iorewfinder.blogg.se

Rundll32 exe 99
In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while looking for interesting data to exfiltrate. Their preferred method of operation was through GUI applications such as RDP and AnyDesk. Historically, BazarLoader was used to deploy Ryuk, as we reported on many occasions. In one of our latest reports, we saw BazarLoader result in the deployment of Conti ransomware. In this case, we did not see the exact initial access vector, but based on other reports at the time we assess with medium to high confidence that a malicious email campaign delivering macro-enabled Word documents was the delivery vector. Shortly after the initial BazarLoader execution, we observed the first discovery commands using the standard built-in Microsoft utilities (net view, net group, nltest).

As the operators tried to enumerate the network, they mistyped a lot of their commands. We saw the BazarLoader process download and execute the first Cobalt Strike beacon twenty minutes later using rundll32.

During interactive discovery tasks via the Cobalt Strike beacon, the threat actors attempted an unusual command that had us scratching our heads for a while: “av_query”. This left us confused; we were not aware of the reason and/or the purpose of this command. On August 5th, a threat actor that goes by the name “m1Geelka” leaked multiple documents that contained instructions, tools and “training” materials to be used by affiliates of Conti ransomware. We demonstrated some of the documents on one of our recent tweet threads, more info about the Conti leak here. In these materials, we found a file called “AVquery.cna” that refers to a Cobalt Strike aggressor script for identifying AV on the target systems. It is likely that the threat actors in this intrusion meant to use this aggressor script via their Cobalt Strike console, but instead typed or pasted “av_query” into their Windows command prompt session. Additionally, threat actors were seen following the instructions of the leaked documents step by step. More specifically, we observed the threat actors copy/pasting the exact commands, such as creating local admin users, that contained the same passwords we saw in the leaked instructions.

Continuing with the discovery phase, the threat actors executed AdFind via a batch script before further enumerating using native Windows tools and port scanning via the Cobalt Strike beacon.