Pulse Detail — Threat Intelligence

PULSE NAME

Malicious ISO File Leads to Domain Wide Ransomware

WHITE Domain AlienVault 2023-04-03 Modified: 2023-05-03

IOCs

HIGH VOLUME

The blog describes an incident that took place in late September of 2022. The threat actors used IcedID, delivering the payload using an ISO image on this occasion. The threat actor used Cobalt Strike, AdFind to gather AD information, exploited the Zero Logon vulnerability (CVE-2020-1472), and deployed Quantum ransomware using PSExec.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1566.001 T1047 T1059.003 T1204.002 T1086 T1035 T1053.005 T1068 T1134 T1218.010 T1218.011 T1003.006 T1003.001 T1482 T1082 T1018 T1124 T1135 T1087.002 T1083 T1570 T1567.002 T1562.001 T1486 T1553.005 T1033

MALWARE FAMILIES

Quantum IcedID Cobalt Strike

Indicators of Compromise (23 / 72 total)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	0d51c60c67c62836ba0f7948113b3737	—	2023-04-03
FileHash-MD5	131d277cfbc9f4b2d667150d84ad503d	—	2023-04-03
FileHash-MD5	1af7a0e058ce1b63b138a1425a835561	—	2023-04-03
FileHash-MD5	1b1497c2758ff5a8ade2df336a7a6c2d	—	2023-04-03
FileHash-MD5	397020072f5787dbbc0c344f98623bbd	—	2023-04-03
FileHash-MD5	515047b6ce410001696812bc85e197d1	—	2023-04-03
FileHash-MD5	601d613bff412d245e3edf46dc499d83	—	2023-04-03
FileHash-MD5	72a589da586844d7f0818ce684948eea	—	2023-04-03
FileHash-MD5	7ac356035fce31e9e14c3a3d371ddf41	—	2023-04-03
FileHash-MD5	92edbbeff775928cfc6e3c8efefe4ecc	—	2023-04-03
FileHash-MD5	955d0cf317efe48bf0394330fcd82ebb	—	2023-04-03
FileHash-MD5	9bd6b1f24b9589a3fbc1d54b6e6184b8	—	2023-04-03
FileHash-MD5	a0e9f5d64349fb13191bc781f81f42e1	—	2023-04-03
FileHash-MD5	adc50d0c1e7bf37288a612a0f278e028	—	2023-04-03
FileHash-MD5	ae4edc6faf64d08308082ad26be60767	—	2023-04-03
FileHash-MD5	b31de50a57e8cb73c9efda8b97ffa261	—	2023-04-03
FileHash-MD5	ce1b0e77a31da8dc68f77a977b04f3e4	—	2023-04-03
FileHash-MD5	dbb08886c60f3c44b377d09bd9d8b6d3	—	2023-04-03
FileHash-MD5	df5ce1159ef2e257df92e1825d786d87	MD5 of a7e163eaa0fc2afb9c0d5ac6f79cb3e49919dd3c	2023-04-03
FileHash-MD5	e77f23aac8db0d23196b6bef64fe04fc	—	2023-04-03
FileHash-MD5	ec74a5c51106f0419184d0dd08fb05bc	—	2023-04-03
FileHash-MD5	f102a95e749d1ee63c71df902856ae51	—	2023-04-03
FileHash-MD5	f176ba63b4d68e576b5ba345bec2c7b7	—	2023-04-03

References (1)

↗ https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/