Some hackers were trying to compromise an entire network by deploying ransomware. Now, I know that's a pretty general statement; in today's day and age that's common and happening all the time. But let me tell you a story and give you some background context.

I'll be working out of my Windows 11 virtual machine, and I've got a folder on my desktop called "investigation". I want to tell you about a recent case that we got to work as part of our Security Operations Center at my day job, Huntress. Let me show you the incident report here. This is a case of ransomware, so it's pretty clear: the Huntress agent has been tasked to isolate this host, take that computer away from other computers on the network. It's been quarantined and isolated so the incident wouldn't spread to other devices. Of course, I redacted a lot here: the hostname, the organization, the security products (I don't think there were any others to be listed), but this is of course a critical-severity incident. There's the usual boilerplate summary here: really, a factory reset and complete wipe of the host is ideal, but of course assisted remediation will clean up all the bad bits that we're aware of.

So check it out. Huntress detected the following on this host: evidence suggests that a user (redacted) has been compromised. Huntress observed the following timeline. At a redacted timestamp, the user (redacted) remotely authenticated to the host from a separate IP address (redacted), a local area network IP address, think 192.168.whatever. That includes the connecting hostname, which of course I've redacted as well, but we did not have an agent installed on that host. To clarify, the security solution is not running on the other host that connected to this host. And let me please say this from a place of love: with a security solution, an EDR, especially Huntress, there's really no wrong way to use it. It's the closest you can get to set-and-forget. The only wrong way to use it is to not install it. I'm sure folks are familiar with this, whether it's not on servers or workstations or whatever, but seriously, get that everywhere.

That's the gist, though: a machine that we did not have visibility and telemetry from RDP'd or remote controlled (you can see "remotely authenticated"; that clues me into the Remote Desktop Protocol) with an account that, I'll let you know some backend detail here, was an admin user. The local IP address with the connecting hostname where it came from... well, the hostname clued us in that it was very likely their domain controller. So that sounds like Bad News Bears, right? An unknown threat actor active on the domain controller already owns the whole infrastructure, but we didn't have the visibility because it wasn't installed.

Anyway, once this threat actor, this hacker, has authenticated to this machine, the threat actor unfortunately deployed ransomware. You can see the command line here: they're dropping and running this win.exe with a couple of arguments, given --mode medium, --ens, --lhd, --su, --kill. But take a look at that path here. I've of course redacted the username, but it's in the Videos folder, just in their user profile. Not particularly stealthy, I guess; then again, how often do you look into your Videos folder? Whatever. Of course, obviously this generates a signal. We get to triage ransomware, it'll trigger our canaries, and that'll spin off that critical alert and isolate the host, so we try to contain this the very best that you can here.

But that is not all that I wanted to chat about for this video, because you might have noticed in the same folder for our investigation I've got another directory called "tooling", and this is pretty cool. We were actually able to grab a couple of the files, artifacts left over from the threat actor, from the hacker themselves. We got to see some of their tools. So in this video I would like to take a look and see what we can dig into for a couple of these simple batch scripts, and then the ransomware. I'll get back into my text editor, Sublime Text, and I actually want to open up that folder. Now we can see everything inside of tooling, and we can click into the stuff that looks a little interesting for us, the first couple being backup.bat, clean.bat, close apps.bat, kill process, etc.

Let me clue you in on something, though, because this was a ransomware incident, and I can tell you, maybe jumping ahead in our story here, this was the Inc ransomware, or INC. Once we got to do enough investigation, analysis and triage, we could uncover that. But while you're working through that process as either a threat hunter or a CTI (cyber threat intelligence) analyst, you might be doing your homework, trying to go find other indicators of compromise, other attack techniques, things that were used throughout the attack. If you're digging into a case like this, it would be worthwhile to try and track down other research, other write-ups, other articles, other information that folks know of or that they've seen from other cases in the wild: potential activity from Inc ransomware or anything else. So before we dive into taking a look at the threat actor tooling, let me show you something cool along the lines of threat intelligence, CTI and threat hunting work. Let me tell you about the sponsor of today's video, Feedly.

Let me show you the Feedly Threat Intelligence Ask AI feature set. With Ask AI you can instantly pull insights from any article or batch of reports, whether it's quick summaries, translations, or advanced threat analysis like threat hunting hypotheses and adversary tracking. There's a library of built-in actions ready to go, or you can custom-prompt exactly what you need. Instead of sifting through massive reports, Ask AI extracts the tactical and actionable intelligence for you: network traffic, EDR telemetry, vulnerabilities, you name it. Take this intel collected through Feedly on a threat actor. There's a lot here and you've got no time to read it. If you're a threat hunter, Ask AI instantly generates a table of attack procedures and threat hunt hypotheses; you get only actionable procedures and technical details. Or, if you're a CTI analyst, use Ask AI to build a detailed attack flow diagram and visualize the attack as it progressed. Why not just use ChatGPT? Well, because Feedly Threat Intelligence gives you control over the sources you want to analyze and ensures that every fact is clickable right back to the original report for easy verification. On top of that, Feedly AI's deeper understanding of threat actors, tactics, techniques and procedures, malware families and indicators of compromise minimizes inaccuracies that can occur in general large language models. It's your AI assistant for the world's news in cybersecurity and threat intelligence. You can generate reports, tailor outputs, build diagrams for timelines, flowcharts and more with Ask AI. Check out Feedly's Ask AI feature and try it for free with my link below in the video description, jh.live/feedly. A huge thanks to Feedly for sponsoring this video.

All right, now let's finally take a look at some of this threat actor tooling. These are the files that were left behind in that Videos directory with the ransomware executable, but there were a lot of these other batch scripts. Now this is the part of the video where I have to add the usual disclaimer: hey, malware, don't do it, cybercrime is bad, don't be bad, be good, etc. You know the drill.

So the first one we've got here is backup.bat. Now, this is not backing up anything; in fact, it's deleting all of the volume shadow copies that may be saved on your machine. If you aren't familiar, Windows does this thing where it will actually take a copy and clone of your file system, hence a volume shadow copy. These are oftentimes used to revert back to a known good state if anything were to go wrong on your computer, but in the case of ransomware it's very common to delete these, get rid of them, so there's no chance of recovering data and you're forced to pay the ransom. vssadmin.exe is of course the built-in, native tool to handle these, and they quietly delete all of them. wbadmin is another built-in executable that will do similar work. We can actually go take a look; we should fire up our own terminal to explore and see what some of these commands do. I'll full-screen this and take a look: wbadmin is the Windows Backup command-line tool, just another backup capability that Windows offers. But they're covering their tracks, trying to delete everything so there's no way to recover. Perhaps that's why it's called backup.bat: not making backups, but deleting them.

Next we have clean.bat, which is actually kind of interesting. There's a lot here, but it's using cmdkey.exe. If you aren't familiar, Windows does keep track of some of the credentials, like cached passwords and things that it uses on your computer. These are usually for Windows-specific things like Windows accounts or online accounts that it uses, and you can use /list to dump all the information about them, not quite what they are, but at least the ones it has stored. It throws this, or redirects it with the greater-than symbol, the arrow, into a file under the variable %USERPROFILE%, so C:\Users\yourusername\ and then a random file name, a1sf.txt. Then they actually look through it using findstr, so basically grep if you're coming from the Linux world, looking for the word "Target", and then, using that as their baseline, they'll put that in f1dsa. Very cool. I like the original names here. Look, let me turn word wrap on so we can actually see this a little bit better. Then we have a for loop that just loops through it to get each entry and then delete them. Nice. The loop here, with %%G as the iterator variable, is now going to take all those entries and then remove them. If you don't believe me, we can go take a look at our terminal. Let me use cmdkey, and you'll see that is the Credential Manager here on Windows, but /list just lists the ones that it has. I can run this on my machine just to see what it looks like: using /list, it dumps the currently stored credentials, in which case, you know, my Windows online account, so that includes my email; redact that. Then it deletes those files that it used just to be able to grep through them with findstr. Okay.

And then it makes some changes to the Windows Registry using the built-in reg command, but not reg add to add anything or manipulate and modify the registry, just deleting things. They do use reg add just a little bit down below, but the keys here are especially pertinent because it's trying to remove evidence or any cached information from Terminal Services, which you might know as Terminal Server Client; that's RDP, the Remote Desktop Protocol. The client on Windows is typically that mstsc.exe executable. We can run that mstsc.exe: it's Remote Desktop, it's RDP, nothing fancy, nothing special there. But if you had anything here, as if we were caching, saving or remembering any past connections, well, they're ripping that out of the registry and deleting it. Same thing with the Servers line here, making sure there's no history to look back on. Even then, a little bit more interesting, they do the very same with Default.rdp, the file-system-based artifact that may be left behind as previous evidence of using RDP. They do this twice, interestingly, in the \Documents folder and in \My Documents with no space, which I don't think you usually see, but maybe I'm just, you know, not right.

Then they do something kind of neat: they hop over to the AutomaticDestinations folder on Windows and they delete one of the automaticDestinations-ms files. If you aren't familiar, these are Windows Jump Lists. A Windows Jump List is a system-provided menu that appears when the user right-clicks a program in the taskbar or on the Start menu, so the artifacts, some of the forensic detail left behind, are really the things that have been accessed recently: documents, files, programs that it's spun up and started. For some of the forensic analysis there, I really recommend you take a look at Eric Zimmerman's tools. He does have JLECmd, I think, yeah, okay: automatic and custom destinations jump list parser. Very cool, quick and easy command-line tool, as with all the other awesome stuff that Eric Zimmerman puts out. All of his tools you can find online on his website or on GitHub. That is definitely something to have in your arsenal if you're doing some of the Security Operations Center analyst work, CTI, whatever the case may be. Make sure you can pull down all the stuff that he's got, between Amcache, activities, all these things. Hopefully that's a good resource for you there.

But let's get back to our threat actor tooling. We're moving on to close apps.bat, and this is awesome. The very first line is actually setting a label in batch, so the colon really just says, hey, this is a part of the script, of the document, the text, the code that you're writing here, with a given name tag, so it can actually jump back to it at any point given this label. That's oftentimes why batch and a lot of shell scripting languages get a bad rap: because it's oftentimes spaghetti code, and you just sort of jump back and forth if you ever use goto or labels like this. This is awesome; look at it, it's just trying to kill absolutely everything here: Veeam Backup and Replication, of course; SQL Browser, if you have any Microsoft SQL database, structured query language, there; it's even trying to kill Slack, Dropbox, OneDrive, and then things related to Microsoft Exchange. REM is for "remark", and I know that's oftentimes one that can be used for comments in batch; you could also use two colons, and there are some idiosyncrasies there, REM being for remarks specifically. But I'm rambling, sorry. Look at this, it's just taskkill over and over again, trying to beat up, nuke and get rid of other software programs that might be running. Looks like those are all the comments here. But it's very funny, because we saw that loop at the very start: looks like it'll do this every 30 seconds, because there's a timeout to wait, sleep for 30 seconds, then goto the loop, actually after it just displays an echo, "Loop". So actively, all the time, every 30 seconds, it's trying to kill all those processes that it just doesn't want running.

That does leave me curious, though: how does this compare to kill process.cmd? Oh, okay, a lot more of the same. Should we even turn word wrap on at this point? I mean, I feel like you can see this: stopping services, in this case SQLWriter, SQLBrowser, MSSQLSERVER, and their actual service names, not strictly a service display name but the name that it's used to register as a service with the Service Manager. Looks like it tries to even make changes to the boot config, right, bcdedit, making changes to the boot status policy and even setting recoveryenabled to no. Ooh, that's grim. We see wbadmin in the mix again, we see a couple more service stops, and even shutting off the firewall. Nice. You can see that setting the current profile, whatever is active, to just off, so the firewall is no longer going to be running; set opmode being disabled. It's interesting to me that they do this all in batches or little couples: they'll run the very same command with cmd.exe, and then /c again to denote an actual command to run, and then they run that command. So just some more processes to make this even louder and even easier to detect, I guess. Definitely going to be generating a lot of signals there for a detection team to key off of.

And log delete.bat, wow, makes this stick out like a sore thumb if it hadn't already: wevtutil el to take a look at the Windows event logs and then cl to clear them. Let me show you that. Obviously this is much better dealt with in PowerShell if you're actually a system administrator or someone trying to handle a lot of the Windows event logs, but the old-school, OG, actual core utility here, wevtutil, forgive me, is the event command-line utility running on old-school cmd.exe. All reliable, old but gold, but of course the threat actor tooling is cleaning up their fingerprints and trying to remove everything from the Windows event log.

Next we have loggy cleaner.bat, ooh, with a cool comment here. Oh, I like that little hacker's calling card: "super elite, created by luciferium". Luciferium, how do you want to say that? I can feel the teenage angst with that elite hacker name. This includes the @echo off boilerplate so you won't actually see the commands as they're executed. Did we see that in the others? I feel like they just went right to it. Yeah, no, okay, there is an @echo off here. I should have explained that when we saw it the first time; man, I'm an awful educator. Anyway, let me zoom out a smidge, but honestly this looks like more of the same. They're doing everything that the other files already did, but now just in a different place. Oh, there is a new one here: they beat up RunMRU, so that is the registry key that will contain a lot of, again, the history or cached information from the Run dialog box. Whenever you press the Windows key and R on your keyboard at the same time, it pops open this, but then you could take a look through all of the old commands that were run previously. Oh, there's a lot of sketchy stuff in mine. They have another one here, WordWheelQuery; I believe that is actually what you type into the Start menu as you open it up, anything that you're searching for within here. That is a record also in the Windows Registry. Next, more damage done to the RDP cache, again jump lists, even flushing DNS with ipconfig, nice. Clearing out the temporary directory, we haven't seen that before, and Temporary Internet Files from Internet Explorer, or just other cached info from web browsers; you can see Google Chrome in here just as well. And then down at the bottom, more event log clearing. All right, basically stuff we've already seen.

medical.zip is where we can get into some of the fireworks, but please let me hold that for a little bit longer, along with ns.exe, because I think we can clear through these batch scripts, because apparently they're pretty easy and they're all just about the same, before we dig into the executables themselves. Ooh, I like this: turnoff.bat, actually trying to clear the Recycle Bin. Was this also luciferium's doing? I appreciate the debug strings and output here, but take a look: they are using rd to remove a directory, silently, but look, they enumerate all of the drive letters, whether it's your C drive, like C:\, or D or E or F or J or all of the letters of the alphabet, to try to make sure that no matter where your file system is actually mounted, the Recycle Bin, which is a folder by the way, a legitimate, real, actual one, like the Recycle Bin fella friend over on the desktop, is the very same. We can test that out if you don't believe me. Let me create just a quick new "please sub.txt" file and then let me delete it, and you can see it's populated in the Recycle Bin, which, as you can tell, usually in Explorer is just called Recycle Bin. What is Explorer doing right now? Anyway, right, in Explorer it'll show you just "Recycle Bin" as the clean separated words, title case, with a space in between, but it's C:\$Recycle.Bin; you can even see in the autocomplete it's suggesting a SID, my unique ID for a given user, and the $R oftentimes contains the remnants left over from that file. There's also a $I if you get into Recycle Bin forensics, but that's a whole other can of worms. It's compartmentalized by the SID, right, so if I go back to the S-whatever cache I can supply the SID there and then you'll see there's our "please sub.txt". Yep. Sorry, I spent way too long talking about the trash can on your computer and the Windows Recycle Bin.

Anyway, start service off is actually trying to stop ScreenConnect. Oh, other remote control capabilities, right: Apache2, enterprise stuff, TDService, undelete, LogMeIn, a lot of these remote monitoring and management or remote control pieces of software. Another sweet resource for you, as we are scrolling through just the laundry list of services that it tries to stop, wow, look, another resource for you: lolrmm.io, or LOLRMM. It's the living-off-the-land sort of curated list of remote monitoring and management solutions that could be used and abused by threat actors like Inc ransomware or any others. There's a big long list here and this is a pretty cool archive collection, good to note, and something maybe to reference here and there. Anyway, what other services will we stop? I don't know, we could play a certain amount of bingo here if you've got any votes for what else it could try to kill. Now with another taskkill section, again the same commands, but look at everything, they all just have it hard-coded. And another, okay, Windows event log clearing, delete shadow copies, what? Why are they doing this? How long is this file? There's a lot of this here. The fact that it's hard-coded, though, obviously again makes it easy to detect; YARA could be a good savior there. All right, I could keep scrolling forever, but I don't think that's the most entertaining thing, so we're going to try to speedrun the rest of this, but look, they do this over and over and over again, for what is this, 1,500 lines? Okay, 1,100 lines. And then we've got VM kill.bat, which does more of the same again, this time probably specific to virtual machines, VMware, VirtualBox solutions, anything like that.

But finally, now let's get to our executables, the zip archives that I have been postponing to the end here. What do we have to dig into? win.exe is probably the most fun and enticing thing, because we know that is the ransomware binary, that is the encryptor. So let's get back to our command line, and I actually want to show you a couple of things about these. Let me get to that investigation folder on the desktop and the tooling directory that we had here. If I actually take a look at the file hash for all of these, I'm going to use Get-FileHash in PowerShell with the star, the asterisk, to glob for everything. Look, it dumps, well, the hash, but I also want to know the file, so what I will do to clean that up is actually use the same command but pipe it to fl *. I like to use that to quick and easy pull out everything; that is just the alias for Format-List, and that should at least expose all of the properties and show them to me nice and easy, so on a line here I can tell what's what. The reason that I dragged us down this rabbit hole is that the SHA-256 hash for our win.exe.zip is the very same as the hash for windows.zip. Now it goes without saying in my mind that the windows.zip and the win.exe.zip, while they are password protected because they are malware, a default password "infected", usually, thank you VX Underground, I'm glad we have spread that gospel. Let's extract the other one just as well. Obviously if I run this command again, Get-FileHash, and now we're looking at the executables that were inside these two zip archives that had the same hash, obviously they are going to have the exact same hash. Actually, both zip archives had the file name saved as the hash of that binary, which corresponds, and that's why they kind of clobber themselves: there's only one here because it's the exact same value that matches the SHA-256 hash of that. All that is to say, this file, whether it was called windows.exe or win.exe as we saw it in the incident report, that is the ransomware.

Let's save those fireworks for the end, but I want to also take a look at our ns.exe.zip and our medical.zip. Let's start with medical, because I've been alluding to that one for a little bit. If we extract that out into its own folder, really interesting: it actually has files that are the compiled ransomware binaries for different operating systems and architectures, right. You can see Windows there all lonesome, but there's also Linux x86, Linux x64, Linux ARM, or RISC-V, just crazy. They even have the Linux compiled binary for ESXi and MIPS. Obviously this medical.zip is just the collection of all of their tool chains, like all of the ransomware binary's possible compile architectures and solutions there, but that means this whole package of their tool chain was pulled down onto the victim computer, left there as a remnant and artifact in this case. But look, with this being unprotected, there's no password set on this zip archive, this is probably another thing you could signature or fingerprint if you really wanted to.

Now let's not forget about our ns.exe. Let me extract that one here; that did have a password. Prepped for our tasking work, this file, given that SHA-256 hash, is the real ns.exe binary, and we could go take a look at what that is. We'll keep it simple: I just want to look this up in VirusTotal, and actually, since we have that hash, we'll just copy-paste that real quick and give that to VirusTotal. If for whatever reason you weren't familiar, VirusTotal is that awesome website and online resource where you can kind of test a file, have it scanned against multiple antivirus solutions, and see how it goes. Looks like 51 out of 72 antivirus engines are saying this is Bad News Bears, there be dragons: a popular threat label of hacktool, nettool, crisis. But while that gives us a quick check, and that's doing some static analysis, it would be worthwhile to do dynamic analysis and actually run this in a sandbox and see what it looks like. I'm going to press the easy button. I like doing this in ANY.RUN's cloud sandbox, because it's an immediate, quick, temporary and throwaway virtual machine. Let's upload the file, drop this in, my desktop, Windows 11, give it a little bit more time, private analysis is good by me. All right, this is spinning up, but the benefit of the sandbox is that it is interactive, so we can honestly just click into it and have this extracted to our desktop. We'll type in the password "infected", so we get to actually put this all together. Let's rename this executable so that is the ns.exe, and if I double-click on this to run it, oh, ASCII art, oh goodness, this is a little bit hard to read. Here we go, that should be easier to see: "scan all network by mask and mount shared folders as drives". Ooh, okay, cutesy tooling. "Appreciate your time. Network scan and can mount, include check for unmounted local volumes. 98 was added for standalone usage." What? I'll just do the thing, not 11, 1, and then it's trying to look for stuff. So it's a network scanner, right, hence the name NS, I think that's fair to say, and also looking for shares, drives and other things. Okay, well, ns.exe is neat.

I know we are probably most interested in the actual ransomware file itself, so let's go ahead and try to run that as it would execute on the target computer. So we'll invoke it with the same command-line arguments, flags and switches we saw in the report. Let me extract this super quick, we can say "infected", and now let's try to open the command prompt at this directory once we change this to win.exe. So let me grab that destination and then try to open up a Start menu terminal here; the font is very hard for me to read just as well, but we've got that executable ready. Let's try to grab the syntax to detonate it. Looking back in Sublime Text, they ran this with the arguments --mode medium, --lhd, --su and --kill. Now let's try to run our win.exe and then we'll paste in that, send it. Okay, now I'll hit Enter and fire up ransomware. Oh, it's PowerShell, it needs the ./ at the start. Okay, there we go, ransomware. Oh, it even displays the count, the number of arguments: --mode medium, --ens and all that. So, looks like ANY.RUN is tracking it. I'm going to move my face here, because I think, yep, okay, you can see the little tag identifier: it is noted as Inc, or INC, of course malicious, with a ransom note being found, encryption capability, YARA rules firing, all the things here that clearly make this bad. Now it says it did track down a ransom note, so we could see that in basically any folder now. Let's go see: can we get to the root of the file system and check? Now, it might be pretty tough to read, but I do see the README.txt, and we can open that in Notepad and read our ransom note: "Inc Ransom. Your data is stolen and encrypted. If you don't pay the ransom, your data will be published on our Tor darknet site." Let's pull this out so it's easier to read. Do they change the wallpaper? Oh yeah, they do. Let me stop ANY.RUN here so we can see the video and actually get probably a clearer picture of what that background really looked like. Pretty brutal, right? Oh, it's the full ransom note, the note that they leave behind, just on your background.

So the ransom note says: Inc Ransom, your data is stolen and encrypted; if you don't pay the ransom it will be published on our Tor darknet site; the sooner you pay the ransom, the sooner your company will be safe. They include the onion URLs, and, that's surprising to me, they even have a clearnet domain, inc a.su. Ah, and they've got the usual braggadocio: hey, what guarantees we won't fool you, you know, it's a business, blah blah blah. They're on Twitter, oh, okay, the hashtag threw me for a loop there; I didn't know Inc ransomware had an x.com account, the everything app. They have a different domain for chat than they do for their blog and their leak site, but all the warnings: hey, don't make any changes, don't go to the police, don't ask the FBI for help; typical, you know, just intimidation, scare tactics. Look, I'm not going to comment on whether or not you should or shouldn't pay a ransom; obviously it's totally your lifeblood, your business, your company, but it's just emboldening threat actors if you give them money. They're spooky scary, though, here: "for those who have cyber insurance against ransomware attacks, insurance companies require you to keep your insurance information secret; in most cases the cybercriminals will find your quotes," like your deal, your actual relationship, so they'll know what the deductibles are and how much that will still do damage to you despite insurance. Not saying that to be doom and gloom, just the nature of the beast.

So this is the Inc Ransom onion leak site, and obviously it's just listing the victims there, so I will do my darnedest to redact that, just out of polite courtesy, but it's as real as it gets, you know, right? I believe Inc Ransom has been going since 2023, so they've got quite a queue here. I've never actually seen their Tor chat. Oh, I mean, it's what you'd expect, but a different domain. Can I give it my unique ID? Can I chat with someone? "Already registered", oh, probably from ANY.RUN, you know, standard machine ID. Could I guess the password? That would be really funny. Is it "fancypass"? Can I reset my fake ransomware? Oh, okay, falling down the rabbit hole here.

Anyway, that's the gist. I wanted to show you these files, I wanted to show you this code, these scripts, the syntax, even if it is boring, stupid, dumb Windows batch commands. But look, in some cases it could still work, but I think any EDR worth its salt is probably going to be lighting that up like a Christmas tree. Of course you can see plenty to signal off of, and ransomware canaries and host isolation, all these things kind of help put it together to lean on defense against ransomware. And I hope there are a couple of neato forensic artifacts alluded to in there if you hadn't seen them before, things like the Windows Jump List, the WordWheelQuery registry key, a lot of things that you could still pick up on, and all of these indicators of compromise, artifacts, whether it's MITRE ATT&CK techniques, TTPs, or overall tradecraft, cool things you could be hunting down if you are a cyber threat intel analyst or Security Operations Center fella, folks, individual, or threat hunter doing all that great work. And if you are, please do go take a look at Feedly Threat Intelligence, link in the video description; we want to make sure we give some love to the partners of the channel. Thanks so much for watching, hope you enjoyed this video, I'll see you in the next one.
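The hard-coded shadow-copy deletion, event-log clearing, RDP/Run/Start-search history wiping and the 30-second taskkill loop walked through above are the kind of thing a detection team keys off of. As an added example that is not from the video or the threat actor's tooling, here is a Python triage script that scans a batch file for those behaviours and maps them to MITRE ATT&CK techniques; the sample scripts, file names and the technique mapping are constructed for this example.

```python
"""Triage scanner for the anti-recovery and anti-forensics batch commands walked
through above (added example, not the threat actor's files: the sample scripts
are constructed and the ATT&CK mapping is mine, not something from the video)."""
import re

# (ATT&CK technique, behaviour, regex), matched case-insensitively per line,
# with or without the "cmd.exe /c" wrapping seen in kill process.cmd.
RULES = [
    ("T1490 Inhibit System Recovery", "vssadmin shadow copy deletion",
     r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    ("T1490 Inhibit System Recovery", "wbadmin catalog/backup deletion",
     r"\bwbadmin(?:\.exe)?\b.*\bdelete\b"),
    ("T1490 Inhibit System Recovery", "bcdedit recovery disabled",
     r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("T1070.001 Clear Windows Event Logs", "wevtutil log clearing",
     r"\bwevtutil(?:\.exe)?\s+cl\b"),
    ("T1070.004 File Deletion", "Recycle Bin wipe", r"\brd\b.*\$recycle\.bin"),
    ("T1070.004 File Deletion", "Jump List deletion", r"automaticdestinations-ms"),
    ("T1070.004 File Deletion", "Default.rdp deletion", r"\bdel\b.*default\.rdp"),
    ("T1112 Modify Registry", "RDP / Run dialog / Start search history removal",
     r"\breg(?:\.exe)?\s+delete\b.*(?:terminal server client|runmru|wordwheelquery)"),
    ("T1070 Indicator Removal", "cmdkey stored credential wipe",
     r"\bcmdkey(?:\.exe)?\s+/delete"),
    ("T1489 Service Stop", "service stop", r"\b(?:net|sc)(?:\.exe)?\s+stop\b"),
    ("T1489 Service Stop", "forced process kill", r"\btaskkill(?:\.exe)?\b.*\s/f\b"),
    ("T1562.004 Disable or Modify System Firewall", "firewall disabled",
     r"\bnetsh(?:\.exe)?\b.*(?:state\s+off|opmode\s+(?:mode=)?disable)"),
]
COMPILED = [(t, b, re.compile(rx, re.I)) for t, b, rx in RULES]
WRAPPER = re.compile(r"^\s*(?:start\s+)?cmd(?:\.exe)?\s+/c\s+", re.I)

def detect_kill_loop(lines):
    """Find the ':label ... taskkill ... timeout ... goto label' construct from
    close apps.bat. Returns (label, sleep_seconds) or None."""
    labels = {m.group(1).lower(): i for i, l in enumerate(lines)
              for m in [re.match(r"^\s*:(\w+)\s*$", l)] if m}
    for j, line in enumerate(lines):
        m = re.match(r"^\s*goto\s+:?(\w+)", line, re.I)
        if not m or m.group(1).lower() not in labels:
            continue
        body = "\n".join(lines[labels[m.group(1).lower()]:j])  # empty if goto is forward
        sleep = re.search(r"\btimeout\b.*?/t\s+(\d+)", body, re.I)
        if sleep and re.search(r"\btaskkill\b", body, re.I):
            return m.group(1), int(sleep.group(1))
    return None

def scan_script(text):
    """One finding per (line, rule) match, plus the loop finding if present."""
    lines = text.splitlines()
    findings = []
    for n, line in enumerate(lines, 1):
        cmd = WRAPPER.sub("", line)  # judge the inner command, not the wrapper
        findings += [{"line": n, "technique": t, "behaviour": b, "command": line.strip()}
                     for t, b, rx in COMPILED if rx.search(cmd)]
    loop = detect_kill_loop(lines)
    if loop:
        findings.append({"line": None, "technique": "T1489 Service Stop",
                         "behaviour": f"persistent kill loop ':{loop[0]}' every {loop[1]}s",
                         "command": f"goto {loop[0]}"})
    return findings

def summarise(findings):
    """Distinct techniques and a coarse verdict a triage queue could key off."""
    techniques = sorted({f["technique"] for f in findings})
    verdict = ("ransomware-precursor" if len(techniques) >= 3
               else "suspicious" if techniques else "clean")
    return {"verdict": verdict, "findings": len(findings), "techniques": techniques}

# Constructed samples modelled on the scripts described above, not the originals.
SAMPLE_BACKUP_BAT = """@echo off
vssadmin.exe delete shadows /all /quiet
wbadmin delete catalog -quiet
"""
SAMPLE_KILL_CMD = """@echo off
:loop
taskkill /f /im veeam.backup.manager.exe
cmd.exe /c net stop MSSQLSERVER /y
netsh advfirewall set currentprofile state off
bcdedit /set {default} recoveryenabled No
for /F "tokens=*" %%G in ('wevtutil.exe el') DO wevtutil.exe cl "%%G"
reg delete "HKCU\\Software\\Microsoft\\Terminal Server Client\\Servers" /f
echo Loop
timeout /t 30 /nobreak > nul
goto loop
"""
SAMPLE_LEGIT_BACKUP = """@echo off
wbadmin start backup -backupTarget:E: -include:C: -quiet
net start MSSQLSERVER
"""

if __name__ == "__main__":
    for name, script in [("backup.bat", SAMPLE_BACKUP_BAT), ("kill process.cmd", SAMPLE_KILL_CMD),
                         ("nightly-backup.bat", SAMPLE_LEGIT_BACKUP)]:
        print(name, summarise(scan_script(script)))
```

The legitimate backup script comes back clean because the rules key on the destructive verbs (delete, cl, stop, state off) rather than on the tool names alone.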