Operation ‘Harvest’: A Deep Dive into a Long-term Campaign


A special thanks to our Professional Services' IR team, ShadowServer for historical context on C2 domains, and Thomas Roccia/Leandro Velasco for malware analysis support.

Executive Summary

Following a recent Incident Response, McAfee Enterprise's Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack.

From a cyber-intelligence perspective, one of the biggest challenges is having information on the tactics, techniques, and procedures (TTPs) an adversary is using and then keeping that information up to date. Within ATR we typically monitor many adversaries for years and collect and store data, ranging from indicators of compromise (IOCs) to the TTPs.

In this report, ATR provides a deep insight into this long-term campaign, mapping our findings against the Enterprise MITRE ATT&CK model. Some parts are censored since we respect the confidentiality of the victim. We will also zoom in and look at how the translation to MITRE techniques, historical context, and evidence artifacts like PlugX and Winnti malware led to a link with another campaign, which we assess with high confidence to have been executed by the same adversary.

IOCs that could be shared are at the end of this document.

McAfee customers are protected from the malware/tools described in this blog. MVISION Insights customers will have the full details, IOCs and TTPs shared via their dashboard. MVISION Endpoint, EDR and UCE platforms provide signature- and behavior-based prevention and detection capability for many of the techniques used in this attack. A more detailed blog with specific recommendations on using the McAfee portfolio and integrated partner solutions to defend against this attack can be found here.

Technical Analysis

Initial Infection Vectors [TA0001]

Forensic investigation identified that the actor established initial access by compromising the victim's web server [T1190]. On the web server, software was installed to maintain presence and to stage tools [T1105] that would later be used to gather information about the victim's network [T1083] and for lateral movement/execution of files [T1570] [T1569.002]. Examples of the tools discovered are PsExec, Procdump, and Mimikatz.

Privilege Escalation and Persistence [TA0004] [TA0003]

The adversary was observed using multiple privilege escalation and persistence techniques during the period of investigation and presence in the network. We will highlight a few in each category.

Besides the use of Mimikatz to dump credentials, the adversaries used two tools for privilege escalation [T1068]. One of the tools was "RottenPotato". This is an open-source tool used to obtain a handle to a privileged token, for example "NT AUTHORITY\SYSTEM", in order to execute tasks with System rights.

Example of RottenPotato elevating these rights:

Figure 1 RottenPotato

The second tool discovered, "BadPotato", is another open-source tool that can be used to elevate user rights to System rights.

Figure 2 BadPotato

The BadPotato code can be found on GitHub, where it is offered as a Visual Studio project. We inspected the adversary's compiled version using dotPeek and hunted for artifacts in the code. Inspecting the File (COFF) header, we observed the file's compilation timestamp:

TimeDateStamp: 05/12/2020 08:23:47  – Date and time the image was created

A PE compile timestamp is trivial to forge, so we treat it as supporting context rather than proof; it is one of the timestamps we revisit with deception in mind in the timeline analysis later in this report.

PlugX

Another major and characteristic persistence mechanism the adversary used in this long-term campaign was the PlugX malware as a backdoor. PlugX uses the technique "DLL Side-Loading" [T1574.002]. PlugX was observed in its usual form, where a single (RAR) executable contained the three components:

  • Valid executable.
  • Associated DLL with the hook towards the payload.
  • Payload file with the config to communicate with the Command & Control server (C2).

The adversary used either the standalone version or distributed the three files to different assets in the network to gain remote control of those assets. The samples discovered and analyzed were communicating with two domains. Both domains were registered during the time of the campaign.

One of the PlugX samples consisted of the following three components:

Filename          SHA256
HPCustPartic.exe  8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6
HPCustPartUI.dll  0ee5b19ea38bb52d8ba4c7f05fa1ddf95a4f9c2c93b05aa887c5854653248560
HPCustPartic.bin  008f7b98c2453507c45dacd4a7a7c1b372b5fafc9945db214c622c8d21d29775

The .exe file is a valid and signed executable, in this case from HP (HP Customer Participation). We also observed other valid executables being used, ranging from AV vendors to video software. When the executable is run, the DLL next to it is loaded. The DLL is valid but contains a small hook towards the payload which, in our case, is the .bin file. The DLL loads the PlugX config and injects it into a process.

We executed the samples in a test setup and dumped the memory of the machine to conduct memory analysis with Volatility. After the basic forensically sound steps, we ran the malfind plugin to detect potentially injected code in a process. From the redacted output of the plugin, we observed the following values for the processes with potentially injected code:

Process: svchost.exe Pid: 860 Address: 0xb50000
Process: explorer.exe Pid: 2752 Address: 0x56a000
Process: svchost.exe Pid: 1176 Address: 0x80000
Process: svchost.exe Pid: 1176 Address: 0x190000
Process: rundll32.exe Pid: 3784 Address: 0xd0000
Process: rundll32.exe Pid: 3784 Address: 0x220000

One observation is that the SVCHOST process with ProcessID 1176 is listed twice, with different addresses. The same applies to RUNDLL32.exe with PID 3784, also listed twice with different addresses. One way to identify what malware may have been used is to dump these processes by PID using the procdump plugin, upload them to an online analysis service and wait for the results. Since this is a very sensitive case, we took a different approach. Using the best of both worlds (Volatility and YARA), we used a ruleset consisting of malware patterns observed in memory over time. Running this ruleset over the data in the memory dump revealed the following (redacted for the sake of clarity) output:

Figure 3 Output Yarascan memory dump

The output of the YARA rule scan (and there was much more output) confirmed the presence of PlugX module code in PID 1176 of the SVCHOST service. The rule was also triggered on PID 3784, which belonged to RUNDLL32.exe.

Investigating the dumps after dynamic analysis, we observed two domains used for C2 traffic:

  • sery.brushupdata.com
  • dnssery.brushupdata.com

Specifically, we observed the following hardcoded value that may be another payload being downloaded:

sery.brushupdata.com/CE1BC21B4340FEC2B8663B69

The PlugX families we observed used both HTTP [T1071.001] and DNS [T1071.004] as transport channels for C2 traffic; on the DNS side, specifically TXT queries. Investigating the HTTP traffic from our samples, we observed the check-in signature ("20 2A 2F 2A 0D", the bytes " */*\r" closing the Accept header) that is typical for PlugX network traffic. The request below is the HTTP GET of one check-in (the ASCII column is added for readability):

00000000:  47 45 54 20 2F 42 34 42 42 44 43 43 30 32 39 45   GET /B4BBDCC029E
00000010:  31 31 39 37 31 39 46 30 36 35 36 32 32 20 48 54   119719F065622 HT
00000020:  54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20   TP/1.1..Accept:
00000030:  2A 2F 2A 0D 0A 43 6F 6F 6B 69 65 3A 20 44 36 43   */*..Cookie: D6C
00000040:  57 50 2B 56 5A 47 6D 59 6B 6D 64 6D 64 64 58 55   WP+VZGmYkmdmddXU
00000050:  71 58 4D 31 71 31 6A 41 3D 0D 0A 55 73 65 72 2D   qXM1q1jA=..User-

During our analysis of the different PlugX samples discovered, the domains mentioned above stayed the same, although the payload values differed. For example:

  • hxxp://sery.brushupdata.com/B4BBDCC029E119719F065622
  • hxxp://sery.brushupdata.com/07FDB1B97D22EE6AF2482B1B
  • hxxp://sery.brushupdata.com/273CDC0B9C6218BC1187556D

Other PlugX samples we observed injected themselves into Windows Media Player and started a connection with the following two domains:

  • heart.asmlbigip.com
  • sec.asmlbigip.com

Hello Winnti

Another mechanism observed was to start a program as a service [T1543.003] on the operating system with the System rights acquired through the *Potato tools. The file the adversary was using appeared to be a backdoor in DLL format (MD5 2458562ca2f6fabddae8385cb817c172).

The DLL is used to create a malicious service and is named "service.dll". The name of the created service, "SysmainUpdate", usurps the name of the legitimate service "SysMain", which is related to the legitimate DLL sysmain.dll and to the Superfetch service. The DLL is run using the command "rundll32.exe SuperFrtch.dll, #1". The export function has the name "WwanSvcMain".

The sample uses the persistence technique of hosting service.dll in svchost.exe to install a rogue service. The DLL employs several mechanisms to fingerprint the targeted system and to avoid analysis in a sandbox, making analysis harder. It embeds several obfuscated strings that are decoded at runtime. Once the fingerprinting has completed, the malware installs the malicious service using the API RegisterServiceCtrlHandlerA, then SetServiceStatus, and finally CreateEventA. A description of the process can be found here.
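The rogue-service pattern above (a svchost-hosted service whose name borrows from a legitimate one and whose DLL lives outside System32) is something to hunt for across a fleet. The Python below is an added example, not code from the original post or from the investigation: the service records are constructed to resemble HKLM\SYSTEM\CurrentControlSet\Services entries, and the ServiceDll path given for "SysmainUpdate" is an assumption for the example, not an artifact from the case.

```python
import re
from pathlib import PureWindowsPath

# Constructed records shaped like Services\<name> registry entries (ImagePath and
# Parameters\ServiceDll). The SysmainUpdate DLL path is an assumption for this example.
SERVICES = [
    {"name": "SysMain",
     "image_path": r"C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p",
     "service_dll": r"C:\Windows\system32\sysmain.dll"},
    {"name": "WwanSvc",
     "image_path": r"C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted",
     "service_dll": r"C:\Windows\System32\wwansvc.dll"},
    {"name": "SysmainUpdate",
     "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "service_dll": r"C:\ProgramData\Microsoft\Windows\SuperfRtch\service.dll"},
]

# Short allow-list of legitimate service names a rogue service might try to blend in with.
KNOWN_SERVICE_NAMES = {"SysMain", "WwanSvc", "Schedule", "EventLog", "Dnscache"}


def is_svchost_hosted(image_path: str) -> bool:
    """True when the ImagePath launches svchost.exe (optionally followed by -k arguments)."""
    return re.search(r"\\svchost\.exe(\s|$)", image_path, re.IGNORECASE) is not None


def lookalike_of(name: str, known=KNOWN_SERVICE_NAMES):
    """Return the legitimate name embedded in `name` (e.g. 'SysMain' in 'SysmainUpdate'),
    or None if `name` is itself a known service or shares nothing with one."""
    lowered = name.lower()
    if lowered in {k.lower() for k in known}:
        return None
    for legit in known:
        if legit.lower() in lowered:
            return legit
    return None


def dll_outside_system32(path: str) -> bool:
    """True unless the (already expanded) path sits directly under C:\\Windows\\System32."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return parts[:3] != ["c:\\", "windows", "system32"]


def audit(services, known=KNOWN_SERVICE_NAMES):
    """Findings for svchost-hosted services whose name or DLL location looks wrong."""
    findings = []
    for svc in services:
        if not is_svchost_hosted(svc["image_path"]):
            continue
        reasons = []
        legit = lookalike_of(svc["name"], known)
        if legit:
            reasons.append(f"name mimics {legit}")
        if dll_outside_system32(svc["service_dll"]):
            reasons.append("ServiceDll outside System32")
        if reasons:
            findings.append({"name": svc["name"], "service_dll": svc["service_dll"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SERVICES):
        print(finding)
```

On a real host the records would come from the registry (or an EDR service inventory) with %SystemRoot% already expanded; the name check deliberately stays simple, since the point is to surface near-duplicates of names an analyst will recognise rather than to score string similarity.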

The malware also decrypts and injects the payload in memory. The following screenshot shows the decryption routine.

Figure 4 Decryption routine

When we analyzed this unique routine, we discovered similarities with, and a mention of it in, a publication that can be read here. The malware described in that article is attributed to the Winnti malware family. The working method and the code used in the DLL described in the article are very similar to our analysis and observations.

The process dump also revealed further indicators. Firstly, it revealed artifacts related to the DLL analyzed: "C:\ProgramData\Microsoft\Windows\SuperfRtch\SuperfRtch.dat". We believe that this .dat file might be the loaded payload.

Secondly, while investigating the process dump, we observed activity from the backdoor that was part of the data exfiltration attempts, which we describe in more detail later in this report.

A redacted snippet of the output would look like this:

Creating archive ***.rar
Adding   [data from location]
  0%
  OK

Another indicator of Winnti malware was the following execution path we discovered in the command-line dump of the memory:

cmd /c klcsngtgui.exe 1560413F7E <abbreviation-victim>.dat

What we observed here was the use of a valid executable, followed by the AES-256 decryption key for the payload (.dat file). In this case, the payload file was named using an abbreviation of the victim company's name. Unfortunately, the adversary had removed the payload file from the system. File carving did not work since the disk/unallocated space had been overwritten. However, reconstructing traces from memory revealed that we were dealing with the Winnti 4.0 malware. The malware was injected into a SVCHOST process where a driver location pointed to the config file. In the process dump we observed the exfiltration of data about the system, such as OS, processor (architecture), domain, username, etc.

Another clue that helped us was the use of DNS tunneling by Winnti, of which we discovered traces in memory. The hardcoded address 208.67.222.222 is a legitimate OpenDNS resolver. The IP is pushed into the resolver list generated by the malware at runtime. At start-up, the malware populates the list with the system's DNS servers, and the OpenDNS server is only used as a backup to ensure that the C2 domain is resolved.

Another indicator in the process dump was the setup of the C2 connection, including the User-Agent that has been observed being used by Winnti 4.0 malware:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Other Persistence Activities

WMI activity [T1546.003] was also observed being used to execute commands on the systems.

From a persistence perspective, scheduled tasks [T1053.005] and the use of valid accounts [T1078], obtained through Mimikatz or by creating LSASS dumps, were observed throughout the length of the campaign.

Lateral Movement

From a lateral movement perspective, the adversary used the obtained credentials to hop from asset to asset. In one particular case, we observed a familiar filename: "PsExec.exe". This Sysinternals tool is often observed being used for lateral movement by adversaries; however, it is also used by the sysadmins of the network. In our case, the PsExec executable had a file size of 9.6 MB, whereas the original PsExec (depending on the 32- or 64-bit version) has a maximum file size of about 1.3 MB. An initial static inspection of the file revealed a blob of data in the executable with a very high entropy score (7.99). When running the file from the command line, the following output was observed:

Figure 5 PsExec output

The error notification and the 'Impacket' keyword tipped us off and, after digging around, we found more. The fake PsExec is a compiled open-source Python script that is a PsExec alternative with shell/backdoor capability. It uses the script from this location: hxxps://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py. The file is large because it contains the low-level protocol implementation from Impacket. The Python library combined with the script code is compiled with py2exe. The file was compiled during the time of the latest attack activity and signed with an expired certificate.
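The three observations that exposed the fake PsExec (size far above the genuine binary, a high-entropy blob, Impacket strings) are easy to turn into a triage check. The Python below is an added example, not code from the original post or from McAfee: the sample file is constructed (a low-entropy header, an "Impacket" string and a seeded pseudo-random blob standing in for the packed Python payload), the 1.3 MB size ceiling is taken from the text, and "PYTHONSCRIPT" as the resource name py2exe uses for the frozen script is an assumption for this example rather than an observation from the case.

```python
import math
import random
from collections import Counter

GENUINE_PSEXEC_MAX_BYTES = 1_300_000   # from the text: a genuine PsExec is at most ~1.3 MB
# "impacket" is the keyword from the page; "pythonscript" is the py2exe resource name
# (assumption for this example). Matching is done on lower-cased bytes.
MARKERS = (b"impacket", b"pythonscript")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 8192, threshold: float = 7.8):
    """(offset, entropy) for each fixed-size window at or above the threshold;
    packed or encrypted payloads show up as long runs of such windows."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 3)))
    return hits


def triage_psexec(data: bytes) -> dict:
    """Combine the three observations from the text: oversized, packed blob, Impacket strings."""
    lowered = data.lower()
    windows = high_entropy_windows(data)
    markers = [m.decode() for m in MARKERS if m in lowered]
    oversized = len(data) > GENUINE_PSEXEC_MAX_BYTES
    return {
        "size": len(data),
        "oversized": oversized,
        "high_entropy_windows": len(windows),
        "markers": markers,
        "suspicious": oversized and (bool(windows) or bool(markers)),
    }


def constructed_sample(blob_size: int = 2_000_000, seed: int = 7) -> bytes:
    """Constructed stand-in for the 9.6 MB file: 4 KB low-entropy header, an Impacket
    version string, then a seeded pseudo-random blob standing in for the packed payload."""
    header = b"MZ" + bytes(4094)
    return header + b"Impacket v0.9.22\x00" + random.Random(seed).randbytes(blob_size)


if __name__ == "__main__":
    print(triage_psexec(constructed_sample()))
```

The size check alone would miss a trimmed build and the entropy check alone fires on any signed, compressed installer, which is why the verdict requires the size anomaly plus at least one of the other two signals; in practice you would run the same function over every PsExec.exe found on file shares and web roots.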

Data Exfiltration

From what we observed, the adversary had a long-term intention to stay present in the victim's network. With high confidence, we believe that the adversary was interested in stealing proprietary intelligence that could be used for military or intellectual property/manufacturing purposes.

The adversary used multiple techniques to exfiltrate the data. In some cases, batch (.bat) scripts were created to gather information from certain network shares/folders and to use the 'rar' tool to compress it into volumes of a fixed size [T1020] [T1030]. Example of content in a batch script:

C:\Windows\web\rar.exe a -[redacted] -r -v50000 [Target-directory]

Here 'a' adds to an archive, '-r' recurses into subdirectories and '-v50000' splits the output into volumes of 50000 KB (roughly 50 MB each), which keeps individual transfers small enough to blend in. On other occasions, manual variants of the above command were discovered after use of the custom backdoor described earlier.

When the data was gathered on a local system using the backdoor, the files were exfiltrated over the backdoor and the rar files were deleted afterwards [T1070.004]. Where externally facing assets were used, like a web server, the data was stored in a location on the Internet Information Services (IIS) web server and exfiltrated over HTTP using GET requests towards the specific file paths [T1041] [T1567] [T1071].

An example of the [redacted] web traffic in the IIS logfiles:

Date/Time   Request                    Port   Source IP     User-Agent
Redacted    GET /****/[redacted].rar   80     180.50.*.*    MINIXL
Redacted    GET /****/[redacted].rar   80     209.58.*.*    MINIXL

The source IP addresses discovered belonged to two different ISP/VPN providers based in Hong Kong.

The User-Agent value is an interesting one: "MINIXL". When we researched that value, we discovered a blog from Dell SecureWorks from 2015 that mentions the same User-Agent; a lot of the other artifacts mentioned in that blog also overlapped with the observations and TTPs of Operation Harvest [link].

What we could retrieve from open-source databases is that the use of this particular User-Agent is very limited and seems to originate from the APAC region.
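The IIS log entries above are the kind of thing a parser should surface on its own: archive downloads from a web root, served to a user agent the server has barely seen before. The Python below is an added example, not code from the original post or from the investigation. The W3C-format log excerpt is constructed for this example (the page only shows the 180.50.*.* and 209.58.*.* ranges, so the full client IPs, paths, times and byte counts are made up), and the "rare user agent" threshold is a tunable assumption.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed W3C-format IIS log excerpt modelled on the table above. Client IPs, paths,
# times and byte counts are made up; only the MINIXL user agent and the .rar pattern
# come from the page.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2021-02-15 02:13:07 10.0.0.5 GET /images/logo.png - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/88.0 200 14022
2021-02-15 02:14:31 10.0.0.5 GET /aspnet_client/part1.rar - 80 - 180.50.10.20 MINIXL 200 51200000
2021-02-15 02:19:52 10.0.0.5 GET /aspnet_client/part2.rar - 80 - 209.58.30.40 MINIXL 200 51200000
2021-02-15 02:20:10 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/88.0 200 5210
2021-02-15 02:21:44 10.0.0.5 GET /index.html - 80 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/88.0 200 5210
"""

ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z", ".r00", ".r01")


def parse_w3c(text: str):
    """Yield one dict per log line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue            # truncated or malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        # IIS writes spaces in the user agent as '+' and percent-encodes other characters.
        rec["cs(User-Agent)"] = unquote(rec["cs(User-Agent)"]).replace("+", " ")
        yield rec


def flag_exfil(records, rare_ua_max=2):
    """Flag GETs for archive files and requests from user agents seen at most `rare_ua_max`
    times in the log; each hit carries the reasons so an analyst can triage quickly."""
    records = list(records)
    ua_counts = Counter(r["cs(User-Agent)"] for r in records)
    flagged = []
    for r in records:
        reasons = []
        if r["cs-method"] == "GET" and r["cs-uri-stem"].lower().endswith(ARCHIVE_EXTENSIONS):
            reasons.append("archive download")
        if ua_counts[r["cs(User-Agent)"]] <= rare_ua_max:
            reasons.append("rare user-agent")
        if reasons:
            flagged.append({"time": f'{r["date"]} {r["time"]}', "client": r["c-ip"],
                            "uri": r["cs-uri-stem"], "ua": r["cs(User-Agent)"],
                            "bytes": int(r["sc-bytes"]), "reasons": reasons})
    return flagged


def exfil_summary(flagged):
    """Total bytes served and distinct client IPs across the flagged requests."""
    return {"bytes": sum(f["bytes"] for f in flagged),
            "clients": sorted({f["client"] for f in flagged})}


if __name__ == "__main__":
    hits = flag_exfil(parse_w3c(IIS_LOG))
    for h in hits:
        print(h)
    print(exfil_summary(hits))
```

Summing sc-bytes over the flagged requests gives a first estimate of how much left the server, which is often the number the incident lead needs before the full scope is known.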

Who did it?

That seems to be the million-dollar question. Within McAfee, attribution is not our main focus; protecting our customers is our priority. What we do care about is this: if we learn these techniques during an investigation, can we map them out and support our IR team on the ground, or a customer's IR team, with information that helps determine which phase of the attack the evidence points to, and, based on historical data and intelligence, assist in blocking the next phase and discovering more evidence?

We started by mapping out all MITRE ATT&CK Enterprise techniques and sub-techniques, added the tools used, and compared them against historical technique data from the industry. We ended up with four groups that shared techniques and sub-techniques. The Winnti group was added by us since we discovered the unique encryption function in the custom backdoor and indicators of the use of the Winnti malware.

Figure 6 ATT&CK technique comparison

The diagram reflecting our result suggested that APT27 and APT41 are the most likely candidates overlapping with the (sub-)techniques we observed.

Since all of these groups operate from a particular time zone, we extracted all timestamps from the forensic investigation with regard to:

  • Registration of domains
  • Compile timestamps of malware (considering deception)
  • Timestamps of command-line activity
  • Timestamps of data exfiltration
  • Timestamps of malware interaction such as creation, deletion, etc.

When we converted all these timestamps from UTC to the aforementioned groups' time zones, we ended up with the below scheme of activity:

Figure 7 Adversary's time of operation

In this campaign, we observed that the adversary mostly seems to work from Monday to Thursday and typically during office hours, albeit with the occasional exception.
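The time-zone analysis above amounts to converting every timestamp into each candidate zone and asking which zone makes the activity look most like a working week. The Python below is an added example, not code from the original post or from McAfee, and goes slightly beyond the text by scoring several candidate zones side by side. The event timestamps are constructed (the investigation's timeline is not published) and the fixed offsets are a simplification: a real analysis should use tzdata so that zones with daylight-saving time are handled correctly.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Candidate zones as fixed offsets (assumption for the example; use zoneinfo/tzdata for
# zones with DST). UTC+8 covers Beijing; the other two are foils for comparison.
ZONES = {
    "UTC+8": timezone(timedelta(hours=8)),
    "UTC": timezone.utc,
    "UTC-5": timezone(timedelta(hours=-5)),
}

# Constructed UTC timestamps standing in for the forensic timeline (domain registration,
# compile times, command lines, exfiltration). 2020-12-07 is a Monday.
EVENTS_UTC = [
    "2020-12-07T01:15:00",  # Mon 09:15 in UTC+8
    "2020-12-07T06:40:00",  # Mon 14:40
    "2020-12-08T02:05:00",  # Tue 10:05
    "2020-12-09T08:30:00",  # Wed 16:30
    "2020-12-10T03:20:00",  # Thu 11:20
    "2020-12-10T07:55:00",  # Thu 15:55
    "2020-12-12T02:00:00",  # Sat 10:00, the occasional weekend exception
    "2020-12-14T23:30:00",  # Tue 07:30, before office hours
]


def to_local(ts_utc: str, tz) -> datetime:
    """Interpret an ISO timestamp as UTC and convert it into the candidate zone."""
    return datetime.fromisoformat(ts_utc).replace(tzinfo=timezone.utc).astimezone(tz)


def activity_profile(events, tz):
    """Counter of (weekday, hour) in the candidate zone; weekday 0 is Monday.
    Plotting this as a heatmap gives the kind of figure shown above."""
    return Counter((d.weekday(), d.hour) for d in (to_local(e, tz) for e in events))


def office_hours_ratio(events, tz, start=9, end=18, workdays=range(0, 5)):
    """Share of events that fall on a workday between `start` and `end` local time."""
    local = [to_local(e, tz) for e in events]
    hits = sum(1 for d in local if d.weekday() in workdays and start <= d.hour < end)
    return hits / len(local)


def compare_zones(events, zones=ZONES):
    """Office-hours share per candidate zone, rounded for reporting."""
    return {name: round(office_hours_ratio(events, tz), 2) for name, tz in zones.items()}


def best_fit(events, zones=ZONES) -> str:
    """The zone in which the activity looks most like a working week."""
    scores = compare_zones(events, zones)
    return max(scores, key=scores.get)


if __name__ == "__main__":
    print(compare_zones(EVENTS_UTC))
    print("best fit:", best_fit(EVENTS_UTC))
```

Compile timestamps should be weighted cautiously in this calculation, since they are the one class of timestamp the adversary controls outright; command-line and exfiltration times come from the victim's own systems and are much harder to fake after the fact.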

Correlating ATT&CK (sub-)techniques, timestamps, and tools like PlugX and Mimikatz are not the only evidence indicators that can help to identify a possible adversary. Command-line syntax, specific code similarity, actor capability over time versus other groups, and unique identifiers sit at the top of the 'pyramid of pain' in threat intelligence. The bottom of the pyramid is about hashes, URLs, and domains: indicators that are very volatile and easy for an adversary to change.

Figure 8 Pyramid of Pain

Beyond investigating these artifacts, we also took potential geopolitical interests and potential deception into consideration when building our hypothesis. When we mapped all of this out, we believed that one of the two previously mentioned groups was responsible for the campaign we investigated.

Our focus was not on attribution though, but rather on what the flow of the attack is, how it matches earlier attack flows from known groups, and which techniques/tools they use, so that next steps can be blocked or traces of them located. The more details we can gather at the top of 'the pyramid of pain', the better we can determine the probable adversary and its TTPs.

That's all Folks!

Well, not really. While correlating the observed (sub-)techniques, the malware families and code, we discovered another targeted attack against a similar target in the same country with the main motivation of gathering intelligence. In the following diagram we performed a high-level comparison of the tools used by the adversary:

Figure 9 Tools comparison

Although some of the tools are unique to each campaign, it makes sense when viewed over time against when they were used. It demonstrates the development of the actor and the use of newer tools to conduct lateral movement and to obtain the required level of user rights on systems.

Overall, we observed the same modus operandi. Once an initial foothold was established, the adversary would first deploy PlugX to create a few backdoors in the victim's network in case they were discovered early on. After that, using Mimikatz and dumping lsass, they were looking to obtain valid accounts. Once valid accounts were acquired, multiple tools, including some of their own, were used to gather information about the victim's network. From there, multiple shares/servers were accessed and information gathered. That information was exfiltrated as rar files placed on an internet-facing server to hide in the 'normal' traffic. We represent that in the following graphic:

Figure 10 Attack flow

In the 2019/2020 case we also observed the use of a malware sample that we would classify as part of the Winnti malware family. We discovered a couple of files that were executed by the following command:

Start Ins64.exe E370AA8DA0 Jumper64.dat

The Winnti loader 'Ins64.exe' uses the value 'E370AA8DA0' to decrypt the payload from the .dat file using AES-256-CTR and then starts executing it.

After executing this command and analyzing the memory, we observed a process injection into one of the svchost processes, whereby one particular file was loaded from the following path:

C:\programdata\microsoft\windows\caches\ieupdate.dll

Figure 11 Memory capture

The malware then opened both a UDP and a TCP port to connect with a C2 server:

UDP Port 20502

TCP Port 20501

Figure 12 Network connections to C2

Capturing the traffic from the malware, we observed the following, for example:

Figure 13 Winnti HTTP traffic to C2

The packet data was customized and sent by a POST request with multiple headers towards the C2. In the above screenshot the numbers after "POST /" were randomly generated.

The User-Agent is a good network indicator to identify the Winnti malware since it is used in multiple variants:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

A User-Agent of the same form, differing only in the Chrome version (57.0.2987.133), was discovered in the Winnti sample in Operation Harvest, and it seems to be typical for this malware family.

The cookie value consists of four Dword hex values that carry information about the customized packet size, encoded with a XOR value.

We learned more about the packet structure of Winnti from this link.

Applying what we learned about the handshake, we observed the following Dword values in our traffic sample (the capture lists five values, one more than the four cookie Dwords described above):

Dword value 0 = 52 54 00 36

Dword value 1 = 3e ff 06 b2

Dword value 2 = 99 6d 78 fe

Dword value 3 = 08 00 45 00

Dword value 4 = 00 34 00 47

Initial handshake order:

Based on our cross-correlation with samples and other OSINT sources, we believe with high confidence that this was a Winnti 4.0 sample that connects to a confirmed Winnti C2 server.

The identified C2 server was 185.161.211.97 TCP/80.

Timeline of Events

When analyzing the timestamps from this investigation, as we did for Operation Harvest, we came to the below overview:

Figure 14 Beijing working hours case 2019/2020

Again, we observed that the adversary was working Monday to Friday during office hours in the Beijing time zone.

Conclusion

Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data. The exfiltrated data would either have been part of intellectual property theft for economic purposes and/or would have provided insights that would be helpful in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack, but also used unique new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlating them with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor.

After mapping out all data, TTPs, etc., we discovered a very strong overlap with a campaign observed in 2019/2020. A lot of the (in-depth) technical indicators and techniques match. Put into perspective over time, it also demonstrates that the adversary is adapting its skills and evolving the tools and techniques being used.

On a separate note, we observed the use of the Winnti malware. We deliberately use the term 'malware' rather than 'group'. The Winnti malware is known to be used by multiple actors. Within every nation-state cyber-offensive activity, there will be a department/unit responsible for the creation of the tools/malware, etc. We strongly believe that is exactly what we observe here as well. PlugX, Winnti and some other custom tools all point to a group that had access to the same tools. Whether we put name 'X' or 'Y' on the adversary, we strongly believe that we are dealing with a Chinese actor whose long-term objectives are persistence in their victims' networks and the acquisition of the intelligence needed to make political/strategic or manufacturing decisions.

 

MITRE ATT&CK Techniques

Technique ID | Technique Name | Context in campaign
T1190 | Exploit Public-Facing Application | Adversary exploited an application on the web-facing server
T1105 | Ingress Tool Transfer | Tools were transferred to the compromised web-facing server
T1083 | File and Directory Discovery | Adversary browsed multiple locations to search for the data they were after
T1570 | Lateral Tool Transfer | Adversary transferred tools/backdoors to maintain persistence
T1569.002 | System Services: Service Execution | Adversary installed a custom backdoor as a service
T1068 | Exploitation for Privilege Escalation | Adversary used RottenPotato/BadPotato to elevate user rights by abusing API calls in the operating system
T1574.002 | Hijack Execution Flow: DLL Side-Loading | Adversary used PlugX malware, well known for DLL side-loading via a valid executable and a DLL with the hook towards a payload file
T1543.003 | Create or Modify System Process: Windows Service | Adversary launched a backdoor and some tools as a Windows service, including the addition of registry keys
T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | WMI was used to run commands on remote systems
T1053.005 | Scheduled Task/Job: Scheduled Task | Adversary ran scheduled tasks for persistence of certain malware samples
T1078 | Valid Accounts | Using Mimikatz and dumping of lsass, the adversary gained credentials in the network
T1020 | Automated Exfiltration | The PlugX malware exfiltrated data towards a C2 and received commands to gather more information about the victim's compromised host
T1030 | Data Transfer Size Limits | Adversary limited the size of the rar files for exfiltration
T1070.004 | Indicator Removal on Host: File Deletion | Where at the start of the campaign the adversary was sloppy, during the last months of activity they became more careful and started to remove evidence
T1041 | Exfiltration Over C2 Channel | Adversary used multiple C2 domains to interact with compromised hosts
T1567 | Exfiltration Over Web Service | Gathered information was stored as 'rar' files on the internet-facing server, after which they were downloaded from a specific IP range
T1071.004 | Application Layer Protocol: DNS | DNS tunneling was used for the C2 traffic of the PlugX malware

 

Indicators of Compromise (IOCs)

Note: the indicators shared are to be used in a historical and timeline-based context, ranging from 2016 to March 2021.

Operation Harvest:

PlugX C2:

sery(.)brushupdata(.)com
dnssery(.)brushupdata(.)com
heart(.)asmlbigip(.)com
sec(.)asmlbigip(.)com

 

Tools:

Mimikatz

PsExec

RottenPotato

BadPotato

 

Operation 2019/2020

PlugX malware:

f50de0fae860a5fd780d953a8af07450661458646293bfd0fed81a1ff9eb4498

26e448fe1105b5dadae9b7607e3cca366c6ba8eccf5b6efe67b87c312651db01

e9033a5db456af922a82e1d44afc3e8e4a5732efde3e9461c1d8f7629aa55caf

3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

 

Winnti:

800238bc27ca94279c7562f1f70241ef3a37937c15d051894472e97852ebe9f4

c3c8f6befa32edd09de3018a7be7f0b7144702cb7c626f9d8d8d9a77e201d104

df951bf75770b0f597f0296a644d96fbe9a3a8c556f4d2a2479a7bad39e7ad5f

 

Winnti C2: 185.161.211.97

 

Tools:

PSW64       6e983477f72c8575f8f3ff5731b74e20877b3971fa2d47683aff11cfd71b48c6

NTDSDumpEx  6db8336794a351888636cb26ebefb52aeaa4b7f90dbb3e6440c2a28e4f13ef96

NBTSCAN     c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e

NetSess     ddeeedc8ab9ab3b90c2e36340d4674fda3b458c0afd7514735b2857f26b14c6d

Smbexec     e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee

Wmiexec     14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8

Mimikatz

RAR command-line

TCPdump


