Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

    Date: 02/04/2025

    Severity: High

    Summary

    This intrusion began in late January 2024 when a user downloaded and executed a file named setup_wm.exe, which mimicked the legitimate Microsoft Windows Media Configuration Utility. The file was actually a Cobalt Strike beacon that established an outbound connection on execution. About 30 minutes later, the beacon ran discovery commands, starting with nltest to locate domain controllers. Using the elevated permissions of the compromised account, the attacker then used SMB and remote services to deploy two proxy tools, SystemBC and GhostSOCKS, onto a domain controller.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    https://accessservicesonline.com/setup_wm.exe

    user.compdatasystems.com

    compdatasystems.com

    retailadvertisingservices.com

    IP Addresses: (the eight addresses are listed in the detection query below)

    Hashes: (the MD5, SHA1 and SHA256 values are listed in the detection queries below)

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    userdomainname like "user.compdatasystems.com" or url like "user.compdatasystems.com" or userdomainname like "compdatasystems.com" or url like "compdatasystems.com" or userdomainname like "https://accessservicesonline.com/setup_wm.exe" or url like "https://accessservicesonline.com/setup_wm.exe" or userdomainname like "retailadvertisingservices.com" or url like "retailadvertisingservices.com"

    IP Addresses:

    dstipaddress IN ("31.172.83.162","159.100.14.254","91.142.74.28","185.236.232.20","195.2.70.38","38.180.61.247","93.115.26.127","46.21.250.52") or ipaddress IN ("31.172.83.162","159.100.14.254","91.142.74.28","185.236.232.20","195.2.70.38","38.180.61.247","93.115.26.127","46.21.250.52") or publicipaddress IN ("31.172.83.162","159.100.14.254","91.142.74.28","185.236.232.20","195.2.70.38","38.180.61.247","93.115.26.127","46.21.250.52") or srcipaddress IN ("31.172.83.162","159.100.14.254","91.142.74.28","185.236.232.20","195.2.70.38","38.180.61.247","93.115.26.127","46.21.250.52")

    Hash 1 (MD5):

    md5hash IN ("57f791f7477b1f7a1b3605465d054db8","0f7b6bb3a239cf7a668a8625e6332639","0aa05ebc3b6667954898cfccc4057600","ea327ed0a3243847f7cd87661e22e1de","03af38505cee81b9d6ecd8c1fd896e0e","6e91c474d90546845b1f3f9e7a33411a","6505b488d0c7f3eaee66e3db103d7b05","671b967eb2bc04a0cd892ca225eb5034","671b967eb2bc04a0cd892ca225eb5034","2800a10c4afae44978d906b2abaed745","d9adb3dd6df169e824b2867a2b8cba89","71c8c1a0056fd084bc32a03d9245ad10","573a213191985c555dd7e8de5f0a9cae","4457256150386acec794e9e8ee412691","40852fde665eb9119fcc565bd68de680","996ad32c7ae2190b7fa7876df0d7b717","90f9044cfee2c678fe51abd098bdfe97","b254f8f03e61bd9469df66c189d79871","4794accd22271a28547fb3613ee79218")

    Hash 2 (SHA1):

    sha1hash IN ("1ac66fcc34c0b86def886e4e168030dae096927c","5263a135f09185aa44f6b73d2f8160f56779706d","bba1bc3ebf07ca3c4e2442f0ba9ea18383ce627b","c59cbd309b3393cb08a1133364ed11000fdd418d","bf2b396b8fb0b1de27678aab877b6f177546d1c5","ab1777107d9996e647d43d1194922b810f198514","450d54d5737164579416ca99af1eb3fa1d4aaff9","9352236ad6fe8835979cf11ba5033f8f2fef0f19","84019de427aef1f1e4f32b579767bee6d0bd1e64","b077ea03b207cc8b8b48b9b4f9a58dabbd39f678","5de1f72ffeea1ecbd287b0ca8ddb2c5264d9acb5","aa19a1648d680c3bfbee7dcc3df41ce98af8e121","da6771fbbcfaf195b80925cefc880794d62d61bf","956e020206c4dc4240537d07be022e86ed918ed1","4a1e667e0c3550f4446903570adbe7776699d4ca","e3619582f4d81ca180dee161bbe49d499b237119","45337ae989cd62d07059f867ce62ff6b6fc90819","ccc6b5bf9591fa9a3d57fd48ee0c9c49a6d22da9")

    Hash 3 (SHA256):

    sha256hash IN ("18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88","d8b2d883d3b376833fa8e2093e82d0a118ba13b01a2054f8447f57d9fec67030","44cf04192384e920215f0e335561076050129ad7a43b58b1319fa1f950f6a7b6","b4ad5df385ee964fe9a800f2cdaa03626c8e8811ddb171f8e821876373335e63","b79bb3302691936df7c3315ff3ba7027f722fc43d366ba354ac9c3dac2e01d03","2389b3978887ec1094b26b35e21e9c77826d91f7fa25b2a1cb5ad836ba2d7ec4","ced4ee8a9814c243f0c157cda900def172b95bb4bc8535e480fe432ab84b9175","3f97e112f0c5ddf0255ef461746a223208dc0846bde2a6dca9c825d9c706a4e9","c1173628f18f7430d792bbbefc6878bced4539c8080d518555d08683a3f1a835","7673a949181e33ff8ed77d992a2826c25b8da333f9e03213ae3a72bb4e9a705d","59c9d10f06f8cb2049df39fb4870a81999fd3f8a79717df9b309fadeb5f26ef9","ba9b879fdc304bd7f5554528fb8e858ef36ad4657fedfefb8495f43ce73fc6f1","10ce939e4ee8b5285d84c7d694481ebbdf986904938d07f7576d733e830ed012","3af3f2d08aa598ab4f448af1b01a5ad6c0f8e8982488ebf4e7ae7b166e027a8b","578a2ac45e40a686a5f625bbc7873becd8eb9fe58ea07b1d318b93ee0d127d4e","791157675ad77b0ae9feabd76f4b73754a7537b7a9a2cc74bd0924d65be680e1","9bcaad9184b182965923a141f52fb75ddd1975b99ab080869896cee5879ecfad","53828f56c6894a468a091c8858d2e29144b68d5de8ff1d69a567e97aac996026")
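    The queries above combine substring ("like") matching on domain/URL fields, set membership on four IP fields and set membership on three hash fields. The following Python is an added example, not part of the advisory or of the Gurucul product, that reproduces that logic over constructed log events so the behaviour of the "like" clauses can be checked offline; the field names follow the queries above, the domains and IPs are the ones in those queries, the hash set holds a single MD5 from the query as a stand-in for the full lists, and the events are constructed.

```python
# Added example: evaluate the advisory's IoC query logic over log events.
# Indicators below are copied from the TDIR queries; HASHES holds one MD5
# only (load the remaining MD5/SHA1/SHA256 values the same way).
DOMAINS = ("user.compdatasystems.com", "compdatasystems.com",
           "https://accessservicesonline.com/setup_wm.exe",
           "retailadvertisingservices.com")
IPS = {"31.172.83.162", "159.100.14.254", "91.142.74.28", "185.236.232.20",
       "195.2.70.38", "38.180.61.247", "93.115.26.127", "46.21.250.52"}
HASHES = {"6505b488d0c7f3eaee66e3db103d7b05"}

DOMAIN_FIELDS = ("userdomainname", "url")          # matched with 'like'
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("md5hash", "sha1hash", "sha256hash")  # matched with IN


def match_event(event, domains=DOMAINS, ips=IPS, hashes=HASHES):
    """Return a list of (field, indicator) hits; an empty list means no match.

    'like' is modelled as a case-insensitive substring test, exactly as the
    query does, so a bare domain indicator also fires on its subdomains.
    """
    hits = []
    for field in DOMAIN_FIELDS:
        value = (event.get(field) or "").lower()
        hits += [(field, d) for d in domains if d.lower() in value]
    for field in IP_FIELDS:
        if event.get(field) in ips:
            hits.append((field, event[field]))
    for field in HASH_FIELDS:
        value = (event.get(field) or "").lower()  # hashes are case-insensitive
        if value in hashes:
            hits.append((field, value))
    return hits


def scan(events, **iocs):
    """Map the index of every event with at least one hit to its hit list."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e, **iocs))}


# Constructed sample events (not from the advisory's telemetry).
SAMPLE_EVENTS = [
    {"url": "https://accessservicesonline.com/setup_wm.exe",
     "dstipaddress": "31.172.83.162"},                      # download + C2 IP
    {"userdomainname": "user.compdatasystems.com"},         # two 'like' hits
    {"srcipaddress": "10.0.0.5",
     "md5hash": "00000000000000000000000000000000"},        # benign
    {"md5hash": "6505B488D0C7F3EAEE66E3DB103D7B05"},        # upper-case hash
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Because "compdatasystems.com" is a substring of "user.compdatasystems.com", event 1 produces two hits from one field; when tuning the query, a bare-domain "like" clause will equally match any unrelated host whose name merely contains that string, so an equality or suffix match is the safer form where the data source allows it.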

    Reference:    

    https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/#indicators


    Tags: Malware, Cobalt Strike, LockBit, Ransomware
