LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
Common Information

UUID: abda742b-98b9-44b8-9300-1ad53af87fe5
Fingerprint: 373384d18e26e4cb
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Aug. 20, 2021, midnight
Added to db: Sept. 11, 2022, 12:41 p.m.
Last updated: Nov. 17, 2024, 7:44 p.m.
Headline: LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
Title: LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
Detected Hints/Tags/Attributes: 53/1/47
Attributes

Each entry lists the attribute type, the number of events in which it was seen (#Events), and the value. The source table also carries a CTI Value column, which is empty for every row.

CVE (26 events): cve-2021-36942
CVE (168 events): cve-2021-34473
CVE (142 events): cve-2021-34523
Domain (4127 events): github.com
File (5 events): efspotato.exe
File (4 events): active_desktop_render.dll
File (3 events): active_desktop_launcher.exe
File (196 events): desktop.ini
File (1 event): autologin.bat
File (1 event): autologin.exe
File (1 event): autologin.dll
File (1 event): autologin.sys
File (3 events): autoupdate.exe
File (1 event): autlogin.dll
File (1 event): tanikaze.dll
Github username (2 events): zcgonvh
Github username (14 events): hfiref0x
md5 (1 event): 957af740e1d88fabdaf73bd619cb3d31
md5 (1 event): f08e24f57501f2c4e009b6a7d9249e99
md5 (1 event): bc70a7b384558cafbbc04f00a59cbe8d
md5 (1 event): 8ed32ace2fbce50296d3a1a16d963ba7
md5 (1 event): 8d17765168677ef76400b497fb0c0fd3
md5 (1 event): 1f0a89360bb9471af8b2b1136eafd65f
md5 (1 event): 335b9a537a380ec5936a7210ad64d955
md5 (1 event): 2163489886929ffc596983d42965a670
md5 (1 event): ef37842fc159631f9dd8f94c5e05a674
md5 (1 event): 435b568f7ac982b58ab86e8680d9042e
md5 (1 event): 49dd23214007c7f839eebcd83a3c9465
md5 (1 event): d51dff297c293bac5871a9b82e982103
md5 (1 event): 52e1fed4c521294c5de95bba958909c1
sha256 (1 event): ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291
sha256 (1 event): cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915
sha256 (1 event): 36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9
sha256 (1 event): 5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f
sha256 (1 event): 1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75
sha256 (1 event): 2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a
sha256 (1 event): 7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd
sha256 (1 event): c020d16902bd5405d57ee4973eb25797087086e4f8079fac0fd8420c716ad153
sha256 (1 event): a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0
sha256 (1 event): 368756bbcaba9563e1eef2ed2ce59046fb8e69fb305d50a6232b62690d33f690
sha256 (1 event): d030d11482380ebf95aea030f308ac0e1cd091c673c7846c61c625bdf11e5c3a
sha256 (1 event): a0066b855dc93cf88f29158c9ffbbdca886a5d6642cbcb9e71e5c759ffe147f8
sha256 (1 event): bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce
IPv4 (4 events): 209.14.0.234
Url (1 event): http://209.14.0.234:46613/vcetrkighyifs5fognxh
Url (1 event): https://github.com/zcgonvh/efspotato.
Url (2 events): https://github.com/hfiref0x/kdu