376w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-10-300x23.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-10-1024x77.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-10-768x58.png 768w" sizes="auto, (max-width: 1376px) 100vw, 1376px" /></a></figure> <p>When we reviewed the memory of this process, we were able to confirm it was in fact Cobalt Strike when we successfully extracted the beacon configuration (additional details can be found in the <strong>Command and Control</strong> section). 
The threat actor also executed a PowerShell Cobalt Strike payload on some servers:</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-11.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6469" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-11.png" alt="" width="1600" height="459" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-11.png 1600w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-11-300x86.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-11-1024x294.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-11-768x220.png 768w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-11-1536x441.png 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" /></a></figure> <p>This payload is using the default Cobalt Strike obfuscation scheme (XOR 35), <span style="color: #000000;">and can easily be decoded using</span> <a href="https://gist.github.com/0xtornado/69d12572520122cb9bddc2d6793d97ab" target="_blank" rel="noreferrer noopener">CyberChef</a>:</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-12.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6470" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-12.png" alt="" width="1390" height="1200" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-12.png 1390w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-12-300x259.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-12-1024x884.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-12-768x663.png 768w" sizes="auto, (max-width: 1390px) 100vw, 1390px" /></a></figure> <p>The output can be analyzed using scdbg to highlight what Windows API calls the shellcode makes:</p> <figure class="wp-block-image"><a 
href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-13.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6471" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-13.png" alt="" width="1386" height="520" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-13.png 1386w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-13-300x113.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-13-1024x384.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-13-768x288.png 768w" sizes="auto, (max-width: 1386px) 100vw, 1386px" /></a></figure> <p>Prior to using the PowerShell beacon, the threat actor dropped a DLL beacon (<code>p227.dll</code>) on the server, but this appears to have failed for unknown reasons, after which the threat actor moved on to the PowerShell beacon, which executed successfully.</p> <h2 class="wp-block-heading">Persistence</h2> <p>After the initial execution of the IcedID malware, it established persistence by creating a copy of the malware (<code>Ulfefi32.dll</code>) in the AppData directory of the affected user and creating a scheduled task to execute it every hour. 
The task <code>\kajeavmeva_{B8C1A6A8-541E-8280-8C9A-74DF5295B61A}</code> was created with the execution action below:</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-14.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6472" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-14.png" alt="" width="1036" height="173" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-14.png 1036w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-14-300x50.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-14-1024x171.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-14-768x128.png 768w" sizes="auto, (max-width: 1036px) 100vw, 1036px" /></a></figure> <p>&nbsp;</p> <h2 class="wp-block-heading">Defense Evasion</h2> <p>Process injection was observed during the intrusion by both IcedID and Cobalt Strike. On one system, the threat actor injected into the winlogon process.</p> <p>Cobalt Strike Processes Identified by in Memory <a href="https://malpedia.caad.fkie.fraunhofer.de/yara/win.cobalt_strike" target="_blank" rel="noreferrer noopener">Yara Scanning</a>.</p> <pre class="wp-block-preformatted">{ "Pid": 7248, "ProcessName": "cmd.exe", "CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe", "Detection": [ "win_cobalt_strike_auto", "cobaltstrike_beacon_4_2_decrypt" ] } { "Pid": 584, "ProcessName": "winlogon.exe", "CommandLine": "winlogon.exe", "Detection": [ "win_cobalt_strike_auto", "cobaltstrike_beacon_4_2_decrypt" ] } { "Pid": 5712, "ProcessName": "powershell.exe", "CommandLine": "\"c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" -Version 5.1 -s -NoLogo -NoProfile", "Detection": [ "win_cobalt_strike_auto", "cobaltstrike_beacon_4_2_decrypt" ] }</pre> <p>Volatility Malfind output shows the embedded MZ header in the winlogon process with the setting <code>PAGE_EXECUTE_READWRITE</code> protection settings on the memory 
space, a commonly observed attribute of process injection.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-15.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6473" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-15.png" alt="" width="1029" height="1194" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-15.png 1029w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-15-259x300.png 259w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-15-882x1024.png 882w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-15-768x891.png 768w" sizes="auto, (max-width: 1029px) 100vw, 1029px" /></a></figure> <p>Network connections to the Cobalt Strike server by winlogon were also observed in the process logs.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-16.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6474" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-16.png" alt="" width="1069" height="101" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-16.png 1069w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-16-300x28.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-16-1024x97.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-16-768x73.png 768w" sizes="auto, (max-width: 1069px) 100vw, 1069px" /></a></figure> <h2 class="wp-block-heading">Credential Access</h2> <p><strong>LSASS Access</strong></p> <p>Suspicious accesses to LSASS process memory were observed during this intrusion. 
As illustrated below, those accesses have been made using both <a href="https://car.mitre.org/analytics/CAR-2019-08-001/" target="_blank" rel="noreferrer noopener">Windows Task Manager</a> and <strong><em>rundll32.exe</em></strong> which is assessed to be a Cobalt Strike temporary beacon (as shown in the Execution graph):</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-17.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6475" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-17.png" alt="" width="1600" height="185" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-17.png 1600w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-17-300x35.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-17-1024x118.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-17-768x89.png 768w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-17-1536x178.png 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" /></a></figure> <p>The threat actors managed to steal administrator account credentials, allowing them to move laterally across the Active Directory domain.</p> <h2 class="wp-block-heading">Discovery</h2> <p>As mentioned in the Execution section, the IcedID process ran several initial discovery commands that provided environmental information about the host, network, and domain, to the threat actor. 
Given that these commands ran immediately after the execution of IcedID, we believe they were executed automatically upon check-in.</p> <ul class="wp-block-list"> <li><code>cmd.exe /c chcp &gt;&amp;2</code></li> <li><code>WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List</code></li> <li><code>ipconfig /all</code></li> <li><code>systeminfo</code></li> <li><code>net config workstation</code></li> <li><code>nltest /domain_trusts</code></li> <li><code>nltest /domain_trusts /all_trusts</code></li> <li><code>net view /all /domain</code></li> <li><code>net view /all</code></li> <li><code>net group "Domain Admins" /domain</code></li> </ul> <p>A <code>cmd.exe</code> process spawned from IcedID ran additional discovery queries. The threat actor dropped the following files in the <code>C:\Windows\Temp</code> directory:</p> <ul class="wp-block-list"> <li>7.exe (7zip)</li> <li>adfind.exe (<a href="https://www.joeware.net/freetools/tools/adfind/index.htm" target="_blank" rel="noreferrer noopener">AdFind</a>)</li> <li>adfind.bat (pictured below)</li> </ul> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-18.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6476" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-18.png" alt="" width="761" height="185" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-18.png 761w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-18-300x73.png 300w" sizes="auto, (max-width: 761px) 100vw, 761px" /></a></figure> <p>The actor used the Active Directory enumeration tool <code>AdFind</code> to collect information such as the users, computers and subnets in the domain.</p> <p>The file <code>ad.7z</code> was the resulting output of the AdFind commands above. 
After that, an additional batch script was created, <code>ns.bat</code>, which enumerated all host names in the domain with <code>nslookup</code> to identify the IP address of each host.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-19.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6477" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-19.png" alt="" width="1757" height="1878" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-19.png 1757w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-19-281x300.png 281w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-19-958x1024.png 958w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-19-768x821.png 768w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-19-1437x1536.png 1437w" sizes="auto, (max-width: 1757px) 100vw, 1757px" /></a></figure> <p>Prior to the first lateral movement from the beachhead host, the threat actor tested credentials and gathered information from their targeted remote server using WMI:</p> <pre class="wp-block-preformatted">C:\Windows\system32\cmd.exe, /C, wmic, /node:X.X.X.X, /user:administrator, /password:*****, os, get, caption</pre> <h2 class="wp-block-heading">Lateral Movement</h2> <p><strong>Remote Desktop Protocol</strong></p> <p>The threat actor used RDP to move laterally to critical hosts. In particular, we have evidence on multiple machines of RDP connections using the Administrator account.</p> <p>The attacker in this intrusion initiated RDP connections from a workstation named TERZITERZI. 
See the screenshot below:</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-20.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6478" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-20.png" alt="" width="1600" height="178" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-20.png 1600w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-20-300x33.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-20-1024x114.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-20-768x85.png 768w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-20-1536x171.png 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" /></a></figure> <p>The RDP connections were established from the Cobalt Strike process running the beacon, indicating that the threat actor used a proxy on the beachhead host to facilitate the RDP traffic:</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-21.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6479" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-21.png" alt="" width="1182" height="282" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-21.png 1182w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-21-300x72.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-21-1024x244.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-21-768x183.png 768w" sizes="auto, (max-width: 1182px) 100vw, 1182px" /></a></figure> <p><strong>PsExec</strong></p> <p>PsExec was used to facilitate the ransomware execution.
The threat actor utilized the &#8220;-r&#8221; option in PsExec to define a custom name (<code>mstdc</code>) for the remote service created on the target host (by default it&#8217;s PSEXESVC).</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-22.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6480" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-22.png" alt="" width="1600" height="471" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-22.png 1600w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-22-300x88.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-22-1024x301.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-22-768x226.png 768w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-22-1536x452.png 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" /></a></figure> <p><strong>WMI</strong></p> <p>Throughout the intrusion, the threat actor was also observed using WMIC for lateral activity, including running discovery actions remotely and, as a second option, ensuring that all the remote hosts successfully executed the final ransomware payload.
The WMIC commands prefaced with <code>/node:IP Address</code> allowed the threat actor to run commands on remote hosts.</p> <h2 class="wp-block-heading">Command and Control</h2> <p><strong>IcedID</strong></p> <p>As we saw from the execution section, <code>dar.dll</code> was used to contact the below domains:</p> <ul class="wp-block-list"> <li><code>dilimoretast[.]com</code></li> <li><code>138[.]68.42.130:443</code></li> </ul> <pre class="wp-block-preformatted">Ja3: a0e9f5d64349fb13191bc781f81f42e1 Ja3s: ec74a5c51106f0419184d0dd08fb05bc Certificate: [3e:f4:e9:d6:3e:47:e3:ce:51:2e:2a:91:e5:48:41:54:5e:53:54:e2 ] Not Before: 2022/03/22 09:34:53 UTC Not After: 2023/03/22 09:34:53 UTC Issuer Org: Internet Widgits Pty Ltd Subject Common: localhost Subject Org: Internet Widgits Pty Ltd Public Algorithm: rsaEncryption</pre> <ul class="wp-block-list"> <li><code>antnosience[.]com</code></li> <li><code>157[.]245.142.66:443</code></li> </ul> <pre class="wp-block-preformatted">JA3: a0e9f5d64349fb13191bc781f81f42e1 Ja3s: ec74a5c51106f0419184d0dd08fb05bc Certificate: [0c:eb:c1:4b:0d:a1:b6:9d:7d:60:ed:c0:30:56:b7:48:10:d1:b1:6c ] Not Before: 2022/03/19 09:22:57 UTC Not After: 2023/03/19 09:22:57 UTC Issuer Org: Internet Widgits Pty Ltd Subject Common: localhost Subject Org: Internet Widgits Pty Ltd Public Algorithm: rsaEncryption</pre> <ul class="wp-block-list"> <li><code>oceriesfornot[.]top</code></li> <li><code>188[.]166.154.118:80</code></li> </ul> <p><strong>Cobalt Strike</strong></p> <ul class="wp-block-list"> <li><code>185.203.118[.]227</code></li> <li>Watermark: <code>305419776</code></li> </ul> <pre class="wp-block-preformatted">Ja3: 72a589da586844d7f0818ce684948eea Ja3s: f176ba63b4d68e576b5ba345bec2c7b7 Certificate: [72:a1:ac:20:97:a0:cb:4f:b5:41:db:6e:32:fb:f5:7b:fd:43:9b:4b ] Not Before: 2022/03/21 22:16:04 UTC Not After: 2023/03/21 22:16:04 UTC Issuer Org: Google GMail Subject Common: gmail.com Subject Org: Google GMail Public Algorithm: rsaEncryption</pre> <pre 
class="wp-block-preformatted">{ "beacontype": [ "HTTPS" ], "sleeptime": 60000, "jitter": 15, "maxgetsize": 1049376, "spawnto": "AAAAAAAAAAAAAAAAAAAAAA==", "license_id": 305419776, "cfg_caution": false, "kill_date": "2022-04-22", "server": { "hostname": "185.203.118.227", "port": 443, "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==" }, "host_header": "", "useragent_header": null, "http-get": { "uri": "/_/scs/mail-static/_/js/", "verb": "GET", "client": { "headers": null, "metadata": null }, "server": { "output": [ "print", "append 375 characters", "append 250 characters", "prepend 4 characters", "prepend 28 characters", "prepend 36 characters", "prepend 18 characters", "prepend 4 characters", "prepend 28 characters", "prepend 36 characters", "prepend 17 characters", "prepend 4 characters" ] } }, "http-post": { "uri": "/mail/u/0/", "verb": "POST", "client": { "headers": null, "id": null, "output": null } }, "tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "crypto_scheme": 0, "proxy": { "type": null, "username": null, "password": null, "behavior": "Use IE settings" }, "http_post_chunk": 0, "uses_cookies": true, "post-ex": { "spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "spawnto_x64": "%windir%\\sysnative\\rundll32.exe" }, "process-inject": { "allocator": "VirtualAllocEx", "execute": [ "CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread" ], "min_alloc": 0, "startrwx": true, "stub": "tUr+Aexqde3zXhpE+L05KQ==", "transform-x86": null, "transform-x64": null, "userwx": true }, "dns-beacon": { 
"dns_idle": null, "dns_sleep": null, "maxdns": null, "beacon": null, "get_A": null, "get_AAAA": null, "get_TXT": null, "put_metadata": null, "put_output": null }, "pipename": null, "smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "stage": { "cleanup": false }, "ssh": { "hostname": null, "port": null, "username": null, "password": null, "privatekey": null } }</pre> <h2 class="wp-block-heading">Exfiltration</h2> <p>While the ransom note indicated the threat actor stole data, we did not observe any overt exfiltration of data; however, it is possible that the threat actors used IcedID or Cobalt Strike to transmit sensitive data.</p> <h2 class="wp-block-heading">Impact</h2> <p>Just shy of four hours into the intrusion, the threat actors began acting on their final objectives, domain wide ransomware deployment. With their pivot point from one of the domain controllers, the actor used a combination of both PsExec and WMI to remotely execute the ransomware.</p> <p>They first copied the payload, <code>ttsel.exe</code>, to the C$ share of each host on the network.</p> <pre class="wp-block-preformatted">C:\Windows\system32\cmd.exe /K copy ttsel.exe \\&lt;IP&gt;\c$\windows\temp\</pre> <p><strong>PsExec</strong></p> <p>The threat actor utilized the &#8220;-r&#8221; option in PsExec to define a custom name (&#8220;mstdc&#8221;) of the remote service created on the target host (by default is PSEXESVC).</p> <pre class="wp-block-preformatted">psexec.exe \\&lt;IP ADDRESS&gt; -u &lt;DOMAIN&gt;\Administrator -p "&lt;PASSWORD&gt;" -s -d -h -r mstdc -accepteula -nobanner c:\windows\temp\ttsel.exe</pre> <p>This resulted in the file <code>C:\Windows\mstdc.exe</code> being created on the target endpoint when PsExec was executed.</p> <p><strong>WMI</strong></p> <p>The alternate execution method the actor employed was a WMI call to start a remote 
process on the target host.</p> <pre class="wp-block-preformatted">wmic /node:"&lt;IP ADDRESS&gt;" /user:"&lt;DOMAIN&gt;\Administrator" /password:"&lt;PASSWORD&gt;" process call create "cmd.exe /c c:\windows\temp\ttsel.exe"</pre> <p>The Quantum ransomware began to encrypt files across all hosts in the environment and then dropped the following ransom note: <code>README_TO_DECRYPT.html</code></p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-23.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6481" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-23.png" alt="" width="1149" height="846" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-23.png 1149w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-23-300x221.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-23-1024x754.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-23-768x565.png 768w" sizes="auto, (max-width: 1149px) 100vw, 1149px" /></a></figure> <p>The Quantum portal had a unique option to create and set a password for the negotiation chat.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-24.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6482" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-24.png" alt="" width="1203" height="631" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-24.png 1203w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-24-300x157.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-24-1024x537.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-24-768x403.png 768w" sizes="auto, (max-width: 1203px) 100vw, 1203px" /></a></figure> <p>Once authenticated, the portal displays the chat window with the threat actor.</p> <figure class="wp-block-image"><a 
href="https://thedfirreport.com/wp-content/uploads/2022/04/12647-25.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6483" src="https://thedfirreport.com/wp-content/uploads/2022/04/12647-25.png" alt="" width="1197" height="712" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/12647-25.png 1197w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-25-300x178.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-25-1024x609.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/12647-25-768x457.png 768w" sizes="auto, (max-width: 1197px) 100vw, 1197px" /></a></figure> <h2 class="wp-block-heading">Diamond Model</h2> <p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-6583" src="https://thedfirreport.com/wp-content/uploads/2022/04/Diamond-Model-Case-12647.png" alt="Diamond Model for case 12647" width="1557" height="893" srcset="https://thedfirreport.com/wp-content/uploads/2022/04/Diamond-Model-Case-12647.png 1557w, https://thedfirreport.com/wp-content/uploads/2022/04/Diamond-Model-Case-12647-300x172.png 300w, https://thedfirreport.com/wp-content/uploads/2022/04/Diamond-Model-Case-12647-1024x587.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/04/Diamond-Model-Case-12647-768x440.png 768w, https://thedfirreport.com/wp-content/uploads/2022/04/Diamond-Model-Case-12647-1536x881.png 1536w" sizes="auto, (max-width: 1557px) 100vw, 1557px" /></p> <p>Feedback always appreciated: <a href="https://thedfirreport.com/contact/" target="_blank" rel="noopener">https://thedfirreport.com/contact/</a></p> <h2 class="wp-block-heading">Indicators</h2> <h3 class="wp-block-heading">Files</h3> <pre class="wp-block-preformatted">docs_invoice_173.iso e051009b12b37c7ee16e810c135f1fef 415b27cd03d3d701a202924c26d25410ea0974d7 5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b<br /><br />dar.dll 4a6ceabb2ce1b486398c254a5503b792 08a1c43bd1c63bbea864133d2923755aa2f74440 
4a76a28498b7f391cdc2be73124b4225497232540247ca3662abd9ab2210be36<br /><br />document.lnk adf0907a6114c2b55349c08251efdf50 aa25ae2f9dbe514169f4526ef4a61c1feeb1386a 3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6<br /><br />adf.bat <br />ebf6f4683d8392add3ef32de1edf29c4 <br />444c704afe4ee33d335bbdfae79b58aba077d10d <br />2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04 <br /><br />Ulfefi32.dll <br />49513b3b8809312d34bb09bd9ea3eb46 <br />445294080bf3f58e9aaa3c9bcf1f346bc9b1eccb <br />6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7 <br /><br />license.dat <br />e9ad8fae2dd8f9d12e709af20d9aefad <br />db7d1545c3c7e60235700af672c1d20175b380cd <br />84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238 <br /><br />ttsel.exe <br />b1eff4fffe66753e5f4265bc5332f72e <br />da2caf36b52d81a0d983407ab143bef8df119b8d <br />b6c11d4a4af4ad4919b1063184ee4fe86a5b4b2b50b53b4e9b9cc282a185afda <br /><br />p227.dll <br />350f82de99b8696fea6e189fcd4ca454 <br />deea45010006c8bde12a800d73475a5824ca2e6f<br />c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3 </pre> <h3 class="wp-block-heading">Network</h3> <p><strong>IcedID</strong></p> <pre class="wp-block-preformatted">dilimoretast[.]com antnosience[.]com oceriesfornot[.]top 138[.]68.42.130:443 157[.]245.142.66:443 188[.]166.154.118:80</pre> <p><strong>Cobalt Strike</strong></p> <pre class="wp-block-preformatted">C2/IP: 185.203.118[.]227:443 Watermark: 305419776</pre> <h2 class="wp-block-heading">Detections</h2> <h3 class="wp-block-heading">Network</h3> <pre class="wp-block-preformatted">ET MALWARE Observed Malicious SSL Cert (Fake Gmail Self Signed - Possible Cobalt Stirke) ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory ET MALWARE Win32/IcedID Request Cookie ET POLICY PE EXE or DLL Windows file download HTTP ET POLICY PsExec service created ET RPC DCERPC SVCCTL - Remote Service Control Manager Access ET POLICY SMB2 NT Create AndX 
Request For an Executable File ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET POLICY SMB Executable File Transfer</pre> <h3 class="wp-block-heading">Sigma</h3> <p><a href="https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/PSEXEC%20Custom%20Named%20Service%20Binary" target="_blank" rel="noopener">https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/PSEXEC%20Custom%20Named%20Service%20Binary</a></p> <p><a href="https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/CHCP%20CodePage%20Locale%20Lookup" target="_blank" rel="noopener">https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/CHCP%20CodePage%20Locale%20Lookup</a></p> <p><a href="https://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml</a></p> <p><a href="https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_trust_discovery.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_trust_discovery.yml</a></p> <p><a href="https://github.com/SigmaHQ/sigma/blob/dfdaecc52ca385c66d1b16971ce867e81bdce82e/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml">https://github.com/SigmaHQ/sigma/blob/dfdaecc52ca385c66d1b16971ce867e81bdce82e/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml</a></p> <p><a 
href="https://github.com/SigmaHQ/sigma/blob/625f05df3c477c4cd7a22e2a7a19742615da1eb5/rules/windows/file/file_event/file_event_win_tool_psexec.yml">https://github.com/SigmaHQ/sigma/blob/625f05df3c477c4cd7a22e2a7a19742615da1eb5/rules/windows/file/file_event/file_event_win_tool_psexec.yml</a></p> <p><a href="https://github.com/SigmaHQ/sigma/blob/c5263039ae6e28a09192b4be2af40fea59a06b08/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/c5263039ae6e28a09192b4be2af40fea59a06b08/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml</a></p> <p><a href="https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml</a></p> <p><a href="https://github.com/SigmaHQ/sigma/blob/7f490d958aa7010f7f519e29bed4a45ecebd152e/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/7f490d958aa7010f7f519e29bed4a45ecebd152e/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml</a></p> <p><a href="https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml</a></p> <p><a href="https://github.com/SigmaHQ/sigma/blob/d459483ef6bb889fb8da1baa17a713a4f1aa8897/rules/windows/file_event/file_event_win_iso_file_recent.yml" target="_blank" rel="noreferrer 
noopener">https://github.com/SigmaHQ/sigma/blob/d459483ef6bb889fb8da1baa17a713a4f1aa8897/rules/windows/file_event/file_event_win_iso_file_recent.yml</a></p> <p><a href="https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml</a></p> <p><a href="https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/security/win_iso_mount.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/security/win_iso_mount.yml</a></p> <p><a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml</a></p> <h3 class="wp-block-heading">Yara</h3> <pre>/*<br />YARA Rule Set<br />Author: The DFIR Report<br />Date: 2022-04-24<br />Identifier: Quantum Case 12647<br />Reference: https://thedfirreport.com<br />*/<br /><br />/* Rule Set ----------------------------------------------------------------- */<br /><br />import "pe"<br /><br />rule docs_invoice_173 {<br />meta:<br />description = "IcedID - file docs_invoice_173.iso"<br />author = "The DFIR Report"<br />reference = "https://thedfirreport.com"<br />date = "2022-04-24"<br />hash1 = "5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b"<br />strings:<br />$x1 = "dar.dll,DllRegisterServer!%SystemRoot%\\System32\\SHELL32.dll" fullword wide<br />$x2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii<br />$s3 = "C:\\Users\\admin\\Desktop\\data" fullword wide<br 
/>$s4 = "Desktop (C:\\Users\\admin)" fullword wide<br />$s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii<br />$s6 = "1t3Eo8.dll" fullword ascii<br />$s7 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide<br />$s8 = "DAR.DLL." fullword ascii<br />$s9 = "dar.dll:h" fullword wide<br />$s10 = "document.lnk" fullword wide<br />$s11 = "DOCUMENT.LNK" fullword ascii<br />$s12 = "6c484a379420bc181ea93528217b7ebf50eae9cb4fc33fb672f26ffc4ab464e29ba2c0acf9e19728e70ef2833eb4d4ab55aafe3f4667e79c188aa8ab75702520" ascii<br />$s13 = "03b9db8f12f0242472abae714fbef30d7278c4917617dc43b61a81951998d867efd5b8a2ee9ff53ea7fa4110c9198a355a5d7f3641b45f3f8bb317aac02aa1fb" ascii<br />$s14 = "d1e5711e46fcb02d7cc6aa2453cfcb8540315a74f93c71e27fa0cf3853d58b979d7bb7c720c02ed384dea172a36916f1bb8b82ffd924b720f62d665558ad1d8c" ascii<br />$s15 = "7d0bfdbaac91129f5d74f7e71c1c5524690343b821a541e8ba8c6ab5367aa3eb82b8dd0faee7bf6d15b972a8ae4b320b9369de3eb309c722db92d9f53b6ace68" ascii<br />$s16 = "89dd0596b7c7b151bf10a1794e8f4a84401269ad5cc4af9af74df8b7199fc762581b431d65a76ecbff01e3cec318b463bce59f421b536db53fa1d21942d48d93" ascii<br />$s17 = "8021dc54625a80e14f829953cc9c4310b6242e49d0ba72eedc0c04383ac5a67c0c4729175e0e662c9e78cede5882532de56a5625c1761aa6fd46b4aefe98453a" ascii<br />$s18 = "24ed05de22fc8d3f76c977faf1def1d729c6b24abe3e89b0254b5b913395ee3487879287388e5ceac4b46182c2072ad1aa4f415ed6ebe515d57f4284ae068851" ascii<br />$s19 = "827da8b743ba46e966706e7f5e6540c00cb1205811383a2814e1d611decfc286b1927d20391b22a0a31935a9ab93d7f25e6331a81d13db6d10c7a771e82dfd8b" ascii<br />$s20 = "7c33d9ad6872281a5d7bf5984f537f09544fdee50645e9846642206ea4a81f70b27439e6dcbe6fdc1331c59bf3e2e847b6195e8ed2a51adaf91b5e615cece1d3" ascii<br />condition:<br />uint16(0) == 0x0000 and filesize &lt; 600KB and<br />1 of ($x*) and 4 of them<br />}<br /><br />rule quantum_license {<br />meta:<br />description = "IcedID - file license.dat"<br />author = "The DFIR Report"<br />reference = 
"https://thedfirreport.com"<br />date = "2022-04-24"<br />hash1 = "84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238"<br />strings:<br />$s1 = "W* |[h" fullword ascii<br />$s2 = "PSHN,;x" fullword ascii<br />$s3 = "ephu\"W" fullword ascii<br />$s4 = "LwUw9\\" fullword ascii<br />$s5 = "VYZP~pN," fullword ascii<br />$s6 = "eRek?@" fullword ascii<br />$s7 = "urKuEqR" fullword ascii<br />$s8 = "1zjWa{`!" fullword ascii<br />$s9 = "YHAV{tl" fullword ascii<br />$s10 = "bwDU?u" fullword ascii<br />$s11 = "SJbW`!W" fullword ascii<br />$s12 = "BNnEx1k" fullword ascii<br />$s13 = "SEENI3=" fullword ascii<br />$s14 = "Bthw?:'H*" fullword ascii<br />$s15 = "NfGHNHC" fullword ascii<br />$s16 = "xUKlrl'&gt;`" fullword ascii<br />$s17 = "gZaZ^;Ro2" fullword ascii<br />$s18 = "JhVo5Bb" fullword ascii<br />$s19 = "OPta)}$" fullword ascii<br />$s20 = "cZZJoVB" fullword ascii<br />condition:<br />uint16(0) == 0x44f8 and filesize &lt; 1000KB and<br />8 of them<br />}<br /><br />rule quantum_p227 {<br />meta:<br />description = "Cobalt Strike - file p227.dll"<br />author = "The DFIR Report"<br />reference = "https://thedfirreport.com"<br />date = "2022-04-24"<br />hash1 = "c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3"<br />strings:<br />$s1 = "Remote Event Log Manager4" fullword wide<br />$s2 = "IIdRemoteCMDServer" fullword ascii<br />$s3 = "? ?6?B?`?" fullword ascii /* hex encoded string 'k' */<br />$s4 = "&lt;*=.=2=6=&lt;=\\=" fullword ascii /* hex encoded string '&amp;' */<br />$s5 = "&gt;'?+?/?3?7?;???" 
fullword ascii /* hex encoded string '7' */<br />$s6 = ":#:':+:/:3:7:" fullword ascii /* hex encoded string '7' */<br />$s7 = "2(252&lt;2[2" fullword ascii /* hex encoded string '"R"' */<br />$s8 = ":$;,;2;&gt;;F;" fullword ascii /* hex encoded string '/' */<br />$s9 = ":&lt;:D:H:L:P:T:X:\\:`:d:h:l:p:t:x:|:" fullword ascii<br />$s10 = "%IdThreadMgr" fullword ascii<br />$s11 = "AutoHotkeys&lt;mC" fullword ascii<br />$s12 = "KeyPreview0tC" fullword ascii<br />$s13 = ":dmM:\\m" fullword ascii<br />$s14 = "EFilerErrorH" fullword ascii<br />$s15 = "EVariantBadVarTypeErrorL" fullword ascii<br />$s16 = "IdThreadMgrDefault" fullword ascii<br />$s17 = "Set Size Exceeded.*Error on call Winsock2 library function %s&amp;Error on loading Winsock2 library (%s)" fullword wide<br />$s18 = "CopyMode0" fullword ascii<br />$s19 = "TGraphicsObject0" fullword ascii<br />$s20 = "THintWindow8" fullword ascii<br />condition:<br />uint16(0) == 0x5a4d and filesize &lt; 2000KB and<br />( pe.imphash() == "c88d91896dd5b7d9cb3f912b90e9d0ed" or 8 of them )<br />}<br /><br />rule Ulfefi32 {<br />meta:<br />description = "IcedID - file Ulfefi32.dll"<br />author = "The DFIR Report"<br />reference = "https://thedfirreport.com"<br />date = "2022-04-24"<br />hash1 = "6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7"<br />strings:<br />$s1 = "WZSKd2NEBI.dll" fullword ascii<br />$s2 = "3638df174d2e47fbc2cdad390fdf57b44186930e3f9f4e99247556af2745ec513b928c5d78ef0def56b76844a24f50ab5c3a10f6f0291e8cfbc4802085b8413c" ascii<br />$s3 = "794311155e3d3b59587a39e6bdeaac42e5a83dbe30a056a059c59a1671d288f7a7cdde39aaf8ce26704ab467e6e7db6da36aec8e1b1e0a6f2101ed3a87a73523" ascii<br />$s4 = "ce37d7187cf033f0f9144a61841e65ebe440d99644c312f2a7527053f27664fc788a70d4013987f40755d30913393c37067fb1796adece94327ba0d8dfb63c10" ascii<br />$s5 = "bacefbe356ece5ed36fa3f3c153e8e152cb204299243eba930136e4a954e8f6e4db70d7d7084822762c17da1d350d97c37dbcf226c5d4faa7e78765fd5aa20f8" ascii<br />$s6 = 
"acee4914ee999f6158bf7aa90e2f9640d51e2b046c94df4301a6ee1658a54d44e423fc0a5ab3b599d6be74726e266cdb71ccd0851bcef3bc5f828eab7e736d81" ascii<br />$s7 = "e2d7e82b0fe30aa846abaa4ab85cb9d47940ec70487f2d5fb4c60012289b133b44e8c244e3ec8e276fa118a54492f348e34e992da07fada70c018de1ff8f91d4" ascii<br />$s8 = "afd386d951143fbfc89016ab29a04b6efcefe7cd9d3e240f1d31d59b9541b222c45bb0dc6adba0ee80b696b85939ac527af149fdbfbf40b2d06493379a27e16b" ascii<br />$s9 = "3bb43aa0bbe8dee8d99aaf3ac42fbe3ec5bd8fa68fb85aea8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7beceb3103a66d5f34a2a6c48eed" ascii<br />$s10 = "a79e1facc14f0a1dfde8f71cec33e08ed6144aa2fd9fe3774c89b50d26b78f4a516a988e412e5cce5a6b6edb7b2cded7fe9212505b240e629e066ed853fb9f6b" ascii<br />$s11 = "69f9b12abc44fac17d92b02eb254c9dc0cfd8888676a9e59f0cb6d630151daccea40e850d615d32d011838f8042a2d6999fab319f49bed09e43f9b6197bf9a66" ascii<br />$s12 = "cfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0ce8ede5912beab0b9b8c3f4bae726d5b2" ascii<br />$s13 = "a8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7beceb3103a66d5f34a2a6c48eedc90afe65ba742c395bbdb4b1b12d96d6f38de96212392c3" ascii<br />$s14 = "900796689b72e62f24b28affa681c23841f21e2c7a56a18a6bbb572042da8717abc9f195340d12f2fae6cf2a6d609ed5a0501e34d3b31f8151f194cdb8afc85e" ascii<br />$s15 = "35560790835fe34ed478758636d3b2b797ba95c824533318dfb147146e2b5debb4f974c906dce439d3c97e94465849c9b42e9cb765a95ff42a7d8b27e62d470a" ascii<br />$s16 = "0b3d20f3cf0f6b3a53c53b8f50f9116edd412776a8f218e6b0d921ccfeeb34875c4674072f84ac612004d8162a6b381f5a3d1f6d70c03203272740463ff4bcd5" ascii<br />$s17 = "72f69c37649149002c41c2d85091b0f6f7683f6e6cc9b9a0063c9b0ce254dddb9736c68f81ed9fed779add52cbb453e106ab8146dab20a033c28dee789de8046" ascii<br />$s18 = "f2b7f87aa149a52967593b53deff481355cfe32c2af99ad4d4144d075e2b2c70088758aafdabaf480e87cf202626bde30d32981c343bd47b403951b165d2dc0f" ascii<br />$s19 = 
"9867f0633c80081f0803b0ed75d37296bac8d3e25e3352624a392fa338570a9930fa3ceb0aaee2095dd3dcb0aab939d7d9a8d5ba7f3baac0601ed13ffc4f0a1e" ascii<br />$s20 = "3d08b3fcfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0ce8ede5912beab0b9b8c3f4bae" ascii<br />condition:<br />uint16(0) == 0x5a4d and filesize &lt; 100KB and<br />( pe.imphash() == "81782d8702e074c0174968b51590bf48" and ( pe.exports("FZKlWfNWN") and pe.exports("IMlNwug") and pe.exports("RPrWVBw") and pe.exports("kCXkdKtadW") and pe.exports("pLugSs") and pe.exports("pRNAU") ) or 8 of them )<br />}<br /><br />rule quantum_ttsel {<br />meta:<br />description = "quantum - file ttsel.exe"<br />author = "The DFIR Report"<br />reference = "https://thedfirreport.com"<br />date = "2022-04-24"<br />hash1 = "b6c11d4a4af4ad4919b1063184ee4fe86a5b4b2b50b53b4e9b9cc282a185afda"<br />strings:<br />$s1 = "DSUVWj ]" fullword ascii<br />$s2 = "WWVh@]@" fullword ascii<br />$s3 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */<br />$s4 = "E4PSSh" fullword ascii /* Goodware String - occured 2 times */<br />$s5 = "tySjD3" fullword ascii<br />$s6 = "@]_^[Y" fullword ascii /* Goodware String - occured 3 times */<br />$s7 = "0`0h0p0" fullword ascii /* Goodware String - occured 3 times */<br />$s8 = "tV9_&lt;tQf9_8tKSSh" fullword ascii<br />$s9 = "Vj\\Yj?Xj:f" fullword ascii<br />$s10 = "1-1:1I1T1Z1p1w1" fullword ascii<br />$s11 = "8-999E9U9k9" fullword ascii<br />$s12 = "8\"8)8H8i8t8" fullword ascii<br />$s13 = "8\"868@8M8W8" fullword ascii<br />$s14 = "3\"3)3&gt;3F3f3m3t3}3" fullword ascii<br />$s15 = "3\"3(3&lt;3]3o3" fullword ascii<br />$s16 = "9 9*909B9" fullword ascii<br />$s17 = "9.979S9]9a9w9" fullword ascii<br />$s18 = "txf9(tsf9)tnj\\P" fullword ascii<br />$s19 = "5!5'5-5J5Y5b5i5~5" fullword ascii<br />$s20 = "&lt;2=7=&gt;=E={=" fullword ascii<br />condition:<br />uint16(0) == 0x5a4d and filesize &lt; 200KB and<br />( pe.imphash() == 
"68b5e41a24d5a26c1c2196733789c238" or 8 of them )<br />}</pre> <h2 class="wp-block-heading">MITRE</h2> <pre class="wp-block-preformatted">T1204 - User Execution T1614.001 - System Location Discovery: System Language Discovery T1218.011 - Signed Binary Proxy Execution: Rundll32 T1059.001 - Command and Scripting Interpreter: PowerShell T1059.003 - Command and Scripting Interpreter: Windows Command Shell T1055 - Process Injection T1055.012 - Process Injection: Process Hollowing T1003.001 - OS Credential Dumping: LSASS Memory T1486 - Data Encrypted for Impact T1482 - Domain Trust Discovery T1021.002 - Remote Services: SMB/Windows Admin Shares T1083 - File and Directory Discovery T1518.001 - Software Discovery: Security Software Discovery T1047 - Windows Management Instrumentation T1087.002 - Account Discovery: Domain Account T1082 - System Information Discovery T1018 - Remote System Discovery T1053.005 - Scheduled Task/Job: Scheduled Task T1071.001 - Web Protocols</pre> <pre class="wp-block-preformatted">S0029 - PsExec S0039 - Net S0100 - ipconfig S0359 - Nltest S0483 - IcedID S0552 - AdFind S0154 - Cobalt Strike</pre> <p>Internal case #12647</p> <div class="sharedaddy sd-sharing-enabled"><div class="robots-nocontent sd-block sd-social sd-social-icon-text sd-sharing"><h3 class="sd-title">Share this:</h3><div class="sd-content"><ul><li class="share-twitter"><a rel="nofollow noopener noreferrer" data-shared="sharing-twitter-6455" class="share-twitter sd-button share-icon" href="https://thedfirreport.com/2022/04/25/quantum-ransomware/?share=twitter" target="_blank" title="Click to share on Twitter" ><span>Twitter</span></a></li><li class="share-linkedin"><a rel="nofollow noopener noreferrer" data-shared="sharing-linkedin-6455" class="share-linkedin sd-button share-icon" href="https://thedfirreport.com/2022/04/25/quantum-ransomware/?share=linkedin" target="_blank" title="Click to share on LinkedIn" ><span>LinkedIn</span></a></li><li class="share-reddit"><a rel="nofollow 
