TTPwire Vol. 1 · MITRE ATT&CK·Tagged


The DFIR Report

Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

editor · 2025-09-08

ATT&CK techniques detected

98 predictions
T1003.001 LSASS Memory · 100%
“this report, the file hash for the executable C:\Users\Public\Music\ccs.exe returned a direct match for the Betruger backdoor. According to research conducted by the Symantec team, this backdoor is multifunctional and includes modules designed for credential dumping. Th…”

T1046 Network Service Discovery · 99%
“txt Here's the command line options breakdown: -m:scan - sets the mode/method to scan. -i:f - input parameters set to "f" (file) -d:list.txt - destination parameter pointing to list.txt. Can be used to load target IPs. gt_net.exe generated 3,861 internal d…”

T1021.001 Remote Desktop Protocol · 99%
“organization's infrastructure and understood how to navigate between systems to access sensitive data efficiently. One notable document sought out and opened by the threat actor was an insurance policy document covering cyber intrusions. Where zipped files were found, these wer…”

T1070.006 Timestomp · 99%
“actor performed potentially time-stomping activities by manipulating the metadata of the exportdata.db file, which contained the scan results, by executing the "gt_net.exe" binary. This timestomping occurred immediately after gt_net.exe created the exportdata.db file,…”

T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol · 98%
“host.njalla[.]net has been classified as a phishing domain. Based on Symantec's analysis, the file was identified as the Betruger malware, a multi-functional backdoor. The malware established command and control (C2) communication over multiple IP addresses using ports …”

T1560.001 Archive via Utility · 98%
“on day six, multiple Windows event IDs 4776 (credential validation) were observed, indicating successful network authentication attempts against the beachhead system. The source workstation associated with these authentication events WIN-FLGU1CC210K had not been observed in a…”

T1486 Data Encrypted for Impact · 98%
“, we identified multiple indicators linked to three distinct ransomware groups. The detailed attribution matrix is as follows. Timeline Diamond Model Indicators Atomic 45.141.87.55 - msbuild.exe C2 (SectopRAT) 149.28.101.219 - wakewordengine.dll / conhost.dll (SystemB…”

T1003.006 DCSync · 98%
“Backup.Common.ProtectedStorage]::GetLocalString($encoded) Write-Host "==================" Write-Host "user_name: " $myarray.user_name[$i] Write-Host "password: " $pass Write-Host "description: " $myarray.description[$i] …”

T1486 Data Encrypted for Impact · 96%
“Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs Key Takeaways - The intrusion began when a user downloaded and executed a malicious file impersonating DeskSoft's …”

T1055.001 Dynamic-link Library Injection · 96%
“loader, a malware delivery mechanism that leverages legitimate remote management tools to deploy RATs like SectopRAT. This msbuild.exe process then wrote the malicious executable C:\Users\Public\Music\wakewordengine.dll. This file write event triggered the following Si…”

T1195.002 Compromise Software Supply Chain · 95%
“://cwe.mitre.org/data/definitions/427.html) We discovered that this vulnerability applies to all software provided by DeskSoft. Execution EarthTime.exe The EarthTime.exe binary was executed from the Downloads folder. The parent process was explorer.exe, suggesting…”

T1090.001 Internal Proxy · 95%
“55 ¦ tgtport: 9000 ¦ proc: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SystemBC Shortly after the command-and-control (C2) channel was established via the SectopRAT malware, a new file named wakewordengine.dll (also observed later in the int…”

T1005 Data from Local System · 94%
“before performing additional archiving operations on specific files, e.g. "C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -imon1 -- . F:\Shares\redacted\redacted The threat actor also deployed a tool named fs64.exe, a custom tool designed for a…”

T1190 Exploit Public-Facing Application · 94%
“…a99447515 4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3 sh.exe 829a9dfd2cdcf50519a1cec1f529854b 5bf41754bfb3a18611b2a02f7f385960ed24f8e1 a7240d8a7aee872c08b915a58976a1ddee2ff5a8a679f78ec1c7cf528f40deed netscan.exe 27…”

T1059.001 PowerShell · 93%
“…RAT) with the following signature: Windows.Trojan.Arechclient2 SectopRAT is widely known to have information-stealing capabilities, which are on display in the strings from this particular dump. The strings reference scans for various services, including Steam, Discord, T…”

T1055 Process Injection · 92%
“unusual for it to be executed with no command-line arguments. Red Canary has previously observed this activity linked to the SectopRAT/ArechClient2, a .NET RAT tool, which also inspired the following threat hunting query, which would detect this activity. Process chains where…”

T1087.002 Domain Account · 91%
“CSV file: Import-Module ActiveDirectory; Get-ADComputer -Filter {Enabled -eq $true} -Properties * | select Comment, Description, Name, DNSHostName, OperatingSystem, LastLogonDate, IPv4Address | Export-Csv C:\Users\Public\Music\allwindows.csv -NoTypeInform…”

T1080 Taint Shared Content · 91%
“Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs Key Takeaways - The intrusion began when a user downloaded and executed a malicious file impersonating DeskSoft's …”

T1071.001 Web Protocols · 91%
“…332ce16ee0c393b8eea6e71863ad41e3caeafd 18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566 Detections Network ET MALWARE Arechclient2 Backdoor/SectopRAT Related Activity M2 (GET) ET MALWARE Arechclient2 Backdoor/SectopRAT CnC Init ThreatFox SectopRAT botnet C…”

T1218.011 Rundll32 · 91%
“multiple compromised servers throughout the intrusion. In most instances, it retained the same filename observed on the initial beachhead system (wakewordengine.dll); however, on the domain controller it was renamed to conhost.dll which corresponds to the filename identified…”

T1197 BITS Jobs · 90%
“, the vhd.dll would ask for a key, which is needed in order to fully execute the program. While checking the codes, we observed vhd.dll is a loader that asks for a key to decrypt a local file (data.dat) containing a hidden payload. Once decrypted, it executes the payload to …”

T1003.006 DCSync · 90%
“new local account and assigning it local administrative privileges. Soon after establishing the initial access, the malware deployed SystemBC. They then accessed the beachhead host via RDP using the newly created local account and executed discovery commands. At this stage, the t…”

T1021.002 SMB/Windows Admin Shares · 89%
“…2 Exfiltration Over Alternative Protocol - T1048 File and Directory Discovery - T1083 Group Policy Discovery - T1615 Lateral Tool Transfer - T1570 Local Account - T1087.001 Local Account - T1136.001 Local Groups - T1069.001 LSASS Memory - T1003.001 Malicious File - T1204.0…”

T1486 Data Encrypted for Impact · 88%
“…IP: 10.65.45[.]223 ¦ tgtport: 3389 ¦ proc: C:\Windows\SysWOW64\rundll32.exe The activity exposed the client names of the computers used by the threat actor. During the intrusion, the following client names were observed: DESKTOP-A1HRTMJ, DESKTOP-PGD76HT, DE…”

T1071.001 Web Protocols · 88%
“87[.]55. This IP was tracked by The DFIR Report Threat Intelligence group as an active SectopRAT C2 server from August 8th 2024 through November 23rd 2024. The rule "ET MALWARE Arechclient2 Backdoor/SectopRAT CnC Init" fired when network traffic to the destination port 156…”

T1486 Data Encrypted for Impact · 88%
“WinSCP to an FTP server hosted by a cloud provider in clear text. - The discovery of Grixba (a reconnaissance tool linked to Play ransomware), a previous NetScan output containing data from a company reportedly compromised by DragonForce ransomware, and the use of the Betruger …”

T1055.001 Dynamic-link Library Injection · 87%
“reconnaissance, privilege escalation, and credential harvesting. This extensive functionality suggests that Betruger was explicitly developed to streamline ransomware operations by reducing the number of distinct tools that need to be deployed on a compromised network during the …”

T1112 Modify Registry · 86%
“commonly deployed by RansomHub affiliates. This malware was designed with extensive metadata mimicking Avast antivirus, including legitimate-appearing product names, version numbers, and copyright information. The threat actors even used a filename convention ("aswavboottimes…”

T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol · 84%
“…filtration. We also discovered a WinSCP.ini configuration file used by the WinSCP application. The threat actor utilized WinSCP to perform data exfiltration, as detailed in the Exfiltration section of this report. This WinSCP configuration reveals that the threat actor configu…”

T1087.002 Domain Account · 83%
“connections, all of which triggered the Sigma rule 'Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location': sh.exe also wrote the following files, indicative of BloodHound/SharpHound execution. The writing of these files triggered …”

T1569.002 Service Execution · 81%
“55a5-4bb9-8c21-0b1fc84ea9e4: PsExec Remote Execution File Artifact 7c0dcd3d-acf8-4f71-9570-f448b0034f94: PsExec Service Child Process Execution as LOCAL SYSTEM 9a132afa-654e-11eb-ae93-0242ac130002: PUA - AdFind Suspicious Execution b447f7de-1e53-4cbf …”

T1055.001 Dynamic-link Library Injection · 81%
“parameter, the adversaries were able to execute malicious binaries with SYSTEM-level privileges, effectively escalating from their initial user-level access to the highest administrative privileges on the Windows system. Defense Evasion During the initial access malware execu…”

T1218.011 Rundll32 · 80%
“reconnaissance, privilege escalation, and credential harvesting. This extensive functionality suggests that Betruger was explicitly developed to streamline ransomware operations by reducing the number of distinct tools that need to be deployed on a compromised network during the …”

T1197 BITS Jobs · 80%
“3672-458e-b362-b3cedba992ba: Grixba Reconnaissance Tool Execution 97350071-6934-4d1e-863d-23b7f51fb17d: SharpHound Active Directory Enumeration Tool Execution Sigma Repo: 17d619c1-e020-4347-957e-1d1207455c93: Active Directory Replication from Non Machine…”

T1127.001 MSBuild · 78%
“…dll.dll's LdrLoadDll function, which can be used for DLL loading: The full initial access and execution chain is captured below: ccs.exe On day six, msbuild.exe wrote C:\Users\Public\Music\ccs.exe to disk. The ccs.exe binary was subsequently executed with msbu…”

T1059.001 PowerShell · 78%
“…a6a0f771ab20ce2037d2c4ef5783 ac0fcbc148e45e172c9be0acf9c307186f898803 aeaf7cc7364a44b381af9f317fe6f78c2717217800b93bee8839ab3e56233254 grb_net.exe 88df27b6e794e3fd5f93f28b1ca1d3d0 2114d655805f465d11b720830d150c145039bcd4 f8810179ab033a9b79cd7006c1a74fbcde6ed0451c92fbb8c7ce15…”

T1204.002 Malicious File · 77%
“on day six, multiple Windows event IDs 4776 (credential validation) were observed, indicating successful network authentication attempts against the beachhead system. The source workstation associated with these authentication events WIN-FLGU1CC210K had not been observed in a…”

T1210 Exploitation of Remote Services · 76%
“…2 Exfiltration Over Alternative Protocol - T1048 File and Directory Discovery - T1083 Group Policy Discovery - T1615 Lateral Tool Transfer - T1570 Local Account - T1087.001 Local Account - T1136.001 Local Groups - T1069.001 LSASS Memory - T1003.001 Malicious File - T1204.0…”

T1055.001 Dynamic-link Library Injection · 76%
“55a5-4bb9-8c21-0b1fc84ea9e4: PsExec Remote Execution File Artifact 7c0dcd3d-acf8-4f71-9570-f448b0034f94: PsExec Service Child Process Execution as LOCAL SYSTEM 9a132afa-654e-11eb-ae93-0242ac130002: PUA - AdFind Suspicious Execution b447f7de-1e53-4cbf …”

T1036.005 Match Legitimate Resource Name or Location · 76%
“parameter, the adversaries were able to execute malicious binaries with SYSTEM-level privileges, effectively escalating from their initial user-level access to the highest administrative privileges on the Windows system. Defense Evasion During the initial access malware execu…”

T1588.001 Malware · 74%
“WinSCP to an FTP server hosted by a cloud provider in clear text. - The discovery of Grixba (a reconnaissance tool linked to Play ransomware), a previous NetScan output containing data from a company reportedly compromised by DragonForce ransomware, and the use of the Betruger …”

T1021.001 Remote Desktop Protocol · 73%
“Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs Key Takeaways - The intrusion began when a user downloaded and executed a malicious file impersonating DeskSoft's …”

T1046 Network Service Discovery · 72%
“user enumeration, nltest for domain trust relationship analysis, and ping for network connectivity testing. The cmd.exe process spawned by Betruger also wrote several suspicious hidden files indicative of discovery in the user's Downloads directory, which was also the CurrentD…”

T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol · 72%
“. Based on the Wireshark capture below, the threat actor connected to an FTP server and began uploading the RAR files they created during data staging, starting with "MDTM ****it.part1.rar". The session shows them navigating directories using standard FTP commands (PWD, …”

T1486 Data Encrypted for Impact · 72%
“commonly deployed by RansomHub affiliates. This malware was designed with extensive metadata mimicking Avast antivirus, including legitimate-appearing product names, version numbers, and copyright information. The threat actors even used a filename convention ("aswavboottimes…”

T1059.001 PowerShell · 71%
“connections, all of which triggered the Sigma rule 'Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location': sh.exe also wrote the following files, indicative of BloodHound/SharpHound execution. The writing of these files triggered …”

T1048 Exfiltration Over Alternative Protocol · 71%
“…filtration. We also discovered a WinSCP.ini configuration file used by the WinSCP application. The threat actor utilized WinSCP to perform data exfiltration, as detailed in the Exfiltration section of this report. This WinSCP configuration reveals that the threat actor configu…”

T1080 Taint Shared Content · 71%
“WinSCP to an FTP server hosted by a cloud provider in clear text. - The discovery of Grixba (a reconnaissance tool linked to Play ransomware), a previous NetScan output containing data from a company reportedly compromised by DragonForce ransomware, and the use of the Betruger …”

T1003 OS Credential Dumping · 68%
“…RAT) with the following signature: Windows.Trojan.Arechclient2 SectopRAT is widely known to have information-stealing capabilities, which are on display in the strings from this particular dump. The strings reference scans for various services, including Steam, Discord, T…”

T1486 Data Encrypted for Impact · 65%
“. Based on the Wireshark capture below, the threat actor connected to an FTP server and began uploading the RAR files they created during data staging, starting with "MDTM ****it.part1.rar". The session shows them navigating directories using standard FTP commands (PWD, …”

T1018 Remote System Discovery · 65%
“…2 Exfiltration Over Alternative Protocol - T1048 File and Directory Discovery - T1083 Group Policy Discovery - T1615 Lateral Tool Transfer - T1570 Local Account - T1087.001 Local Account - T1136.001 Local Groups - T1069.001 LSASS Memory - T1003.001 Malicious File - T1204.0…”

T1219 Remote Access Tools · 61%
“organization's infrastructure and understood how to navigate between systems to access sensitive data efficiently. One notable document sought out and opened by the threat actor was an insurance policy document covering cyber intrusions. Where zipped files were found, these wer…”

T1055.001 Dynamic-link Library Injection · 58%
“…dll.dll's LdrLoadDll function, which can be used for DLL loading: The full initial access and execution chain is captured below: ccs.exe On day six, msbuild.exe wrote C:\Users\Public\Music\ccs.exe to disk. The ccs.exe binary was subsequently executed with msbu…”

T1055.001 Dynamic-link Library Injection · 57%
“unusual for it to be executed with no command-line arguments. Red Canary has previously observed this activity linked to the SectopRAT/ArechClient2, a .NET RAT tool, which also inspired the following threat hunting query, which would detect this activity. Process chains where…”

T1218 System Binary Proxy Execution · 57%
“55a5-4bb9-8c21-0b1fc84ea9e4: PsExec Remote Execution File Artifact 7c0dcd3d-acf8-4f71-9570-f448b0034f94: PsExec Service Child Process Execution as LOCAL SYSTEM 9a132afa-654e-11eb-ae93-0242ac130002: PUA - AdFind Suspicious Execution b447f7de-1e53-4cbf …”

T1027.015 Compression · 56%
“on day six, multiple Windows event IDs 4776 (credential validation) were observed, indicating successful network authentication attempts against the beachhead system. The source workstation associated with these authentication events WIN-FLGU1CC210K had not been observed in a…”

T1685 Disable or Modify Tools · 56%
“commonly deployed by RansomHub affiliates. This malware was designed with extensive metadata mimicking Avast antivirus, including legitimate-appearing product names, version numbers, and copyright information. The threat actors even used a filename convention ("aswavboottimes…”

T1059.001 PowerShell · 55%
“executable and archived specific file shares. They transferred the resulting archives to a U.S. based cloud host over unencrypted FTP using WinSCP. This enabled the retrieval of credentials, among other details, during traffic analysis. The threat actor also resumed discovery ac…”

T1021.002 SMB/Windows Admin Shares · 53%
“, 445 (SMB) and 3389 (RDP) across 46 IP addresses. During the NetScan execution on the domain controller, we observed the creation of a file called delete.me on the C$ share of the beachhead workstation, logged by event ID 5145. This activity has been previously observed re…”

T1036.005 Match Legitimate Resource Name or Location · 53%
“…ecutables bearing certificates from this entity. According to Cert Central lookup database, Brave Pragmatic Network Technology Co., Ltd. is a known malicious signer that has been observed signing SectopRAT samples, with certificates issued by GlobalSign GCC R45 EV CodeSigning C…”

T1021.006 Windows Remote Management · 52%
“authentication sequences. This specific logon pattern was likely facilitated by SystemBC malware's proxy capabilities, which enabled the threat actor to establish RDP connections through compromised systems. Notably, the Windows security event logs disclosed the host names of t…”

T1482 Domain Trust Discovery · 52%
“connections, all of which triggered the Sigma rule 'Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location': sh.exe also wrote the following files, indicative of BloodHound/SharpHound execution. The writing of these files triggered …”

T1204.002 Malicious File · 51%
“. Based on the Wireshark capture below, the threat actor connected to an FTP server and began uploading the RAR files they created during data staging, starting with "MDTM ****it.part1.rar". The session shows them navigating directories using standard FTP commands (PWD, …”

T1136.001 Local Account · 51%
“…t_dbg.lnk and placed it in the C:\Users\<redacted>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ directory. Through the creation of this startup entry, the threat actor successfully established a persistence mechanism with chromealt_d…”

T1047 Windows Management Instrumentation · 51%
“authentication sequences. This specific logon pattern was likely facilitated by SystemBC malware's proxy capabilities, which enabled the threat actor to establish RDP connections through compromised systems. Notably, the Windows security event logs disclosed the host names of t…”

T1210 Exploitation of Remote Services · 50%
“, 445 (SMB) and 3389 (RDP) across 46 IP addresses. During the NetScan execution on the domain controller, we observed the creation of a file called delete.me on the C$ share of the beachhead workstation, logged by event ID 5145. This activity has been previously observed re…”

T1486 Data Encrypted for Impact · 50%
“, 445 (SMB) and 3389 (RDP) across 46 IP addresses. During the NetScan execution on the domain controller, we observed the creation of a file called delete.me on the C$ share of the beachhead workstation, logged by event ID 5145. This activity has been previously observed re…”

T1204.002 Malicious File · 48%
“, including process injection, timestomping, disabling Microsoft Defender's protections, and deploying binaries with spoofed metadata to disguise themselves as legitimate cybersecurity tools such as SentinelOne and Avast antivirus. While no final actions were observed during th…”

T1080 Taint Shared Content · 47%
“, 445 (SMB) and 3389 (RDP) across 46 IP addresses. During the NetScan execution on the domain controller, we observed the creation of a file called delete.me on the C$ share of the beachhead workstation, logged by event ID 5145. This activity has been previously observed re…”

T1048 Exfiltration Over Alternative Protocol · 46%
“. Based on the Wireshark capture below, the threat actor connected to an FTP server and began uploading the RAR files they created during data staging, starting with "MDTM ****it.part1.rar". The session shows them navigating directories using standard FTP commands (PWD, …”

T1569.002 Service Execution · 46%
“config file, it's clear that the threat actors tweaked it to suit their needs, with a big focus on using PsExec to run scripts remotely. This setup enables them to deploy batch files, such as newuser.bat, openrdp.bat, and start.bat across the network. This opens the door to …”

T1021.006 Windows Remote Management · 45%
“executable and archived specific file shares. They transferred the resulting archives to a U.S. based cloud host over unencrypted FTP using WinSCP. This enabled the retrieval of credentials, among other details, during traffic analysis. The threat actor also resumed discovery ac…”

T1204.002 Malicious File · 45%
“://cwe.mitre.org/data/definitions/427.html) We discovered that this vulnerability applies to all software provided by DeskSoft. Execution EarthTime.exe The EarthTime.exe binary was executed from the Downloads folder. The parent process was explorer.exe, suggesting…”

T1080 Taint Shared Content · 45%
“, we identified multiple indicators linked to three distinct ransomware groups. The detailed attribution matrix is as follows. Timeline Diamond Model Indicators Atomic 45.141.87.55 - msbuild.exe C2 (SectopRAT) 149.28.101.219 - wakewordengine.dll / conhost.dll (SystemB…”

T1003 OS Credential Dumping · 44%
“this report, the file hash for the executable C:\Users\Public\Music\ccs.exe returned a direct match for the Betruger backdoor. According to research conducted by the Symantec team, this backdoor is multifunctional and includes modules designed for credential dumping. Th…”

T1080 Taint Shared Content · 44%
“…IP: 10.65.45[.]223 ¦ tgtport: 3389 ¦ proc: C:\Windows\SysWOW64\rundll32.exe The activity exposed the client names of the computers used by the threat actor. During the intrusion, the following client names were observed: DESKTOP-A1HRTMJ, DESKTOP-PGD76HT, DE…”

T1547.001 Registry Run Keys / Startup Folder · 44%
“…t_dbg.lnk and placed it in the C:\Users\<redacted>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ directory. Through the creation of this startup entry, the threat actor successfully established a persistence mechanism with chromealt_d…”

T1218 System Binary Proxy Execution · 43%
“…ecutables bearing certificates from this entity. According to Cert Central lookup database, Brave Pragmatic Network Technology Co., Ltd. is a known malicious signer that has been observed signing SectopRAT samples, with certificates issued by GlobalSign GCC R45 EV CodeSigning C…”

T1574 Hijack Execution Flow · 43%
“loader, a malware delivery mechanism that leverages legitimate remote management tools to deploy RATs like SectopRAT. This msbuild.exe process then wrote the malicious executable C:\Users\Public\Music\wakewordengine.dll. This file write event triggered the following Si…”

T1219 Remote Access Tools · 42%
“Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs Key Takeaways - The intrusion began when a user downloaded and executed a malicious file impersonating DeskSoft's …”

T1563.002 RDP Hijacking · 41%
“organization's infrastructure and understood how to navigate between systems to access sensitive data efficiently. One notable document sought out and opened by the threat actor was an insurance policy document covering cyber intrusions. Where zipped files were found, these wer…”

T1078 Valid Accounts · 41%
“Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs Key Takeaways - The intrusion began when a user downloaded and executed a malicious file impersonating DeskSoft's …”

T1021.002 SMB/Windows Admin Shares · 41%
“executable and archived specific file shares. They transferred the resulting archives to a U.S. based cloud host over unencrypted FTP using WinSCP. This enabled the retrieval of credentials, among other details, during traffic analysis. The threat actor also resumed discovery ac…”

T1218 System Binary Proxy Execution · 41%
“…dll.dll's LdrLoadDll function, which can be used for DLL loading: The full initial access and execution chain is captured below: ccs.exe On day six, msbuild.exe wrote C:\Users\Public\Music\ccs.exe to disk. The ccs.exe binary was subsequently executed with msbu…”

T1003 OS Credential Dumping · 41%
“win_systembc_auto ditekshen_malware_win_exepwsh_dlagent telekom_security_win_systembc_20220311 ext_mal_systembc_mar22_1 elastic_windows_trojan_systembc_c1b58c2f susp_xored_url_in_exe ditekshen_malware_win_arechclient2 elastic_wi…”

T1036.005 Match Legitimate Resource Name or Location · 39%
“…dll.dll's LdrLoadDll function, which can be used for DLL loading: The full initial access and execution chain is captured below: ccs.exe On day six, msbuild.exe wrote C:\Users\Public\Music\ccs.exe to disk. The ccs.exe binary was subsequently executed with msbu…”

T1021.001 Remote Desktop Protocol · 39%
“authentication sequences. This specific logon pattern was likely facilitated by SystemBC malware's proxy capabilities, which enabled the threat actor to establish RDP connections through compromised systems. Notably, the Windows security event logs disclosed the host names of t…”

T1127.001 MSBuild · 38%
“…ecutables bearing certificates from this entity. According to Cert Central lookup database, Brave Pragmatic Network Technology Co., Ltd. is a known malicious signer that has been observed signing SectopRAT samples, with certificates issued by GlobalSign GCC R45 EV CodeSigning C…”

T1566.004 Spearphishing Voice · 38%
“, including process injection, timestomping, disabling Microsoft Defender's protections, and deploying binaries with spoofed metadata to disguise themselves as legitimate cybersecurity tools such as SentinelOne and Avast antivirus. While no final actions were observed during th…”

T1218.004 InstallUtil · 37%
“…ecutables bearing certificates from this entity. According to Cert Central lookup database, Brave Pragmatic Network Technology Co., Ltd. is a known malicious signer that has been observed signing SectopRAT samples, with certificates issued by GlobalSign GCC R45 EV CodeSigning C…”

T1059.001 PowerShell · 37%
“New-Object System.Data.SqlClient.SqlConnection" $sqlconnection.connectionstring = \"Server = $sqlserver; Database = $sqldbname; Integrated Security = True\" $sqlcmd = New-Object System.Data.SqlClient.SqlCommand $sqlcmd.commandtext = $sqlquery $sqlcmd.co…”

T1569.002 Service Execution · 36%
“…7-a2d0-4ddc-aa0c-16c17236d962: HackTool - BloodHound/SharpHound Execution 611eab06-a145-4dfa-a295-3ccc5c20f59a: Mimikatz DC Sync 7b434893-c57d-4f41-908d-6a17bf1ae98f: Network Connection Initiated From Process Located In Potentially Suspicious Or Unc…”

T1036.005 Match Legitimate Resource Name or Location · 34%
“://cwe.mitre.org/data/definitions/427.html) We discovered that this vulnerability applies to all software provided by DeskSoft. Execution EarthTime.exe The EarthTime.exe binary was executed from the Downloads folder. The parent process was explorer.exe, suggesting…”

T1018 Remote System Discovery · 33%
“1,373 DNS A record queries to enumerate internal domain hosts and establishing 145 network connections. These connections primarily targeted port 135 (Microsoft RPC) and port 389 (LDAP) for service enumeration, along with ephemeral ports in the range 49666-51508. Following…”

T1572 Protocol Tunneling · 32%
“55 ¦ tgtport: 9000 ¦ proc: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SystemBC Shortly after the command-and-control (C2) channel was established via the SectopRAT malware, a new file named wakewordengine.dll (also observed later in the int…”

T1587.001 Malware · 32%
“WinSCP to an FTP server hosted by a cloud provider in clear text. - The discovery of Grixba (a reconnaissance tool linked to Play ransomware), a previous NetScan output containing data from a company reportedly compromised by DragonForce ransomware, and the use of the Betruger …”

T1136 Create Account · 31%
“…t_dbg.lnk and placed it in the C:\Users\<redacted>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ directory. Through the creation of this startup entry, the threat actor successfully established a persistence mechanism with chromealt_d…”

T1087.002 Domain Account · 30%
“1,373 DNS A record queries to enumerate internal domain hosts and establishing 145 network connections. These connections primarily targeted port 135 (Microsoft RPC) and port 389 (LDAP) for service enumeration, along with ephemeral ports in the range 49666-51508. Following…”

Summary

Key Takeaways

Private Threat Briefs: 20+ private DFIR reports annually.

Table of Contents: Case Summary · Analysts · Initial Access · Execution · Persistence · Privilege Escalation · Defense Evasion · Credential Access · Discovery · Lateral Movement · Collection · Command and Control · Exfiltration · Impact · Timeline · Diamond Model · Indicators · Detections · MITRE ATT&CK

Case Summary: The intrusion began in […]

The post Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs appeared first on The DFIR Report.