
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign


A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco for malware analysis support.

Executive Summary

Following a recent Incident Response, McAfee Enterprise‘s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack.

From a cyber-intelligence perspective, one of the biggest challenges is having information on the tactics, techniques, and procedures (TTPs) an adversary is using and then keeping them up to date. Within ATR we typically monitor many adversaries for years and collect and store data, ranging from indicators of compromise (IOCs) to the TTPs.

In this report, ATR provides a deep insight into this long-term campaign where we will map out our findings against the Enterprise MITRE ATT&CK model. There will be parts that are censored since we respect the confidentiality of the victim. We will also zoom in and look at how the translation to the MITRE Techniques, historical context, and evidence artifacts like PlugX and Winnti malware led to a link with another campaign, which we highly trust to be executed by the same adversary.

IOCs that could be shared are at the end of this document.

McAfee customers are protected from the malware/tools described in this blog. MVISION Insights customers will have the full details, IOCs and TTPs shared via their dashboard. MVISION Endpoint, EDR and UCE platforms provide signature and behavior-based prevention and detection capability for many of the techniques used in this attack. A more detailed blog with specific recommendations on using the McAfee portfolio and integrated partner solutions to defend against this attack can be found here.

Technical Analysis

Initial Infection Vectors [TA0001]

Forensic investigations identified that the actor established initial access by compromising the victim’s web server [T1190]. On the webserver, software was installed to maintain the presence and storage of tools [T1105] that would be used to gather information about the victim’s network [T1083] and lateral movement/execution of files [T1570] [T1569.002]. Examples of the tools discovered are PSexec, Procdump, and Mimikatz.

Privilege Escalation and Persistence [TA0004] [TA0003]

The adversary has been observed using multiple privilege escalation and persistence techniques during the period of investigation and presence in the network. We will highlight a few in each category.

Besides the use of Mimikatz to dump credentials, the adversaries used two tools for privilege escalation [T1068]. One of the tools was “RottenPotato”. This is an open-source tool that is used to get a handle to a privileged token, for example, “NT AUTHORITY\SYSTEM”, to be able to execute tasks with System rights.

Example of RottenPotato elevating these rights:

Figure 1 RottenPotato

The second tool discovered, “BadPotato”, is another open-source tool that can be used to elevate user rights towards System rights.

Figure 2 BadPotato

The BadPotato code can be found on GitHub where it is offered as a Visual Studio project. We inspected the adversary’s compiled version using DotPeek and hunted for artifacts in the code. Inspecting the File (COFF) header, we observed the file’s compilation timestamp:

TimeDateStamp: 05/12/2020 08:23:47 – Date and time the image was created

PlugX

Another major and characteristic privilege escalation technique the adversary used in this long-term campaign was the malware PlugX as a backdoor. PlugX uses the technique “DLL Sideloading” [T1574.002]. PlugX was observed as usual, where a single (RAR) executable contained the three parts:

  • Valid executable.
  • Associated DLL with the hook towards the payload.
  • Payload file with the config to communicate with the Command & Control server (C2).

The adversary used either the standalone version or distributed the three files on different assets in the network to gain remote control of those assets. The samples discovered and analyzed were communicating towards two domains. Both domains were registered during the time of the campaign.

One of the PlugX samples consisted of the following three parts:

Filename | SHA256
HPCustPartic.exe | 8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6
HPCustPartUI.dll | 0ee5b19ea38bb52d8ba4c7f05fa1ddf95a4f9c2c93b05aa887c5854653248560
HPCustPartic.bin | 008f7b98c2453507c45dacd4a7a7c1b372b5fafc9945db214c622c8d21d29775

The .exe file is a valid and signed executable and, in this case, an executable from HP (HP Customer Participation). We also observed other valid executables being used, ranging from AV vendors to video software. When the executable is run, the DLL next to it is loaded. The DLL is valid but contains a small hook towards the payload which, in our case, is the .bin file. The DLL loads the PlugX config and injects it into a process.

We executed the samples in a test setup and dumped the memory of the machine to conduct memory analysis with Volatility. After the basic forensically sound steps, we ran the malfind plugin to detect possible injected code in a process. From the redacted output of the plugin, we observed the following values for the processes with possible injected code:

Process: svchost.exe Pid: 860 Address: 0xb50000
Process: explorer.exe Pid: 2752 Address: 0x56a000
Process: svchost.exe Pid: 1176 Address: 0x80000
Process: svchost.exe Pid: 1176 Address: 0x190000
Process: rundll32.exe Pid: 3784 Address: 0xd0000
Process: rundll32.exe Pid: 3784 Address: 0x220000

One observation is that the SVCHOST process with ProcessID 1176 is listed twice, with different addresses. This is similar to RUNDLL32.exe, which is listed twice with PID 3785 and different addresses. One way to identify what malware may have been used is to dump these processes with the associated PID using the procdump module, upload them to an online analysis service and wait for the results. Since this is a very sensitive case, we took a different approach. Using the best of both worlds (Volatility and Yara) we used a ruleset that consists of malware patterns observed in memory over time. Running this ruleset over the data in the memory dump revealed the following (redacted for the sake of readability) output:

Figure 3 Output Yarascan memory dump

The output of the Yara rule scan (and there was much more output) confirmed the presence of PlugX module code in PID 1176 of the SVCHOST service. Also, the rule was triggered on PID 3784, which belonged to RUNDLL32.exe.
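The triage step described above, as an added Python example that is not part of the report: it parses malfind-style lines like the ones listed, groups injected regions per PID, and cross-references them with yarascan hits so that a process with a rule hit is marked confirmed and a process with several injected regions but no hit is queued for review. The yarascan lines and the rule name are constructed, since Figure 3 is redacted.

```python
import re
from collections import defaultdict

# Malfind-style lines with the values the report lists (constructed text, same numbers).
MALFIND_OUTPUT = """\
Process: svchost.exe Pid: 860 Address: 0xb50000
Process: explorer.exe Pid: 2752 Address: 0x56a000
Process: svchost.exe Pid: 1176 Address: 0x80000
Process: svchost.exe Pid: 1176 Address: 0x190000
Process: rundll32.exe Pid: 3784 Address: 0xd0000
Process: rundll32.exe Pid: 3784 Address: 0x220000
"""

# Constructed yarascan-style hits; the rule name is hypothetical.
YARASCAN_OUTPUT = """\
Rule: PlugX_memory_pattern Owner: Process svchost.exe Pid 1176
Rule: PlugX_memory_pattern Owner: Process rundll32.exe Pid 3784
"""

MALFIND_RE = re.compile(r"Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
YARA_RE = re.compile(r"Rule:\s+(\S+)\s+Owner:\s+Process\s+(\S+)\s+Pid\s+(\d+)")


def parse_malfind(text: str) -> dict:
    """Map pid -> list of (process name, region address) for every flagged region."""
    regions = defaultdict(list)
    for m in MALFIND_RE.finditer(text):
        regions[int(m.group(2))].append((m.group(1), int(m.group(3), 16)))
    return dict(regions)


def parse_yarascan(text: str) -> dict:
    """Map pid -> set of rule names that fired inside that process."""
    hits = defaultdict(set)
    for m in YARA_RE.finditer(text):
        hits[int(m.group(3))].add(m.group(1))
    return dict(hits)


def triage(malfind_text: str, yara_text: str) -> dict:
    """Combine both views into a per-PID verdict without uploading any dump."""
    regions = parse_malfind(malfind_text)
    hits = parse_yarascan(yara_text)
    report = {}
    for pid, regs in sorted(regions.items()):
        rules = sorted(hits.get(pid, ()))
        if rules:
            verdict = "confirmed"          # memory pattern matched a known family
        elif len(regs) > 1:
            verdict = "review"             # several injected regions, no signature yet
        else:
            verdict = "unconfirmed"
        report[pid] = {
            "process": regs[0][0],
            "regions": sorted(addr for _, addr in regs),
            "rules": rules,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for pid, info in triage(MALFIND_OUTPUT, YARASCAN_OUTPUT).items():
        print(pid, info["process"], info["verdict"], [hex(a) for a in info["regions"]])
```

The same parser works on real Volatility output once the region lines are isolated; the verdict logic is the point, not the regex.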

Investigating the dumps after dynamic analysis, we observed two domains used for C2 traffic:

  • sery.brushupdata.com
  • dnssery.brushupdata.com

Specifically, we observed the following hardcoded value that might be another payload being downloaded:

sery.brushupdata.com/CE1BC21B4340FEC2B8663B69

The PlugX families we observed used DNS [T1071.001] [T1071.004] as the transport channel for C2 traffic, in particular TXT queries. Investigating the traffic from our samples, we observed the check-in signature (“20 2A 2F 2A 0D”) that is typical for PlugX network traffic:

00000000:            47 45 54 20 2F 42 34 42 42 44 43 43 30 32 39 45
00000010:            31 31 39 37 31 39 46 30 36 35 36 32 32 20 48 54
00000020:            54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20
00000030:            2A 2F 2A 0D 0A 43 6F 6F 6B 69 65 3A 20 44 36 43
00000040:            57 50 2B 56 5A 47 6D 59 6B 6D 64 6D 64 64 58 55
00000050:            71 58 4D 31 71 31 6A 41 3D 0D 0A 55 73 65 72 2D

During our analysis of the different PlugX samples discovered, the domains mentioned above stayed the same, though the payload values were different. For example:

  • hxxp://sery.brushupdata.com/B4BBDCC029E119719F065622
  • hxxp://sery.brushupdata.com/07FDB1B97D22EE6AF2482B1B
  • hxxp://sery.brushupdata.com/273CDC0B9C6218BC1187556D
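To show what the hex dump above actually carries, here is an added Python example (not part of the report) that turns the listing back into bytes, reconstructs the HTTP request, locates the “20 2A 2F 2A 0D” check-in signature (the tail of “Accept: */*”), pulls out the 24-character payload identifier and the cookie, and matches the identifier against the defanged URL list from the report. The dump bytes and URLs are the page’s own; the field names are my assumptions.

```python
import re

# Hex dump from the report's PlugX check-in capture, offsets stripped.
PLUGX_DUMP = """
47 45 54 20 2F 42 34 42 42 44 43 43 30 32 39 45
31 31 39 37 31 39 46 30 36 35 36 32 32 20 48 54
54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20
2A 2F 2A 0D 0A 43 6F 6F 6B 69 65 3A 20 44 36 43
57 50 2B 56 5A 47 6D 59 6B 6D 64 6D 64 64 58 55
71 58 4D 31 71 31 6A 41 3D 0D 0A 55 73 65 72 2D
"""

# The check-in signature the report names: " */*\r", i.e. the end of "Accept: */*".
CHECKIN_SIG = bytes.fromhex("202A2F2A0D")

# Request-line shape seen on the page: GET /<24 upper-case hex chars> HTTP/1.x
REQUEST_RE = re.compile(rb"^GET /([0-9A-F]{24}) HTTP/1\.[01]\r\n")
URL_RE = re.compile(r"^hxxps?://(?P<host>[^/]+)/(?P<id>[0-9A-F]{24})$")

# Defanged payload URLs listed in the report.
PLUGX_URLS = [
    "hxxp://sery.brushupdata.com/B4BBDCC029E119719F065622",
    "hxxp://sery.brushupdata.com/07FDB1B97D22EE6AF2482B1B",
    "hxxp://sery.brushupdata.com/273CDC0B9C6218BC1187556D",
]


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex listing back into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def analyse_checkin(raw: bytes) -> dict:
    """Reconstruct the HTTP request and extract the fields worth pivoting on."""
    sig_off = raw.find(CHECKIN_SIG)
    m = REQUEST_RE.match(raw)
    headers = raw.split(b"\r\n")
    cookie = next((h[len(b"Cookie: "):].decode("ascii")
                   for h in headers if h.startswith(b"Cookie: ")), None)
    return {
        "has_checkin_signature": sig_off != -1,
        "signature_offset": sig_off,
        "payload_id": m.group(1).decode("ascii") if m else None,
        "cookie": cookie,
        "text": raw.decode("ascii", errors="replace"),
    }


def plugx_url_ids(urls) -> dict:
    """Group payload identifiers by C2 host so a capture can be matched against them."""
    by_host = {}
    for u in urls:
        m = URL_RE.match(u)
        if m:
            by_host.setdefault(m.group("host"), []).append(m.group("id"))
    return by_host


if __name__ == "__main__":
    result = analyse_checkin(hexdump_to_bytes(PLUGX_DUMP))
    print(result["text"])
    print("check-in signature at offset:", result["signature_offset"])
    known = plugx_url_ids(PLUGX_URLS)
    print("payload id known from URL list:",
          result["payload_id"] in known.get("sery.brushupdata.com", []))
```

The decoded request is `GET /B4BBDCC029E119719F065622 HTTP/1.1` followed by `Accept: */*` and a `Cookie:` header, so the signature is simply the Accept header as PlugX writes it; a network sensor rule should therefore pair it with the path shape and the cookie rather than rely on those five bytes alone.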

Other PlugX samples we observed injected themselves into Windows Media Player and started a connection with the following two domains:

  • center.asmlbigip.com
  • sec.asmlbigip.com

Hello Winnti

Another mechanism observed was to start a program as a service [T1543.003] on the operating system with the System rights obtained by using the *Potato tools. The file the adversary was using appeared to be a backdoor that was using the DLL file format (2458562ca2f6fabddae8385cb817c172).

The DLL is used to create a malicious service and its name is “service.dll”. The name of the created service, “SysmainUpdate”, is usurping the name of the legitimate service “SysMain”, which is related to the legitimate DLL sysmain.dll and also to the Superfetch service. The DLL is run using the command “rundll32.exe SuperFrtch.dll, #1”. The export function has the name “WwanSvcMain”.

The model uses the persistence technique of svchost.exe with service.dll to install a rogue service. It appears that the DLL employs several mechanisms to fingerprint the targeted system and avoid analysis in a sandbox, making analysis harder. The DLL embeds several obfuscated strings that are decoded at run time. Once the fingerprinting has been done, the malware installs the malicious service using the API RegisterServiceHandlerA, then SetServiceStatus, and finally CreateEventA. A description of the process can be found here.
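The naming trick above (a service called “SysmainUpdate” next to the real “SysMain”, a DLL named “SuperFrtch” next to “Superfetch”, and an export invoked by ordinal through rundll32) is something a defender can check for mechanically. The following Python is an added example, not code from the report: it scores a service record and a rundll32 command line against a small, hypothetical allow-list of legitimate service and DLL names using edit distance and prefix checks. The allow-list and the sample inputs are constructed; only the names quoted in the report are taken from the page.

```python
import re

# Hypothetical allow-list excerpt: legitimate service name -> DLL that backs it.
KNOWN_SERVICES = {"sysmain": "sysmain.dll", "superfetch": "sysmain.dll", "wwansvc": "wwansvc.dll"}
DLL_STEMS = {dll[:-4] for dll in KNOWN_SERVICES.values()}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+)\s*,\s*(?P<export>#?\w+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small inputs, so a full DP row is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(token: str, candidates, max_dist: int = 2):
    """Return the legitimate name a token imitates (near-miss or name+suffix), else None."""
    t = token.lower()
    for c in candidates:
        if t == c:
            return None  # exact legitimate name, nothing to flag here
        if edit_distance(t, c) <= max_dist or (t.startswith(c) and len(t) > len(c)):
            return c
    return None


def _stem(path: str) -> str:
    base = path.lower().rsplit("\\", 1)[-1]
    return base[:-4] if base.endswith(".dll") else base


def assess_service(name: str, service_dll: str) -> list:
    """Reasons a service registration looks like impersonation of a Windows service."""
    reasons = []
    la = lookalike_of(name, KNOWN_SERVICES)
    if la:
        reasons.append(f"service name {name!r} resembles legitimate service {la!r}")
    if not service_dll.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"ServiceDll outside system directories: {service_dll}")
    la_dll = lookalike_of(_stem(service_dll), DLL_STEMS)
    if la_dll:
        reasons.append(f"ServiceDll name resembles legitimate DLL {la_dll!r}.dll")
    return reasons


def assess_rundll32(cmdline: str) -> list:
    """Reasons a rundll32 invocation deserves a look (bare DLL name, ordinal, lookalike)."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return []
    reasons = []
    dll, export = m.group("dll"), m.group("export")
    if "\\" not in dll:
        reasons.append("DLL given by bare name, so it resolves via search order")
    if export.startswith("#"):
        reasons.append(f"export invoked by ordinal {export}")
    la = lookalike_of(_stem(dll), KNOWN_SERVICES)
    if la:
        reasons.append(f"DLL name {dll!r} resembles legitimate service {la!r}")
    return reasons


if __name__ == "__main__":
    print(assess_service("SysmainUpdate", r"C:\ProgramData\Microsoft\Windows\SuperfRtch\service.dll"))
    print(assess_rundll32("rundll32.exe SuperFrtch.dll, #1"))
```

In practice the allow-list would be generated from a clean reference build of the same Windows version, and the ServiceDll path would be read from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters`.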

The malware also decrypts and injects the payload in memory. The following screenshot shows the decryption routine.

Figure 4 Decryption routine

When we analyzed this unique routine, we discovered similarities and a mention of it in a publication that can be read here. The malware described in the article is attributed to the Winnti malware family. The operating method and the code used in the DLL described in the article are very similar to our analysis and observations.

The process dump also revealed further indicators. Firstly, it revealed artifacts related to the DLL analyzed, “C:\ProgramData\Microsoft\Windows\SuperfRtch\SuperfRtch.dat”. We believe that this .dat file might be the loaded payload.

Secondly, while investigating the process dump, we observed activity from the backdoor that is part of the data exfiltration attempts, which we will describe in more detail in this analysis report.

A redacted snippet of the code would look like this:

Creating archive ***.rar
Adding   [data from location]
  0%
  OK

Another indicator pointing to Winnti malware was the following execution path we discovered in the command-line dump of the memory:

cmd /c klcsngtgui.exe 1560413F7E <abbreviation-victim>.dat

What we observed here was the use of a valid executable, the AES-256 decryption key of the payload (.dat file). In this case, the payload file was named using an abbreviation of the victim company’s name. Unfortunately, the adversary had removed the payload file from the system. File carving did not work as the disk/unallocated space was overwritten. However, reconstructing traces from memory revealed that we were dealing with the Winnti 4.0 malware. The malware was injected into a SVCHOST process where a driver location pointed to the config file. We observed in the process dump the exfiltration of data about the system, such as OS, processor (architecture), domain, username, etc.

Another clue that helped us was the use of DNS tunneling by Winnti, of which we discovered traces in memory. The hardcoded 208.67.222.222 resolves to a legitimate OpenDNS DNS server. The IP is pushed into the list generated by the malware at runtime. At the start of the malware, it populates the list with the system’s DNS, and the OpenDNS server is only used as a backup to ensure that the C2 domain is resolved.

Another indicator in the process dump was the setup of the C2 connection, including the User-Agent that has been observed being used by the Winnti 4.0 malware:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Other Persistence Activities

WMI activity [T1546.003] was also observed to execute commands on the systems.

From a persistence standpoint, scheduled tasks [T1053.005] and the use of valid accounts [T1078] obtained by using Mimikatz, or by creating LSASS dumps, were observed being employed during the length of the campaign.

Lateral Movement

From a lateral movement perspective, the adversary used the obtained credentials to hop from asset to asset. In one particular case, we observed a familiar filename: “PsExec.exe”. This SysInternals tool is often observed being used in lateral movement by adversaries; however, it can also be used by the sysadmins of the network. In our case, the PsExec executable had a file size of 9.6 MB where the original PsExec (depending on 32- or 64-bit version) had a maximum file size of 1.3 MB. An initial static inspection of the file revealed a blob of code present in the executable which had a very high entropy score (7.99). When running the file from the command line, the following output was observed:

Figure 5 PsExec output

The error notification and the ‘Impacket’ keyword tipped us off and, after digging around, we found more. The fake PsExec is an open-source Python script that is a PsExec alternative with shell/backdoor capability. It uses a script from this location: hxxps://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py. The file is large as it contains the low-level protocol interaction from Impacket. The Python library combined with the script code is compiled with py2exe. The file was compiled during the time of the latest attack activities and signed with an expired certificate.

Data Exfiltration

From what we observed, the adversary had a long-term intention to stay present in the victim’s network. With high confidence, we believe that the adversary was interested in stealing proprietary intelligence that could be used for military or intellectual property/manufacturing purposes.

The adversary used multiple techniques to exfiltrate the data. In some cases, batch (.bat) scripts were created to gather information from certain network shares/folders and use the ‘rar’ tool to compress them to a certain size [T1020] [T1030]. Example of content in a batch script:

C:\Windows\web\rar.exe a -[redacted] -r -v50000 [Target-directory]

On other occasions, manual variants of the above command were discovered after use of the custom backdoor as described earlier.

When the data was gathered on a local system using the backdoor, the files were exfiltrated over the backdoor and the rar files were deleted [T1070.004]. Where external-facing assets were used, like a web server, the data was stored in a location in the Internet Information Services (IIS) web server and exfiltrated over HTTP using GET requests towards the exact file paths [T1041] [T1567] [T1071].

An example of the [redacted] web traffic in the IIS logfiles:

Date/Time | Request | TCP Src port | Source IP | User-Agent
Redacted | GET /****/[redacted].rar | 80 | 180.50.*.* | MINIXL
redacted | GET /****/[redacted].rar | 80 | 209.58.*.* | MINIXL

The source IP addresses discovered belonged to two different ISP/VPN providers based in Hong Kong.

The User-Agent value is an interesting one, “MINIXL”. When we researched that value, we discovered a blog from Dell SecureWorks from 2015 that mentions the same User-Agent, and a lot of the artifacts mentioned in that blog overlapped with the observations and TTPs of Operation Harvest [link].

What we could retrieve from open-source databases is that the use of this particular User-Agent is very limited and seems to originate from the APAC region.

Who did it?

That seems to be the one-million-dollar question. Within McAfee, attribution is not our main focus; protecting our customers is our priority. What we do care about is this: if we learn about these techniques during an investigation, can we map them out and support our IR team on the ground, or a customer’s IR team, with information that helps determine which phase of the attack the evidence is pointing to and, based on historical data and intelligence, assist in blocking the next phase and discovering more evidence?

We started by mapping out all MITRE ATT&CK Enterprise techniques and sub-techniques, added the tools used, and did a comparison against historical technique data from the industry. We ended up with four groups that shared techniques and sub-techniques. The Winnti group was added by us since we discovered the unique encryption function in the custom backdoor and indicators of the use of the Winnti malware.

Figure 6 ATT&CK technique comparison

The diagram reflecting our outcome suggested that APT27 and APT41 are the most likely candidates that overlap with the (sub-)techniques we observed.

Since all these groups are in a certain time zone, we extracted all timestamps from the forensic investigation with regard to:

  • Registration of domains
  • Compile timestamps of malware (considering deception)
  • Timestamps of command-line activity
  • Timestamps of data exfiltration
  • Timestamps of malware interaction such as creation, deletion, etc.

When we converted all these timestamps from UTC to the aforementioned groups’ time zones, we ended up with the below scheme of activity:

Figure 7 Adversary’s time of operation

In this campaign, we observed how the adversary mostly seems to work from Monday to Thursday and typically during office hours, albeit with the occasional exception.

Correlating ATT&CK (sub-)techniques, timestamps, and tools like PlugX and Mimikatz are not the only evidence indicators that can help to identify a possible adversary. Command-line syntax, specific code similarity, actor capability over time versus other groups, and unique identifiers are at the top of the ‘pyramid of pain’ in threat intelligence. The bottom part of the pyramid is about hashes, URLs, and domains, areas that are very volatile and easy for an adversary to change.

Figure 8 Pyramid of Pain

Beyond investigating these artifacts, we also took possible geopolitical interests and potential deception into consideration when building our hypothesis. When we mapped out all of these, we believed that one of the two previously mentioned groups was responsible for the campaign we investigated.

Our focus was not attribution, though, but rather where the flow of the attack is, how it matches against previous attack flows from groups, and what techniques/tools they are using, in order to block next steps or know where to discover them. The more details we can gather at the top of ‘the pyramid of pain’, the better we can determine the likely adversary and its TTPs.
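The timestamp analysis described above, as an added Python example that is not part of the report: a set of event timestamps in UTC is converted into several candidate zones, the share of events that fall on a weekday between 09:00 and 18:00 is computed for each, and the zones are ranked by that share. The event list is constructed and stands in for the domain-registration, compile, command-line and exfiltration times the report used; fixed offsets are used instead of named zones (China Standard Time has no DST, so UTC+8 is exact), and the office-hours window is my assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps (ISO 8601) of adversary actions.
EVENTS_UTC = [
    "2020-06-01T01:30:00Z", "2020-06-01T06:05:00Z",   # Monday
    "2020-06-02T03:40:00Z", "2020-06-02T08:20:00Z",   # Tuesday
    "2020-06-03T02:00:00Z", "2020-06-03T07:45:00Z",   # Wednesday
    "2020-06-04T01:10:00Z", "2020-06-04T09:30:00Z",   # Thursday
    "2020-06-06T05:00:00Z",                           # Saturday (the occasional exception)
    "2020-06-08T04:25:00Z",                           # next Monday
]

# Candidate operator zones as fixed UTC offsets in hours.
CANDIDATE_ZONES = {"UTC+8 (Beijing)": 8, "UTC+3": 3, "UTC": 0, "UTC-5": -5}
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def to_local(ts: str, offset_hours: int) -> datetime:
    """Parse a UTC ISO timestamp and shift it into a fixed-offset zone."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone(timedelta(hours=offset_hours)))


def office_hours_fraction(events, offset_hours: int, start: int = 9, end: int = 18) -> float:
    """Share of events on Mon-Fri between start (inclusive) and end (exclusive) local hour."""
    hits = 0
    for ts in events:
        local = to_local(ts, offset_hours)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(events)


def weekday_profile(events, offset_hours: int) -> Counter:
    """Count events per local weekday, the view behind the report's Figure 7."""
    return Counter(WEEKDAYS[to_local(ts, offset_hours).weekday()] for ts in events)


def rank_zones(events, zones: dict) -> list:
    """Order candidate zones by how well their office hours explain the activity."""
    scored = [(name, office_hours_fraction(events, off)) for name, off in zones.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_zones(EVENTS_UTC, CANDIDATE_ZONES):
        print(f"{name:16s} office-hours share = {score:.2f}")
    print(weekday_profile(EVENTS_UTC, 8))
```

Compile timestamps should be fed in only after the deception check the report mentions, since a forged PE timestamp will pull the ranking toward whatever zone the author chose.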

That’s all Folks!

Well, not really. While correlating the observed (sub-)techniques, the malware families and code, we discovered another targeted attack against a similar target in the same country with the major motivation of gathering intelligence. In the following diagram we conducted a high-level comparison of the tools being used by the adversary:

Figure 9 Tools comparison

Although some of the tools are unique to each campaign, if viewed over time together with when they were used, it makes sense. It demonstrates the development of the actor and the use of newer tools to conduct lateral movement and to obtain the required level of user rights on systems.

Overall, we observed the same modus operandi. Once an initial foothold was established, the adversary would deploy PlugX initially to create a few backdoors in the victim’s network in case they were discovered early on. After that, using Mimikatz and dumping lsass, they attempted to get valid accounts. Once valid accounts were acquired, multiple tools, including some of their own, were used to gain information about the victim’s network. From there, multiple shares/servers were accessed and information gathered. That information was exfiltrated as rar files and placed on an internet-facing server to hide in the ‘normal’ traffic. We represent that in the following graphic:

Figure 10 Attack flow

In the 2019/2020 case we also observed the use of a malware sample that we would classify as part of the Winnti malware family. We discovered a couple of files that were executed by the following command:

Start Ins64.exe E370AA8DA0 Jumper64.dat

The Winnti loader ‘Ins64.exe’ uses the value ‘E370AA8DA0’ to decrypt the payload from the .dat file using the AES-256-CTR decryption algorithm and starts executing it.

After executing this command and analyzing the memory, we observed a process injection into one of the svchost processes whereby one particular file was loaded from the following path:

C:\programdata\microsoft\windows\caches\ieupdate.dll

Figure 11 Memory capture

The malware started to open up both UDP and TCP ports to connect with a C2 server.

UDP Port 20502
TCP Port 20501

Figure 12 Network connections to C2

Capturing the traffic from the malware we observed the following as an example:

Figure 13 Winnti HTTP traffic to C2

The packet data was customized and sent by a POST request with multiple headers towards the C2. In the above screenshot the numbers after “POST /” were randomly generated.

The User-Agent is a good network indicator to identify the Winnti malware since it is used in multiple variants:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Indeed, the same User-Agent value was discovered in the Winnti sample in Operation Harvest and seems to be typical for this malware family.

The cookie value consists of four DWORD hex values that contain information about the customized packet size using a XOR value.

We learned more about the packet structure of Winnti from this link.

Applying what we learned about the handshake, we observed the following in our traffic sample:

Dword value 0 = 52 54 00 36
Dword value 1 = 3e ff 06 b2
Dword value 2 = 99 6d 78 fe
Dword value 3 = 08 00 45 00
Dword value 4 = 00 34 00 47

Preliminary handshake order:

Based on our cross-correlation with samples and other OSINT resources, we believe with high confidence that this was a Winnti 4.0 sample that connects with a confirmed Winnti C2 server.

The identified C2 server was 185.161.211.97 TCP/80.

Timeline of Events

When analyzing the timestamps from this investigation, as we did for Operation Harvest, we came to the below overview:

Figure 14 Beijing working hours case 2019/2020

Again, we observed that the adversary was working Monday to Friday during office hours in the Beijing time zone.

Conclusion

Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data. The exfiltrated data would either have been part of an intellectual property theft for economic purposes and/or would have provided insights that would be helpful in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used unique new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlation with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor.

After mapping out all data, TTPs, etc., we discovered a very strong overlap with a campaign observed in 2019/2020. A lot of the (in-depth) technical indicators and techniques match. Also, putting it into perspective over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.

On a separate note, we observed the use of the Winnti malware. We deliberately use the term ‘malware’ instead of group. The Winnti malware is known to be used by multiple actors. Within every nation-state cyber-offensive activity, there will be a department/unit responsible for the creation of the tools/malware, etc. We strongly believe that is exactly what we observe here as well. PlugX, Winnti and some other custom tools all point to a group that had access to the same tools. Whether we put name ‘X’ or ‘Y’ on the adversary, we strongly believe that we are dealing with a Chinese actor whose long-term objectives are persistence in their victims’ networks and the acquisition of the intelligence needed to make political/strategic or manufacturing decisions.

MITRE ATT&CK Techniques

Technique ID | Technique Title | Context Campaign
T1190 | Exploit Public-Facing Application | Adversary exploited a web-facing server with an application
T1105 | Ingress Tool Transfer | Tools were transferred to a compromised web-facing server
T1083 | File & Directory Discovery | Adversary browsed several locations to search for the data they were after
T1570 | Lateral Tool Transfer | Adversary transferred tools/backdoors to maintain persistence
T1569.002 | System Services: Service Execution | Adversary installed a custom backdoor as a service
T1068 | Exploitation for Privilege Escalation | Adversary used Rotten/Bad Potato to elevate user rights by abusing API calls in the operating system
T1574.002 | Hijack Execution Flow: DLL Side-Loading | Adversary used PlugX malware that is well known for DLL side-loading using a valid executable and a DLL with the hook towards a payload file
T1543.003 | Create or Modify System Process: Windows Service | Adversary launched the backdoor and some tools as a Windows Service, including adding registry keys
T1546.003 | Event-Triggered Execution: WMI Event Subscription | WMI was used for running commands on remote systems
T1053.005 | Scheduled Task | Adversary ran scheduled tasks for persistence of certain malware samples
T1078 | Valid Accounts | Using Mimikatz and dumping of lsass, the adversary gained credentials in the network
T1020 | Automated Exfiltration | The PlugX malware exfiltrated data towards a C2 and received commands to gather more information about the victim’s compromised host
T1030 | Data Transfer Size Limits | Adversary limited the size of rar files for exfiltration
T1070.004 | Indicator Removal on Host | Where at the beginning of the campaign the adversary was sloppy, during the last months of activity they became more careful and started to remove evidence
T1041 | Exfiltration over C2 Channel | Adversary used several C2 domains to interact with compromised hosts
T1567 | Exfiltration over Web Service | Gathered information was stored as ‘rar’ files on the internet-facing server, whereafter they were downloaded from a specific IP range
T1071.004 | Application Layer Protocol: DNS | Using DNS tunneling for the C2 traffic of the PlugX malware

Indicators of Compromise (IOCs)

Note: the indicators shared are to be used in a historical and timeline-based context, ranging from 2016 to March 2021.

Operation Harvest:

PlugX C2:

sery(.)brushupdata(.)com
dnssery(.)brushupdata(.)com
center(.)asmlbigip(.)com

Tools:

Mimikatz
PsExec
RottenPotato
BadPotato

Operation 2019/2020

PlugX malware:

f50de0fae860a5fd780d953a8af07450661458646293bfd0fed81a1ff9eb4498
26e448fe1105b5dadae9b7607e3cca366c6ba8eccf5b6efe67b87c312651db01
e9033a5db456af922a82e1d44afc3e8e4a5732efde3e9461c1d8f7629aa55caf
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

Winnti:

800238bc27ca94279c7562f1f70241ef3a37937c15d051894472e97852ebe9f4
c3c8f6befa32edd09de3018a7be7f0b7144702cb7c626f9d8d8d9a77e201d104
df951bf75770b0f597f0296a644d96fbe9a3a8c556f4d2a2479a7bad39e7ad5f

Winnti C2: 185.161.211.97

Tools:

PSW64      6e983477f72c8575f8f3ff5731b74e20877b3971fa2d47683aff11cfd71b48c6
NTDSDumpEx 6db8336794a351888636cb26ebefb52aeaa4b7f90dbb3e6440c2a28e4f13ef96
NBTSCAN    c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
NetSess    ddeeedc8ab9ab3b90c2e36340d4674fda3b458c0afd7514735b2857f26b14c6d
Smbexec    e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee
Wmiexec    14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8
Mimikatz
RAR command-line
TCPdump


