T9

T9-24–01–M–NE–CLM

SMBGhost + Ransomware

This attack is a combination of T2-24-01-S-N-CL and T4-24–01–S–E–M and three logs collected: two pcap and one evtx.

1. Reverse Shell Connection by exploiting SMBGhost Vulnerability
2. Download Ransomware and add in the registry
3. Execute Ransomware and infect after rebooting the victim PC

The attacker performs a reverse shell connection via the Windows 10 SMB vulnerability using a T2-24-01-S-N-CL attack. Using curl commands the attacker downloads and exectes CryptoWire ransomware in T4-24-01-S-E-M. In addition to encrypting the home directory, the ransomware performs additional behaviors, such as deleting Volume Shadow and registering a Scheduler, and demands a ransom for decryption.

	OS	IP	Software	Log collection time	Program runtime
Attacker	Windows 11	192.168.56.1	-	160 sec	200 sec
Victim	Windows 10(1903)	192.168.56.112 (Internal) 10.0.3.15 (External)	SMB	160 sec	200 sec

Installing

python3 -m pip install -r requirements.txt

Using

python3 run.py

MITRE ATT&CK Framework

Attack Tactic
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion
Credential	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact

Logs

./log/2024_01_T9_{time}.evtx # YYmmdd_HHMMSS
./log/2024_01_T9_{time}_1.pcap # YYmmdd_HHMMSS
./log/2024_01_T9_{time}_2.pcap # YYmmdd_HHMMSS

References

[1] NIST [CVE-2020-0796]
[2] ZecOps [CVE-2020-0796 Remote Code Execution POC]
[3] Ahnlab ASEC [CryptoWire with Decryption Key Included]
[4] VirusTotal [bcf4ad8687af0d79971e5f73ab152b7732bf3540726f71654da87f36e54cff6f]
[5] GitHub [CryptoWire Open Source]

※ Click on the attack name to see a description and scenario for the attack