NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies

Jan 6, 2022

NOBELIUM is another name for the APT29 intrusion set¹, operated by a threat actor allegedly linked to the SVR (the Foreign Intelligence Service of the Russian Federation)². NOBELIUM has historically targeted government organizations, non-governmental organizations, think tanks, military, IT service providers, health technology and research, and telecommunications providers.

Despite the low sophistication level of its phishing campaigns targeting Windows, NOBELIUM is well known for its agility once inside the victim’s network. Its operators are careful, patient and masterize cutting edge intrusion techniques against the latest Microsoft technologies and services such as AzureAD. For example, NOBELIUM used a home made passive implant dubbed FoggyWeb to exfiltrate authentication tokens from ADFS servers in a stealthy way³.

NOBELIUM made the headlines a little over a year ago, following the discovery of a sophisticated supply chain attack against the Solarwinds software, compromising thousands with a validator dubbed “SunBurst”. Beyond its impact and its sophistication, the attack – as disclosed by Kaspersky – had an interesting overlap with a backdoor used by TURLA, an intrusion set that has been active for years and known to be allegedly linked to the Russian FSB. Joint operation between two Russian threat actors or NOBELIUM had access to the same code base? The question remains unanswered today but it is not the first time that overlaps between these two intrusion sets emerge

Throughout 2021 and following the SolarWinds attack, NOBELIUM engaged in spear phishing campaigns by using mails and social media messaging. These campaigns didn’t use any exploit to compromise Windows endpoints. They simply relied on malicious HTML attachments – called EnvyScout by Microsoft– with a pinch of social engineering. By opening the attachment, the HTML file extracts from itself an ISO file by using a technique dubbed HTML Smuggling. The ISO is then downloaded by the victim and automatically mounted on the victim’s workstation, leading at the end of the exploitation chain to execution of a CobaltStrike beacon.

New EnvyScout infection chain analysis.

On  October 21st, 2021, a new EnvyScout HTML file related to the NOBELIUM intrusion set (3d18bc4bfe1ec7b6b73a3fb39d490b64) matched one of our YARA rule on VirusTotal with a detection ratio of 1 on 56. The rule was done on the possible obfuscated variants of a JavaScript loop used in the EnvyScout initial file disclosed by Microsoft (32e0940e1715392280d4bdb514d9cf11).

Table 1. Comparaison of the two loops

It is worth noting that’s not the only resemblance between the two files, both also have the same headers, with the same MOTW comment, such as:

Extract 1. Headers in 32e0940e’ and 3d18bc4b’  files

As seen during other phishing campaigns reported in open-source, this file uses the “HTML Smuggling” technique to extract a malicious ISO file. By looking at its content, this file seems to have targeted at least one Iranian embassy, as shown below:

Figure 1. Message shown to the user by the HTML file 3d18bc4bfe1ec7b6b73a3fb39d490b64.

Following this first discovery, another similar HTML file came out in early december (b87073c34a910f20a83c04c8efbd4f43) but this time with no text except the title “Covid information”. The content may have been deleted by the submitters in order to prevent victim identification. However, the next infection chain stage revealed that it targeted at least one Turkey Embassy. It is worth noting that these EnvyScout files don’t contain any SMB trap, web bug, telemetry script or redirection to some 0day exploit targeting iOS as previously seen by Google TAG.

If we take a look at the ISO files metadata, the ISO volume name is the HTA file title and there are some interesting timestamps such as the “Root Directory Create Date” or the “Volume Create Date”. In the first sample, 3d18bc4bfe1ec7b6b73a3fb39d490b64, the timestamps values are 2021:10:20 11:27:18-07:00 (UTC time). Whereas in the second sample, which was uploaded a bit later on VirusTotal, the timestamps values are 2021:11:12 09:28:40-08:00 (UTC time).

These dates indicate the last time that the volume was mounted. Which is quite interesting as the ISO files were actually simply extracted and decoded from the HTML files. It seems therefore likely that NOBELIUM built the payloads (or tested its whole attack chain) at these dates. If that is indeed the case, it would mean that the first sample 3d18bc4bfe1ec7b6b73a3fb39d490b64 was created a day before it was uploaded to VirusTotal.

Unlike the previously described NOBELIUM spear phishing attacks disclosed by Microsoft, the downloaded ISO files no longer contained a malicious DLL and a shortcut aimed to launch that DLL. In both cases, the ISO simply embeds a malicious HTML Application (HTA) file, executing the rest of the exploitation chain. For the HTA file corresponding to the first HTML file (3d18bc4bfe1ec7b6b73a3fb39d490b64), the HTA file contains the same message as the HTML file. For the second HTML file (b87073c34a910f20a83c04c8efbd4f43), the HTA file contains a message similar to the first file but this time mentions an “Embassy of the Republic of Turkey”:

    Figure 2. The HTA b84c00ae9e7f9684b36d75a1a09f8210 message.


    Note the slight typos they made in this message at “transfered” (just like in the first HTML file) and “thes”.

    In both cases, the HTA file contains hidden HTML elements embedding the content of two different registry values. The first registry value carries a shellcode loader written in PowerShell dedicated to decode and load a shellcode, contained in the second registry value. Once the values are saved in the registry, the HTA launches a Powershell command line which will load and execute the content of the first registry key, as shown below:

    Extract 2. Extract of the HTA b84c00ae9e7f9684b36d75a1a09f8210.

    It is worth to note that prior to loading the shellcode, the registry keys containing the malicious payloads are deleted, a nice try to prevent forensic analysis. Furthermore, the registry key names differ in the two samples (Javasoft and MSOffice). In the two cases, the shellcode loads and executes in memory a DLL embedded in it. Both DLLs contain dozens of dead exports, are heavily obfuscated in the same manner with a lot of junk code and fake calls to the Windows API. They are used to decrypt and load an encrypted CS beacon splitted in seven different parts inside the DLL. To resume, they seem to act as the loader dubbed NativeZone (variant 1) as described by Microsoft in their blogpost.
    To summarize, you can see below the full infection chain used in these recent spear phishing attacks:

    Figure 3. Infection chain of 3d18bc4bfe1ec7b6b73a3fb39d490b64.

    Both CobaltStrike configurations were extracted easily and can be found in the Appendix. It is interesting to note that the public keys and the user-agent are the same. Furthermore, the user-agent should not be used often in real corporate environments as it is associated with Windows 8 and you could therefore look for that on your networks for hunting purposes.

    Two different C2s have been extracted, midcitylanews[.]com for the sample targeting Iran and dom-news[.]com for the sample targeting Turkey.

    Infrastructure analysis


    The domains
    midcitylanews[.]com and dom-news[.]com retrieved from the CobaltStrike beacons have been registered more than a year prior to their use by the threat actor which could indicate that NOBELIUM tried to prevent malicious domains detection based on their creation date.

    These domains resolved VPS IP addresses having their 80 and 443 ports open. They seem to have been configured by using an Nginx forwarder configuration for CobaltStrike C2 dubbed “cs2nginx” and available for anyone on Github

    However, even if the domains were registered a year ago, the associated C2 servers were set up around the end of september, 2021. Therefore, this time delta, the use of cs2nginx and the pattern of the typosquatting domains (e.g. the use on “news” keyword for many of them) can lead to some infrastructure illumination. Here is the infrastructure which can be grabbed by using this heuristic.

    Table 3. Infrastructure discovered possibly linked to NOBELIUM

    It is interesting to note that like the infrastructure disclosed by the CERT-FR in December, 2021¹⁰, this cluster is distributed between several autonomous systems, which seems also to be one characteristic of NOBELIUM. 

    During this investigation, we found other C2s servers using the same technique and potentially linked to other threat actors or red teams. We decided to publish this list in the appendix for threat hunting purposes in your network.

    Conclusion


    The infection chain and the indicators shown above suggest that NOBELIUM is associated with this attack campaign. After having burned EnvyScout against occidental targets, NOBELIUM seems to reuse this infection chain against other countries. However, due to the low complexity of the infection chain and the previous blog posts covering EnvyScout, it could be, although we write this with very low confidence, just another threat actor copycatting NOBELIUM.

      Tactics, Techniques and Procedures (TTPs)

      T1583.001 – Acquire Infrastructure: Domains
      T1583.003 – Acquire Infrastructure: Virtual Private Server
      T1566.001 – Phishing: Spearphishing Attachment
      T1566.003 – Phishing: Spearphishing via Service
      T1059.001 – Command and Scripting Interpreter: PowerShell
      T1204.002 – User Execution: Malicious File
      T1027.006 – Obfuscated Files or Information: HTML Smuggling
      T1071.001 – Application Layer Protocol: Web Protocols

      Related IOCs
      The IOCs are provided “as is”. All the IOCs can be downloaded in JSON STIX2.1 and CSV formats on the SEKOIA.IO Github: https://github.com/SEKOIA-IO/Community/tree/main/IOCs

       

      Domains

      crochetnews[.]com
      dom-news[.]com
      readnewshot[.]com
      pharaosjournal[.]com
      bfilmnews[.]com
      theanalyticsnews[.]com
      galatinonews[.]com
      midcitylanews[.]com
      muslimnewsdaily[.]com

       

      IP Addresses

      31.42.177[.]78
      158.255.211[.]40
      45.14.70[.]186
      46.102.152[.]118
      139.99.178[.]56
      95.183.51[.]161
      195.144.21[.]159
      103.232.53[.]230
      194.62.42[.]109

       

      Other domains suspected to use cs2nginx

      These domains are suspected to use cs2nginx. We haven’t been able to link them to NOBELIUM and they could be related to other threats. They are provided “as is”, only for hunting purposes in your own network.

      
      updates.uk[.]com
      onlinebusinessadviceuk[.]com
      assets.completehealthcareuk[.]net
      d2rwiki[.]net
      taiwancht[.]com
      herosofthestorms[.]com
      note.legendsec[.]net
      faststartbusiness[.]com
      msdnsvc[.]com
      assets.bettendorfhealthcare[.]com
      eblogpro[.]com
      getdsoft[.]com
      themobilecard[.]com
      c***solutions[.]support
      v*****managernent[.]com
      e*****x[.]me
      img.microsoftupdate.cc 
      windows.msgetupdate.com 
      fwd.splunk.eu.com 
      file.updateswindows.com
      

       

      Files MD5 hashes

      054940ba8908b9e11f57ee081d1140cb
      b84c00ae9e7f9684b36d75a1a09f8210
      3d18bc4bfe1ec7b6b73a3fb39d490b64
      b87073c34a910f20a83c04c8efbd4f43
      d4fdf63d88da2d59569bb621b18bf5e4
      41dd8cee47c036e7e9e92c395c5d1feb
      b7ca8c46dc1bfc1d9cb9ce04a4928153
      cc08a6df151b8879a4969b2e99086b48
      4365057ef0c5a9518d95d53eab5995a8
      Yara rules

      rule apt_nobelium_powsershell_reg_loader_decoded {
          meta:
              id = c8ee9c40-fa28-4b9a-98e8-88ccc4a16091
              description = Matches the decoded version of the Powershell loader stored in the registry
              version = 1.0
              creation_date = 2021-12-07
              modification_date = 2021-12-07
              classification = TLP:WHITE
              source=SEKOIA
          strings:
              $x = FromBase64String((gp HKCU:\\\\SOFTWARE\\\\
              $y = Remove-ItemProperty HKCU:\\\\SOFTWARE\\\\
              $z = Invoke([IntPtr]::Zero)
         condition:
              filesize < 3KB and
              $x and #y == 2 and
              $z at (filesize-22)

      }

      rule apt_nobelium_hta_reg_dropper {
          meta:
              id = 9f6a2154-c33a-4c38-9667-7479bf49c310
              description = Matches HTA dropper file used by NOBELIUM and ISO files containing it
              hash = 054940ba8908b9e11f57ee081d1140cb
              hash = b7ca8c46dc1bfc1d9cb9ce04a4928153
              version = 1.0
              creation_date = 2021-12-07” 
              modification_date = 2021-12-07
              classification = TLP:WHITE
              source=SEKOIA
          strings:
              $w = RegWrite( nocase
              $x = { 2b 3d 20 64 6f 63 75 6d
                         65 6e 74 2e 67 65 74 45
                         6c 65 6d 65 6e 74 42 79
                         49 64 28 22 [0-4] 22 29
                         2e 69 6e 6e 65 72 48 54
                         4d 4c }
              $y = <body onload= nocase
              $z = hidden nocase
          condition:
              $y and
             (3 < #z) and
             (3 < #x) and
             (1 < #w)

      }

      rule apt_nobelium_hta_in_iso {
           meta:
               id = 874ab41b-5c60-4303-8776-e1c10313a401
              description = Matches ISO file embedding HTA
              hash = d4fdf63d88da2d59569bb621b18bf5e4
              hash = cc08a6df151b8879a4969b2e99086b48
              version = 1.0
              creation_date = 2021-12-02” 
              modification_date = 2021-12-02
              classification = TLP:WHITE
              source=SEKOIA
          strings:
              $ = ImgBurn v2
              $ = <hta:application
          condition:
              all of them and
              filesize > 1MB and
              filesize < 3MB 

      }

      rule apt_nobelium_html_smuggling_iso {
          meta:
              id = 9bd5b626-8ea3-4607-a858-58deff18396c
              version = 1.0
              description = Detect HTML smuggling with ISO
              hash = b87073c34a910f20a83c04c8efbd4f43” 
              hash = 3d18bc4bfe1ec7b6b73a3fb39d490b64
              source = SEKOIA
              creation_date = 2022-01-02” 
              modification_date = 2022-01-02
              classification = TLP:WHITE
          strings:
              $ = new Blob
              $ = .click();
              $ = { 28 [1-20] 2c 22 [1-20]
                       2e 69 73 6f 22 2c 22 61
                       70 70 6c 69 63 61 74 69
                       6f 6e 2f 78 2d 63 64 2d
                       69 6d 61 67 65 22 29 }
          condition:
              filesize > 1MB and filesize < 2MB and all of them

      }

      rule apt_nobelium_b64_to_Uint8Array {
          meta:
              id = 66c9b00b-f021-4115-b9ec-d1e1f491ce72
              description = Detect Base64 decode to Uint8Array used in NOBELIUM HTML files
              hash = 3d18bc4bfe1ec7b6b73a3fb39d490b64
              version = 1.0
              creation_date = 2021-12-02” 
              modification_date = 2021-12-02
              classification = TLP:WHITE
              source=SEKOIA
          strings:
              $a1 = atob(
              $l0 = { 20 3c 20 [2-10] 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 7b }
              $l1 = { 5b 69 5d 20 3d 20 [2-10] 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 3b }
              $a2 = new Uint8Array
          condition:
              $l0 in (@a1..@a2) and
              $l1 in (@a1..@a2) and
              filesize > 1MB and filesize < 3MB 

      }

      import pe
      rule apt_nobelium_cs_loader_obfuscation {
          meta:
              id = 5f21b031-3dc1-4dad-b775-6099bfcb0472
              version = 1.0
              description = Detect obfuscated CobaltStrike loaders used by NOBELIUM”    
              hash = 41dd8cee47c036e7e9e92c395c5d1feb
              hash = 4365057ef0c5a9518d95d53eab5995a8
              source = SEKOIA
              creation_date = 2022-01-04
              modification_date = 2022-01-04
              classification = TLP:WHITE
          strings:
              $j1 = { DD 05 ?? ?? ?? ?? DD 9D }
              $j2 = { C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 }
              $c1 = { 81 7D ?? FF 00 00 00 0F 8E ?? ?? FF FF }
          condition:
              pe.characteristics & pe.DLL and
              pe.number_of_exports > 20 and
              filesize > 300KB and filesize < 400KB and
              #j1 > 50 and #j2 > 50 and #c1 == 2

       }

      Sigma rule

      id: d9114938-6877-48d8-a785-bc07cb7220ff
      title: PowerShell invoking in the command line a registry value to execute.
      description: Detects a d9114938 execution which grabs a value in the windows registry to execute it.
      references:

          – MD5 hash: b84c00ae9e7f9684b36d75a1a09f8210

          – MD5 hash: 054940ba8908b9e11f57ee081d1140cb

      status: experimental
      author: ‘SEKOIA.IO’
      date: 2022/01/03
      tags:
          – attack.T1059.001
      logsource:
          category: process_creation
          product: windows
      detection:
          selection:
              Image|contains: ‘powershell’
              CommandLine|contains: ‘HKCU’
          selection2
              CommandLine|contains:
                  – ‘invoke-expression’
                  – ‘iex’
              CommandLine|contains:
                  – ‘gp’
                  – ‘Get-ItemProperty’
          condition: selection and selection2
      level: medium

      Registry Keys

      HKCU\SOFTWARE\MSOffice\Version
      HKCU\SOFTWARE\MSOffice\path
      HKCU\SOFTWARE\JavaSoft\Ver
      HKCU\SOFTWARE\JavaSoft\Ver2

      CobaltStrike configurations

      Configuration of the CobaltStrike beacon launched from the Iranian decoy (from 1768.py, Didier Stevens’ tool):

      Config found: xorkey b’.’ 0x00000000 0x000041f0
      0x0001 payload type                     0x0001 0x0002 8 windows-beacon_https-reverse_https
      0x0002 port                             0x0001 0x0002 443
      0x0003 sleeptime                        0x0002 0x0004 60000
      0x0004 maxgetsize                       0x0002 0x0004 1398104
      0x0005 jitter                           0x0001 0x0002 30
      0x0007 publickey                        0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a6be0ed930ab8ecb86facd6419bbe38fb5bc87449bf0d9214cd713d8f2b81e8c5705ca8e5cd0965376322c9f5fcfdbd647ca208c02ecb130593d516837b167992a49dbd6febe34541c30bc988dcb5742e3a7a44549d7b3364fe88e914bcca01c0175668d10f4c36c94bc33e348197824611eb4a3341f10c5b02080b02bcf62fb020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
      0x0008 server,get-uri                   0x0003 0x0100 ‘midcitylanews.com,/news/update/aaa’
      0x000e SpawnTo                          0x0003 0x0010 (NULL …)
      0x001d spawnto_x86                      0x0003 0x0040 ‘%windir%\\syswow64\\dllhost.exe’
      0x001e spawnto_x64                      0x0003 0x0040 ‘%windir%\\sysnative\\dllhost.exe’
      0x001f CryptoScheme                     0x0001 0x0002 0
      0x001a get-verb                         0x0003 0x0010 ‘GET’
      0x001b post-verb                        0x0003 0x0010 ‘POST’
      0x001c HttpPostChunk                    0x0002 0x0004 0
      0x0025 license-id                       0x0002 0x0004 1359593325
      0x0026 bStageCleanup                    0x0001 0x0002 0
      0x0027 bCFGCaution                      0x0001 0x0002 0
      0x0009 useragent                        0x0003 0x0100 ‘Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36’
      0x000a post-uri                         0x0003 0x0040 ‘/form/sent/ppw’
      0x000b Malleable_C2_Instructions        0x0003 0x0100 ‘\x00\x00\x00\x04\x00\x00\x00\x03’
      0x000c http_get_header                  0x0003 0x0200
          Content-Type: text/html
          Cache-Control: no-cache
          v1.5472
      0x000d http_post_header                 0x0003 0x0200
          !Content-Type: multipart/form-data
          Cache-Control: no-cache
          /.jpg
      0x0036 HostHeader                       0x0003 0x0080 (NULL …)
      0x0032 UsesCookies                      0x0001 0x0002 0
      0x0023 proxy_type                       0x0001 0x0002 2 IE settings
      0x003a                                  0x0003 0x0080 ‘\x00\x05\x90’
      0x0039                                  0x0003 0x0080 ‘\x00\x05p’
      0x0037                                  0x0001 0x0002 0
      0x0028 killdate                         0x0002 0x0004 0
      0x0029 textSectionEnd                   0x0002 0x0004 0
      0x002b process-inject-start-rwx         0x0001 0x0002 4 PAGE_READWRITE
      0x002c process-inject-use-rwx           0x0001 0x0002 32 PAGE_EXECUTE_READ
      0x002d process-inject-min_alloc         0x0002 0x0004 17500
      0x002e process-inject-transform-x86     0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’
      0x002f process-inject-transform-x64     0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’
      0x0035 process-inject-stub              0x0003 0x0010 ‘\x0câõTDäy5\x16µ¯ég¾\x92U’
      0x0033 process-inject-execute           0x0003 0x0080 ‘\x06\x00&\x00\x00\x00\x06ntdll\x00\x00\x00\x00\x13RtlUserThreadStart\x00\x01\x08\x07\x00Q\x00\x00\x00\rkernel32.dll\x00\x00\x00\x00\rLoadLibraryA\x00\x04’
      0x0034 process-inject-allocation-method 0x0001 0x0002 1
      0x0000
      Guessing Cobalt Strike version: 4.1+ (max 0x003a)

       Configuration of the CobaltStrike beacon launched from the Turkish decoy (from 1768.py, Didier Stevens’ tool):

       Config found: xorkey b’.’ 0x00000000 0x0000bff0
      0x0001 payload type                 0x0001 0x0002 8 windows-beacon_https-reverse_https
      0x0002 port                         0x0001 0x0002 443
      0x0003 sleeptime                    0x0002 0x0004 60000
      0x0004 maxgetsize                   0x0002 0x0004 1398104
      0x0005 jitter                       0x0001 0x0002 30
      0x0007 publickey                    0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a6be0ed930ab8ecb86facd6419bbe38fb5bc87449bf0d9214cd713d8f2b81e8c5705ca8e5cd0965376322c9f5fcfdbd647ca208c02ecb130593d516837b167992a49dbd6febe34541c30bc988dcb5742e3a7a44549d7b3364fe88e914bcca01c0175668d10f4c36c94bc33e348197824611eb4a3341f10c5b02080b02bcf62fb020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
      0x0008 server,get-uri               0x0003 0x0100 ‘dom-news.com,/info/www/robot’
      0x000e SpawnTo                      0x0003 0x0010 (NULL …)
      0x001d spawnto_x86                  0x0003 0x0040 ‘%windir%\\syswow64\\dllhost.exe’
      0x001e spawnto_x64                  0x0003 0x0040 ‘%windir%\\sysnative\\dllhost.exe’
      0x001f CryptoScheme                 0x0001 0x0002 0
      0x001a get-verb                     0x0003 0x0010 ‘GET’
      0x001b post-verb                    0x0003 0x0010 ‘POST’
      0x001c HttpPostChunk                0x0002 0x0004 0
      0x0025 license-id                   0x0002 0x0004 1359593325
      0x0026 bStageCleanup                0x0001 0x0002 0
      0x0027 bCFGCaution                  0x0001 0x0002 0
      0x0009 useragent                    0x0003 0x0100 ‘Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36’
      0x000a post-uri                     0x0003 0x0040 ‘/assets/image/awd’
      0x000b Malleable_C2_Instructions    0x0003 0x0100 ‘\x00\x00\x00\x04\x00\x00\x00\x03’
      0x000c http_get_header              0x0003 0x0200
          Content-Type: text/html
          Cache-Control: no-cache
          .html
          Cookie
      0x000d http_post_header             0x0003 0x0200
          Content-Type: image/jpeg
          Accept-Encoding: gzip, deflate
          Cache-Control: no-cache
          /.png
      0x0036 HostHeader                   0x0003 0x0080 (NULL …)
      0x0032 UsesCookies                  0x0001 0x0002 1
      0x0023 proxy_type                   0x0001 0x0002 2 IE settings
      0x003a                              0x0003 0x0080 ‘\x00\x05\x90’
      0x0039                              0x0003 0x0080 ‘\x00\x05p’
      0x0037                              0x0001 0x0002 0
      0x0028 killdate                     0x0002 0x0004 0
      0x0029 textSectionEnd               0x0002 0x0004 0
      0x002b process-inject-start-rwx     0x0001 0x0002 4 PAGE_READWRITE
      0x002c process-inject-use-rwx       0x0001 0x0002 32 PAGE_EXECUTE_READ
      0x002d process-inject-min_alloc     0x0002 0x0004 17500
      0x002e process-inject-transform-x86 0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’
      0x002f process-inject-transform-x64 0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’
      0x0035 process-inject-stub          0x0003 0x0010 ‘\x0câõTDäy5\x16µ¯ég¾\x92U’
      0x0033 process-inject-execute       0x0003 0x0080 ‘\x06\x00&\x00\x00\x00\x06ntdll\x00\x00\x00\x00\x13RtlUserThreadStart\x00\x01\x08\x07\x00Q\x00\x00\x00\rkernel32.dll\x00\x00\x00\x00\rLoadLibraryA\x00\x04’
      0x0034 process-inject-allocation-method 0x0001 0x0002 1
      0x0000
      Guessing Cobalt Strike version: 4.1+ (max 0x003a)

      Chat with our team!

      Would you like to know more about our solutions? Do you want to discover our XDR and CTI products? Do you have a cyber security project in your organization? Make an appointment and meet us!

      Échangez avec l’équipe

      Vous souhaitez en savoir plus sur nos solutions de protection ? Vous voulez découvrir nos produits de XDR et de CTI ? Vous avez un projet de cybersécurité dans votre organisation ? Prenez rendez-vous et rencontrons-nous !