Pulse Detail — Threat Intelligence

PULSE NAME

Malicious ISO File Leads to Domain Wide Ransomware

WHITE Domain AlienVault 2023-04-03 Modified: 2023-05-03

IOCs

HIGH VOLUME

The blog describes an incident that took place in late September of 2022. The threat actors used IcedID, delivering the payload using an ISO image on this occasion. The threat actor used Cobalt Strike, AdFind to gather AD information, exploited the Zero Logon vulnerability (CVE-2020-1472), and deployed Quantum ransomware using PSExec.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1566.001 T1047 T1059.003 T1204.002 T1086 T1035 T1053.005 T1068 T1134 T1218.010 T1218.011 T1003.006 T1003.001 T1482 T1082 T1018 T1124 T1135 T1087.002 T1083 T1570 T1567.002 T1562.001 T1486 T1553.005 T1033

MALWARE FAMILIES

Quantum IcedID Cobalt Strike

Indicators of Compromise (72)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
CVE	CVE-2020-1472	—	2023-04-03
FileHash-MD5	0d51c60c67c62836ba0f7948113b3737	—	2023-04-03
FileHash-MD5	131d277cfbc9f4b2d667150d84ad503d	—	2023-04-03
FileHash-MD5	1af7a0e058ce1b63b138a1425a835561	—	2023-04-03
FileHash-MD5	1b1497c2758ff5a8ade2df336a7a6c2d	—	2023-04-03
FileHash-MD5	397020072f5787dbbc0c344f98623bbd	—	2023-04-03
FileHash-MD5	515047b6ce410001696812bc85e197d1	—	2023-04-03
FileHash-MD5	601d613bff412d245e3edf46dc499d83	—	2023-04-03
FileHash-MD5	72a589da586844d7f0818ce684948eea	—	2023-04-03
FileHash-MD5	7ac356035fce31e9e14c3a3d371ddf41	—	2023-04-03
FileHash-MD5	92edbbeff775928cfc6e3c8efefe4ecc	—	2023-04-03
FileHash-MD5	955d0cf317efe48bf0394330fcd82ebb	—	2023-04-03
FileHash-MD5	9bd6b1f24b9589a3fbc1d54b6e6184b8	—	2023-04-03
FileHash-MD5	a0e9f5d64349fb13191bc781f81f42e1	—	2023-04-03
FileHash-MD5	adc50d0c1e7bf37288a612a0f278e028	—	2023-04-03
FileHash-MD5	ae4edc6faf64d08308082ad26be60767	—	2023-04-03
FileHash-MD5	b31de50a57e8cb73c9efda8b97ffa261	—	2023-04-03
FileHash-MD5	ce1b0e77a31da8dc68f77a977b04f3e4	—	2023-04-03
FileHash-MD5	dbb08886c60f3c44b377d09bd9d8b6d3	—	2023-04-03
FileHash-MD5	df5ce1159ef2e257df92e1825d786d87	MD5 of a7e163eaa0fc2afb9c0d5ac6f79cb3e49919dd3c	2023-04-03
FileHash-MD5	e77f23aac8db0d23196b6bef64fe04fc	—	2023-04-03
FileHash-MD5	ec74a5c51106f0419184d0dd08fb05bc	—	2023-04-03
FileHash-MD5	f102a95e749d1ee63c71df902856ae51	—	2023-04-03
FileHash-MD5	f176ba63b4d68e576b5ba345bec2c7b7	—	2023-04-03
FileHash-SHA1	26b11c95a6a324dbb0ab32428361b0531234ecee	—	2023-04-03
FileHash-SHA1	5facd0aa9a29e0768ab9f432c79eac173af69711	—	2023-04-03
FileHash-SHA1	61f838d9b0998ab23877e86f6e8ba3551799e07c	—	2023-04-03
FileHash-SHA1	6254e8cca47d87f29e85627a08ba88b79915a459	—	2023-04-03
FileHash-SHA1	66b8da857c6dc45dea3a9fb17a503b3c2d203245	—	2023-04-03
FileHash-SHA1	7262b7df4d90409fb141856d9b55792872deda20	—	2023-04-03
FileHash-SHA1	90bf77e194970dd74d1b49faf58ae395ce49bb34	—	2023-04-03
FileHash-SHA1	970e793c86266b20d280c04e0f41ec7ae9c2093c	—	2023-04-03
FileHash-SHA1	a39b9119003c63583e2a0f11f19f3e6050399176	—	2023-04-03
FileHash-SHA1	a597205ed55b6e6413a17edb62cbb29bda735676	—	2023-04-03
FileHash-SHA1	a7e163eaa0fc2afb9c0d5ac6f79cb3e49919dd3c	—	2023-04-03
FileHash-SHA1	a7e3f617644599ec695da84d140a7b69c392a421	—	2023-04-03
FileHash-SHA1	d6cc874f84797813c225318b877eace04ca5f5a1	—	2023-04-03
FileHash-SHA1	d84d40038311e188e25c78389b51b900de9c69bd	—	2023-04-03
FileHash-SHA1	f05ff93ee4d2f31bc70c0484a559d562203b7700	—	2023-04-03
FileHash-SHA1	f8473c6c8b298a3d72c8ca890667eddab62d2ba8	—	2023-04-03
FileHash-SHA1	fda81b5951bb02ef0236088c310d9bc4fa70e1e6	—	2023-04-03
FileHash-SHA1	fffa0ce086791c41360971e3ce6a0d1af1701616	—	2023-04-03
FileHash-SHA256	03a9d6afc99e70333723d921bd1265ac948cdabb8b15689b5ceb1c02365a9572	—	2023-04-03
FileHash-SHA256	163800b0fbf1b1b7bbc7f719df421ed717111c7c9ddea9c9b41f898ee22dd51a	—	2023-04-03
FileHash-SHA256	1ee563caf943d3a7ed315dda9c37f0c9c445eec6dfb78ae196d2989626a0dfec	—	2023-04-03
FileHash-SHA256	2a2c83a7c8cd33e45dc14b8d955e00161580d6d2736f4e75a235aa3eb2f21528	—	2023-04-03
FileHash-SHA256	47ed0d1c7d8abc159d1eb2bb9fbe037f38b0846217cc11132652734f93ad5678	—	2023-04-03
FileHash-SHA256	4f52c7448bdcb4caa2eff701b0f3b60b406aea278ecd5a3b23cac808a65418e7	—	2023-04-03
FileHash-SHA256	6511d6e84343c2d3a4cd36853170509e2751e27c86f67c6a031dc88e7e495e48	—	2023-04-03
FileHash-SHA256	68f971a1b391f809058e83058a2037d29c28a8a21fd618b0d952466c632ff1be	—	2023-04-03
FileHash-SHA256	842737b5c36f624c9420a005239b04876990a2c4011db87fe67504fa09281031	SHA256 of a7e163eaa0fc2afb9c0d5ac6f79cb3e49919dd3c	2023-04-03
FileHash-SHA256	8f7cc7cc14a12753d41678981b929546d12218d457a9d22951808cb5f19e549c	—	2023-04-03
FileHash-SHA256	999cba918c297bf0b0d7d4aa9003e6338cc300a9270cc758d1d108c26603417d	—	2023-04-03
FileHash-SHA256	a378b8e9173f4a5469e7b5105be40723af29cbd6ee00d3b13ff437dae4514dff	—	2023-04-03
FileHash-SHA256	c2ebcc389304539bc13c3d2023cf88f9ea0bac7210fefa03f8333eaab0bbb76d	—	2023-04-03
FileHash-SHA256	e9da08831e0d4395f697e4f18c87be941bf52c79d84da1cc88186bdea1ebf4f4	—	2023-04-03
FileHash-SHA256	f27d924911a7087928012764358bad9240b2ba8aeeca5e0d717abdbb82344981	—	2023-04-03
FileHash-SHA256	fafc84466c1ce361bb6ce219bde2b64ca07a6a6feda23f444749ba06c44b0580	—	2023-04-03
FileHash-SHA256	fc4da07183de876a2b8ed1b35ec1e2657400da9d99a313452162399c519dbfc6	—	2023-04-03
domain	alockajilly.com	—	2023-04-03
domain	antiflamez.bar	—	2023-04-03
domain	choifejuce.lol	—	2023-04-03
domain	considerf.info	—	2023-04-03
domain	erinindiaka.quest	—	2023-04-03
domain	fazehotafa.com	—	2023-04-03
domain	guteyutu.com	—	2023-04-03
domain	guteyutur.com	—	2023-04-03
domain	opiransiuera.com	—	2023-04-03
domain	zoomersoidfor.com	—	2023-04-03
hostname	rsat.activedirectory.ds-lds.tools	—	2023-04-03
hostname	www.onlinecloud.cloud	—	2023-04-03
hostname	zeek.ssl.server.name	—	2023-04-03

References (1)

↗ https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/